Software Delivery Repository


Package Signature Verification

All software packages provided by HPE are cryptographically signed for your protection. By enrolling HPE's public keys with your software package manager (rpm/yum/apt/zypper), you'll know the packages you're installing are in fact from HPE, and have not been modified by anyone else. For more information on HPE cryptographic signatures, please refer to HPE Linux Code Signing Services.



 


HPE Public Keys

It is suggested that you enroll all keys to verify current and older versions of packages hosted in SDR repositories:

      hpPublicKey1024.pub         for packages published through 2013   fingerprint: 2689B887
      hpPublicKey2048.pub         for packages published during 2014    fingerprint: 5CE2D476
      hpPublicKey2048_key1.pub    for packages published during 2015    fingerprint: B1275EA3
      hpePublicKey2048_key1.pub   for packages published after 2015     fingerprint: 26C2B797


Enroll keys for RPM-based systems

Issue the following commands to enroll all keys on your rpm-based system:


rpm --import http://downloads.linux.hpe.com/SDR/hpPublicKey1024.pub
rpm --import http://downloads.linux.hpe.com/SDR/hpPublicKey2048.pub
rpm --import http://downloads.linux.hpe.com/SDR/hpPublicKey2048_key1.pub
rpm --import http://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub


Enroll keys for DEB-based systems

Issue the following commands to enroll all keys on your deb-based system:


curl http://downloads.linux.hpe.com/SDR/hpPublicKey1024.pub | apt-key add -
curl http://downloads.linux.hpe.com/SDR/hpPublicKey2048.pub | apt-key add -
curl http://downloads.linux.hpe.com/SDR/hpPublicKey2048_key1.pub | apt-key add -
curl http://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub | apt-key add -



Verify an rpm package signature

# rpm --checksig hpacucli-9.40-12.0.x86_64.rpm
hpacucli-9.40-12.0.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK


Verify an apt archive

Debs are different from rpms in that they are not directly signed. Instead, the apt index, which contains package checksums, is signed and verified. If "apt-get update" completes without a GPG error, your keys were installed correctly.


Use "apt-key list" to confirm your HPE public keys are enrolled:


# apt-key list
pub 2048R/26C2B797 2015-12-10 [expires: 2025-12-07]
uid Hewlett Packard Enterprise Company RSA-2048-25 <signhp@hpe.com>

pub 1024D/2689B887 2005-03-11 [expires: 2015-03-09]
uid Hewlett-Packard Company (HP Codesigning Service)

pub 2048R/5CE2D476 2012-12-04 [expires: 2022-12-02]
uid Hewlett-Packard Company RSA (HP Codesigning Service)

pub 2048R/B1275EA3 2014-11-19 [expires: 2024-11-16]
uid Hewlett-Packard Company RSA (HP Codesigning Service) - 1
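
The check above can be scripted. The following is an added example, not HPE's own tooling: it reads an "apt-key list" listing in the format shown above and reports, for each of the four key IDs in the table on this page, whether the key is enrolled, missing, or past its expiry date. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Key IDs from the table on this page; function names are this example's own.
EXPECTED_IDS="2689B887 5CE2D476 B1275EA3 26C2B797"

# Constructed sample: the page's listing with key 5CE2D476 left out on purpose.
sample_listing() {
cat <<'EOF'
pub 2048R/26C2B797 2015-12-10 [expires: 2025-12-07]
uid Hewlett Packard Enterprise Company RSA-2048-25 <signhp@hpe.com>

pub 1024D/2689B887 2005-03-11 [expires: 2015-03-09]
uid Hewlett-Packard Company (HP Codesigning Service)

pub 2048R/B1275EA3 2014-11-19 [expires: 2024-11-16]
uid Hewlett-Packard Company RSA (HP Codesigning Service) - 1
EOF
}

# audit_keys TODAY: reads a listing on stdin, TODAY is YYYY-MM-DD.
# Prints "<key id> ok|expired|missing" for each expected key ID.
audit_keys() {
    awk -v today="$1" -v ids="$EXPECTED_IDS" '
        $1 == "pub" {
            split($2, part, "/")          # "2048R/26C2B797" -> part[2] is the ID
            seen[part[2]] = 1
            # Pull the date out of "[expires: YYYY-MM-DD]" when present.
            if (match($0, /expires: [0-9-]+/))
                expiry[part[2]] = substr($0, RSTART + 9, RLENGTH - 9)
        }
        END {
            n = split(ids, want, " ")
            for (i = 1; i <= n; i++) {
                id = want[i]
                state = "ok"
                if (!(id in seen))
                    state = "missing"
                else if ((id in expiry) && expiry[id] < today)
                    state = "expired"   # ISO dates compare correctly as strings
                print id, state
            }
        }'
}

# Demo run against the constructed sample with a fixed reference date.
sample_listing | audit_keys 2016-01-01
```

On a live system, pipe the real listing in: apt-key list | audit_keys "$(date +%Y-%m-%d)". The eight-digit values are short key IDs, so a match confirms which keys are enrolled, not that the key material is authentic.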

