Installation Package Integrity Verification
This section uses the integrity verification of the latest openFuyao installation package for openEuler v22.03 on the Arm64 architecture as an example. The integrity verification procedure is the same for other operating systems (OSs) and architectures.
Introduction
To ensure that the installation package has not been corrupted or tampered with during transmission due to network issues, storage failures, or malicious attacks, integrity verification must be performed after the package is obtained. The package can be deployed only after it passes the verification.
Integrity verification compares the checksum recorded in the verification file with a checksum you compute over the installation package yourself; the two match only if the package is complete and unmodified. The verification file is in turn validated by its signature file and the PGP public key, whose authenticity is established by its published fingerprint. The following information shows the complete chain of trust.
PGP public key fingerprint > PGP public key > Signature file > Verification file > Installation package
Prerequisites
The following files have been prepared:
- openFuyao community PGP public key: openfuyao.gpg
- Installation package: bkeadm_linux_arm64
- SHA256 verification file: bkeadm_linux_arm64.sha256
- GPG signature file: bkeadm_linux_arm64.sha256.asc
Procedure
Place the preceding four files in the same directory. To verify the file integrity, perform the following steps:
- If the PGP public key is downloaded for the first time, run the following command to import the public key:
    gpg --import openfuyao.gpg
  After the import is complete, run the following command to obtain the public key fingerprint information:
    gpg --list-keys --with-fingerprint --with-subkey-fingerprint team@openfuyao.com
  The master key fingerprint should be 4743 8CDC EE76 7323 72F8 D5C5 DD99 08AE B20D ED08, and the subkey fingerprint should be 0C07 D0B8 1725 C954 E7F1 EDA6 A308 9BE4 BA44 FC4F. If the output fingerprints do not match these values, the PGP public key may have been tampered with. In this case, obtain the PGP public key again.
- Run the following command to verify the validity of the SHA256 verification file:
    gpg --verify bkeadm_linux_arm64.sha256.asc bkeadm_linux_arm64.sha256
  If the command output contains Good signature from "openFuyao <team@openfuyao.com>" and the master key and subkey fingerprints it prints match the values above, the SHA256 verification file is valid. Otherwise, the SHA256 verification file may have been tampered with. In this case, obtain the file again.
- Run the following commands to verify the integrity of the installation package:
    mkdir -p bin/linux/arm64
    mv bkeadm_linux_arm64 bin/linux/arm64/
    sha256sum -c bkeadm_linux_arm64.sha256
  If bin/linux/arm64/bkeadm_linux_arm64: OK is displayed in the command output, the installation package is intact. Otherwise, the installation package is damaged. In this case, obtain the installation package again.
NOTE
The SHA256 file records the installation package by its relative path, so sha256sum -c can only find the package if it sits at exactly that path. If the path does not exist, create it and move the installation package there.
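The procedure above as a script, added here as an example (it is not from the openFuyao documentation). It assumes a POSIX shell with gpg and GNU coreutils sha256sum and that the four files are in the current directory, and it goes one step beyond the page: instead of reading the fingerprints and the "Good signature" line by eye, it parses gpg's machine-readable output so that a signature from some other key in the keyring is rejected.

```shell
# Added example, not from the openFuyao docs: the verification steps scripted, with the
# comparisons the page asks you to do by eye done on gpg's machine-readable output.
MASTER_FPR=47438CDCEE76732372F8D5C5DD9908AEB20DED08   # published values, spaces removed
SUBKEY_FPR=0C07D0B81725C954E7F1EDA6A3089BE4BA44FC4F

# Stdin: output of `gpg --with-colons --with-fingerprint --with-subkey-fingerprint
# --list-keys`. "fpr" records carry the fingerprint in field 10; both must be present.
check_fingerprints() {
    seen_master=0; seen_sub=0
    while IFS= read -r line; do
        case "$line" in
            fpr:*) fpr=$(printf '%s\n' "$line" | cut -d: -f10)
                   [ "$fpr" = "$MASTER_FPR" ] && seen_master=1
                   [ "$fpr" = "$SUBKEY_FPR" ] && seen_sub=1 ;;
        esac
    done
    [ "$seen_master" -eq 1 ] && [ "$seen_sub" -eq 1 ]
}
# Stdin: output of `gpg --status-fd 1 --verify <sig> <file>`. "Good signature" alone means
# some key in the keyring signed; VALIDSIG names the signing key (field 3) and its
# primary key (last field), so require the primary to be the published master key.
check_validsig() {
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                signer=${line#"[GNUPG:] VALIDSIG "}; signer=${signer%% *}
                primary=${line##* }
                [ "$primary" = "$MASTER_FPR" ] || continue
                [ "$signer" = "$SUBKEY_FPR" ] || [ "$signer" = "$MASTER_FPR" ] && return 0 ;;
        esac
    done
    return 1
}
# The .sha256 file names the package by the relative path bin/linux/arm64/bkeadm_linux_arm64,
# so the check must run from the directory that path is relative to (see the NOTE above).
verify_package() { (cd "$1" && sha256sum -c --strict --quiet "$2"); }

# Full chain, run from a directory holding the four downloaded files: verify_chain
verify_chain() {
    gpg --import openfuyao.gpg || return 1
    gpg --with-colons --with-fingerprint --with-subkey-fingerprint --list-keys team@openfuyao.com \
        | check_fingerprints || { echo "fingerprint mismatch: obtain the public key again" >&2; return 1; }
    gpg --status-fd 1 --verify bkeadm_linux_arm64.sha256.asc bkeadm_linux_arm64.sha256 \
        | check_validsig || { echo "SHA256 file is not signed by the openFuyao key" >&2; return 1; }
    mkdir -p bin/linux/arm64
    [ -e bin/linux/arm64/bkeadm_linux_arm64 ] || mv bkeadm_linux_arm64 bin/linux/arm64/
    verify_package . bkeadm_linux_arm64.sha256 || { echo "package checksum mismatch" >&2; return 1; }
    echo "all checks passed: bin/linux/arm64/bkeadm_linux_arm64 may be deployed"
}
```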