Installation Package Integrity Verification
This section uses the integrity verification of the openFuyao v25.06 installation package for openEuler 22.03 on the Arm64 architecture as an example. The integrity verification procedure is the same for other operating systems and architectures.
Introduction
To ensure that the installation package has not been corrupted or tampered with during transmission due to network issues, storage failures, or malicious attacks, integrity verification must be performed after obtaining the package. Only packages that pass the verification can be deployed.
The integrity verification is performed by comparing the verification value recorded in the verification file with the manually calculated verification value of the installation package to determine whether the installation package is complete. The validity of the verification file is verified by the signature file and the PGP public key. The following figure shows a complete chain of trust.
PGP public key fingerprint --> PGP public key --> Signature file --> Verification file --> Installation package
Prerequisites
Before verifying the integrity of the installation package, prepare the following files:
- PGP public key of the openFuyao community: openfuyao.gpg
- Installation package: bkeadm_linux_arm64
- SHA256 verification file: bkeadm_linux_arm64.sha256
- GPG signature file: bkeadm_linux_arm64.sha256.asc
Procedure
Place the preceding four files in the same directory. To verify the file integrity, perform the following steps:
- If you are downloading the PGP public key for the first time, run the following command to import the public key:
    gpg --import openfuyao.gpg
  After the import is complete, run the following command to obtain the public key fingerprint information:
    gpg --list-keys --with-fingerprint --with-subkey-fingerprint team@openfuyao.com
  The master key fingerprint should be 4743 8CDC EE76 7323 72F8 D5C5 DD99 08AE B20D ED08, and the subkey fingerprint should be 0C07 D0B8 1725 C954 E7F1 EDA6 A308 9BE4 BA44 FC4F. If the output fingerprint information is incorrect, the PGP public key may have been tampered with. In this case, you need to obtain the PGP public key again.
- Run the following command to verify the validity of the SHA256 verification file:
    gpg --verify bkeadm_linux_arm64.sha256.asc bkeadm_linux_arm64.sha256
  After the command is executed, if the command output contains
    Good signature from "openFuyao <team@openfuyao.com>"
  and the fingerprint information about the master key and subkey is the same as that described above, the SHA256 verification file is valid. Otherwise, the SHA256 file may have been tampered with. In this case, you need to obtain the file again.
- Run the following commands to check the file integrity of the installation package:
    mkdir -p bin/linux/arm64
    mv bkeadm_linux_arm64 bin/linux/arm64/
    sha256sum -c bkeadm_linux_arm64.sha256
  If
    bin/linux/arm64/bkeadm_linux_arm64: OK
  is displayed in the command output, the file integrity of the installation package is not damaged. Otherwise, the integrity of the installation package is damaged. In this case, you need to obtain the installation package again.
NOTE
The SHA256 verification file records the installation package together with its relative path (bin/linux/arm64/bkeadm_linux_arm64), and sha256sum -c looks the file up at that path. Therefore, you need to ensure that the installation package is located at that path. If the path does not exist, create it and move the installation package into it.
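As an added illustration (not part of the openFuyao documentation or tooling), the following Python code reproduces two of the checks above offline: comparing a printed fingerprint against the expected one with gpg's spacing removed, and evaluating a sha256sum-format file relative to a base directory, which shows why the package reports MISSING rather than OK until it sits at the recorded path. The sample package contents and the temporary directory are constructed; the fingerprints and the path are the ones given on this page.

```python
import hashlib
import os
import re
import tempfile

EXPECTED_FINGERPRINTS = {  # values as published on this page
    "master": "4743 8CDC EE76 7323 72F8 D5C5 DD99 08AE B20D ED08",
    "subkey": "0C07 D0B8 1725 C954 E7F1 EDA6 A308 9BE4 BA44 FC4F",
}

def fingerprint_matches(printed, expected):
    """gpg prints fingerprints in groups of four; compare ignoring spacing and case."""
    norm = lambda fp: re.sub(r"\s+", "", fp).upper()
    return norm(printed) == norm(expected)

def parse_sha256_file(text):
    """Parse sha256sum lines '<64 hex>  <path>' (a leading '*' marks binary mode)."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = re.fullmatch(r"([0-9a-fA-F]{64})\s+\*?(.+)", line)
        if not m:
            raise ValueError("malformed sha256 line: %r" % line)
        entries.append((m.group(1).lower(), m.group(2)))
    return entries

def check_sha256(text, base_dir):
    """Mirror 'sha256sum -c': paths resolve relative to base_dir, so a package
    left outside bin/linux/arm64 reports MISSING rather than OK."""
    results = {}
    for expected, rel_path in parse_sha256_file(text):
        full = os.path.join(base_dir, rel_path)
        if not os.path.isfile(full):
            results[rel_path] = "MISSING"
            continue
        with open(full, "rb") as f:
            actual = hashlib.sha256(f.read()).hexdigest()
        results[rel_path] = "OK" if actual == expected else "FAILED"
    return results

def demo():
    """Constructed sample: a stand-in package and a .sha256 file recording its
    path, checked before and after the 'mkdir -p' and 'mv' step."""
    payload = b"constructed stand-in for bkeadm_linux_arm64\n"
    rel = "bin/linux/arm64/bkeadm_linux_arm64"
    sha_text = hashlib.sha256(payload).hexdigest() + "  " + rel + "\n"
    with tempfile.TemporaryDirectory() as d:
        before = check_sha256(sha_text, d)[rel]
        os.makedirs(os.path.dirname(os.path.join(d, rel)))
        with open(os.path.join(d, rel), "wb") as f:
            f.write(payload)
        after = check_sha256(sha_text, d)[rel]
    return {"before_move": before, "after_move": after}
```

The signature check itself still has to be done with gpg as shown in the procedure; this code only covers the fingerprint comparison and the checksum step.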