Installation Package Integrity Verification
This document uses ARM64 architecture as a reference to introduce installation package integrity verification. The process is similar for AMD64 architecture.
Introduction
An installation package can arrive incomplete or tampered with because of network problems, faulty storage devices, malicious attacks, or other causes during transmission. Verify the integrity of the installation package after obtaining it. Only installation packages that have passed verification can be deployed.
Here, we determine whether the installation package is complete by comparing the checksum value recorded in the verification file with the manually calculated checksum value of the installation package file; the legitimacy of the verification file is verified through the signature file and PGP public key. The complete trust chain is shown below.
PGP public key fingerprint --> PGP public key --> Signature file --> Checksum file --> Installation package
Prerequisites
Before verifying the integrity of the installation package, the following files need to be prepared.
- openFuyao community PGP public key: `openfuyao.gpg`
- Installation package file: `bkeadm_linux_arm64`
- sha256 checksum file: `bkeadm_linux_arm64.sha256`
- gpg signature file: `bkeadm_linux_arm64.sha256.asc`
Operation Guide
Place the above four files in the same directory. The file integrity verification steps are as follows.
When downloading the PGP public key for the first time, execute the following command to import the public key.

```shell
gpg --import openfuyao.gpg
```

After the import is complete, execute the following command to obtain the public key fingerprint information.

```shell
gpg --list-keys --with-fingerprint --with-subkey-fingerprint contact@openfuyao.cn
```

The primary key fingerprint should be: `F273 197F 8173 4FDF 93E6 67AB CD64 988D 25B2 1CF9`. If the output fingerprint information does not match, the PGP public key may have been tampered with and needs to be re-obtained.

Execute the following command to verify the legitimacy of the sha256 checksum file.

```shell
gpg --verify bkeadm_linux_arm64.sha256.asc bkeadm_linux_arm64.sha256
```

After the command is executed, if the output contains `Good signature from "openFuyao <contact@openfuyao.cn>"`, and the fingerprint information of the primary key is consistent with that described above, the sha256 checksum file is legitimate. Otherwise, the sha256 file may have been tampered with and needs to be re-obtained.

Execute the following command to verify the integrity of the installation package file. The `<(...)` process substitution in this command requires bash or a compatible shell.

```shell
sha256sum -c <(cat bkeadm_linux_arm64.sha256) < bkeadm_linux_arm64
```

After the command is executed, if the output is `-: OK`, the integrity of the installation package file has not been compromised. Otherwise, the installation package integrity has been compromised and needs to be re-obtained.
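For unattended use (for example in a deployment pipeline), the signature and checksum steps above can be combined into one fail-closed check. The following is an added example, not openFuyao's own script: the function names are hypothetical, it assumes the public key has already been imported, and it reads the primary key fingerprint from the `VALIDSIG` line of `gpg --status-fd` instead of matching the human-readable "Good signature" text.

```shell
# Added example: fail-closed check of the signature and checksum steps above.
# Pinned primary key fingerprint from this page, spaces removed.
EXPECTED_FPR="F273197F81734FDF93E667ABCD64988D25B21CF9"

# Read `gpg --status-fd` output on stdin and print the primary key fingerprint.
# It is the last field of the VALIDSIG line; fail if no such line exists.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print toupper($NF); found = 1 }
         END { exit !found }'
}

# usage: verify_signature SIG_FILE DATA_FILE
# Succeeds only if the signature is valid and was made by the pinned key.
verify_signature() {
    local out fpr
    out=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$out" | primary_fpr_from_status) || return 1
    [ "$fpr" = "$EXPECTED_FPR" ]
}

# usage: verify_checksum PACKAGE SHA256_FILE
# Compares the digest recorded in SHA256_FILE (first field, first line)
# with the digest computed over PACKAGE.
verify_checksum() {
    local want got
    want=$(awk 'NR == 1 { print tolower($1) }' "$2") || return 1
    got=$(sha256sum < "$1" | awk '{ print $1 }') || return 1
    [ "${#want}" -eq 64 ] && [ "$got" = "$want" ]
}

# usage: verify_package PACKAGE   (expects PACKAGE.sha256 and PACKAGE.sha256.asc)
verify_package() {
    local pkg="$1"
    verify_signature "$pkg.sha256.asc" "$pkg.sha256" \
        || { echo "FAIL: signature on $pkg.sha256" >&2; return 1; }
    verify_checksum "$pkg" "$pkg.sha256" \
        || { echo "FAIL: checksum of $pkg" >&2; return 1; }
    echo "OK: $pkg verified against key $EXPECTED_FPR"
}
```

Source the file and run `verify_package bkeadm_linux_arm64` in the directory holding the files; a non-zero return status means the package must not be deployed.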