Software Delivery Repository


Package Signature Verification

All software packages provided by HPE are cryptographically signed for your protection. By enrolling HPE's public keys with your software package manager (rpm/yum/apt/zypper), you'll know the packages you're installing are in fact from HPE, and have not been modified by anyone else. For more information on HPE cryptographic signatures, please refer to HPE Linux Code Signing Services.



 


HPE Public Keys

It is suggested that you enroll all keys to verify current and older versions of packages hosted in SDR repositories:

      hpPublicKey2048_key1.pub     for packages published during 2015    fingerprint: B1275EA3
      hpePublicKey2048_key1.pub    for packages published after 2015     fingerprint: 26C2B797
      hpePublicKey2048_key2.pub    for packages published after 2024     fingerprint: 74C3A4A2


Enroll keys for RPM-based systems

Issue the following commands to enroll all keys on your rpm-based system:


rpm --import https://downloads.linux.hpe.com/SDR/hpPublicKey2048_key1.pub
rpm --import https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub
rpm --import https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key2.pub


Enroll keys for DEB-based systems

Issue the following commands to enroll all keys on your deb-based system:


curl https://downloads.linux.hpe.com/SDR/hpPublicKey2048_key1.pub | apt-key add -
curl https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub | apt-key add -
curl https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key2.pub | apt-key add -
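
The enrollment commands above import whatever the download returns. The following is an added example, not HPE's own tooling: it saves each key to a file and checks it against the ID listed under "HPE Public Keys" before anything is imported. The function names are hypothetical, and it assumes curl, awk and a GnuPG version that supports --show-keys.

```shell
#!/bin/sh
# Added example: check a downloaded HPE key against the ID published on this
# page before enrolling it. Function names are hypothetical.
SDR_BASE=https://downloads.linux.hpe.com/SDR

# Key ID the page lists for each key file (8 hex digits, as published).
expected_id() {
    case "$1" in
        hpPublicKey2048_key1.pub)  echo B1275EA3 ;;
        hpePublicKey2048_key1.pub) echo 26C2B797 ;;
        hpePublicKey2048_key2.pub) echo 74C3A4A2 ;;
        *) return 1 ;;
    esac
}

# Reads `gpg --with-colons` output on stdin. Succeeds only if the input holds
# exactly one primary key whose fingerprint ends in the expected ID.
key_matches() {
    awk -F: -v want="$1" '
        $1 == "pub"            { pubs++; primary = 1; next }
        $1 == "fpr" && primary { fpr = toupper($10); primary = 0 }
        END {
            n = length(want)
            ok = (n > 0 && pubs == 1 && length(fpr) >= n &&
                  substr(fpr, length(fpr) - n + 1) == toupper(want))
            exit !ok
        }'
}

# Downloads one key to a temp file, checks it, prints the path on success.
# An 8-digit ID is a sanity check against a wrong or swapped file, not a
# substitute for the HTTPS download or a full-fingerprint comparison.
fetch_checked_key() {
    want=$(expected_id "$1") || { echo "unknown key file: $1" >&2; return 2; }
    tmp=$(mktemp) || return 1
    if curl -fsSL -o "$tmp" "$SDR_BASE/$1" &&
       gpg --show-keys --with-colons "$tmp" | key_matches "$want"; then
        echo "$tmp"
    else
        echo "download failed or key ID mismatch: $1" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Usage on an rpm-based system:
#   f=$(fetch_checked_key hpePublicKey2048_key2.pub) && rpm --import "$f"
```

On deb-based systems the checked file can be passed to "apt-key add" in place of the pipe from curl. apt-key is deprecated in current apt releases, where the key file is instead placed in a keyring referenced by the repository's signed-by option.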



Verify an rpm package signature

# rpm --checksig hpacucli-9.40-12.0.x86_64.rpm
hpacucli-9.40-12.0.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK


Verify an apt archive

Debs are different from rpms in that they are not directly signed. Instead, the apt index, which contains package checksums, is signed and verified. If "apt-get update" completes without a GPG error, your keys were installed correctly.


Use "apt-key list" to confirm your HPE public keys are enrolled:


# apt-key list
pub 4096R/74C3A4A2 2024-09-05 [expires: 2034-09-05]
uid Hewlett Packard Enterprise Company 2024-10-1 <signhp@hpe.com>

pub 2048R/26C2B797 2015-12-10 [expires: 2025-12-07]
uid Hewlett Packard Enterprise Company RSA-2048-25 <signhp@hpe.com>

pub 2048R/B1275EA3 2014-11-19 [expires: 2024-11-16]
uid Hewlett-Packard Company RSA (HP Codesigning Service) - 1

