Software Delivery Repository

File Checksum Verification

Starting with the June 2019 release, HPE provides a signed checksum file containing the checksum values for every file in that release. By importing HPE's public key into GNU Privacy Guard (GnuPG), you can verify both the signature and the checksum values, and so confirm that the files you downloaded are in fact from HPE and have not been modified by anyone else.


Download HPE Public Key and GnuGPG Tool

Before you start verifying files hosted in the HPE repository, you will need to:
1) Download the GnuPG tool and install it on a local Windows or Linux system.
2) Download the HPE Public Key.


  GNU Privacy Guard | Binary Download  | Free Software: can be freely used, modified and distributed under the terms of the GNU GPL.

  HPE Public Key    | hpePublicKey.pub | Key-ID: 26C2B797 | Fingerprint: 57446EFDE098E5C934B69C7DC208ADDE26C2B797



Import the public key

Import the public key using the '--import' flag of the gpg command:


  # gpg --import <path_to_the_key.pub>

  # gpg --import http://vibsdepot.hpe.com/hpePublicKey.pub

  gpg: key C208ADDE26C2B797: public key "Hewlett Packard Enterprise Company RSA-2048-25 <signhp@hpe.com>" imported
  gpg: Total number processed: 1
  gpg: imported: 1



Set the trust level for the key

To get rid of the WARNING message shown below when verifying a signature, you need to trust the HPE Public Key.
Before doing so, confirm that the fingerprint printed by 'gpg --list-keys' matches the one published above (57446EFDE098E5C934B69C7DC208ADDE26C2B797).
Then follow the steps below to trust the key by setting its trust level to 'ultimate'.


  ====Warning Message=================================================
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg: There is no indication that the signature belongs to the owner.
  ====================================================================

  # gpg --list-keys           //list the imported keys

  # gpg --list-keys

  <key_store_path>/pubring.gpg
  ------------------------------------------------
  pub rsa2048 2015-12-10 [SCEA] [expires: 2025-12-07]
      57446EFDE098E5C934B69C7DC208ADDE26C2B797
  uid [ultimate] Hewlett Packard Enterprise Company RSA-2048-25 <signhp@hpe.com>


  # gpg --edit-key <KeyID> //edit the selected key

  # gpg --edit-key 57446EFDE098E5C934B69C7DC208ADDE26C2B797

  gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.

  pub rsa2048/C208ADDE26C2B797
  created: 2015-12-10 expires: 2025-12-07 usage: SCEA
  trust: ultimate validity: ultimate
  [ultimate] (1). Hewlett Packard Enterprise Company RSA-2048-25 <signhp@hpe.com>


  gpg> trust                 //set the trust level for the key

  gpg> trust

  Please decide how far you trust this user to correctly verify other users' keys
  (by looking at passports, checking fingerprints from different sources, etc.)
    1 = I don't know or won't say
    2 = I do NOT trust
    3 = I trust marginally
    4 = I trust fully
    5 = I trust ultimately
    m = back to the main menu

  Your decision? 5           //set to level 5(trust ultimately)
  Do you really want to set this key to ultimate trust? (y/N) y

  gpg> quit


  # gpg --list-key           //check the key status again

  # gpg --list-key

  <key_store_path>/pubring.gpg
  ------------------------------------------------
  pub rsa2048 2015-12-10 [SCEA] [expires: 2025-12-07]
      57446EFDE098E5C934B69C7DC208ADDE26C2B797
  uid [ultimate] Hewlett Packard Enterprise Company RSA-2048-25 <signhp@hpe.com>



Verify the checksum

Before you start verifying the checksum values of files hosted in the HPE repository, you will need to:
1) Download both 'checksums.txt' and 'checksums.txt.sig' from the desired release folder:
    http://vibsdepot.hpe.com/hpe/<ReleaseFolder>/checksums.txt (.sig)
    For example: http://vibsdepot.hpe.com/hpe/jun2019/checksums.txt (.sig)
2) Download the checksum tool: md5sum on a Linux system or fciv on a Windows system.
    Verify the result by comparing the checksum value the tool generates with the value listed in checksums.txt.


  # cat <ChecksumFile>

  # cat checksums.txt (OR) # type checksums.txt

  8d9be471943d565a9c6fd0cfbb1dbf39 ./esxi-650-bundles/esxi6.5-util-bundle-3.4.0-12.zip
  93582ad38348551f92899ec68ff3513c ./esxi-650-bundles/esxi6.5uX-mgmt-bundle-3.4.0-14.zip
  0701d384de63a7d1bdd2b3c896beff14 ./esxi-650-devicedrivers/VMW-ESX-6.5.0-bnxt-214.0-11864071.zip
  ......

  # md5sum <filename>

  # md5sum esxi6.5-util-bundle-3.4.0-12.zip

  8d9be471943d565a9c6fd0cfbb1dbf39 esxi6.5-util-bundle-3.4.0-12.zip


  # fciv.exe <filename>

  # fciv.exe VMW-ESX-6.5.0-bnxt-214.0-11864071.zip

  //
  // File Checksum Integrity Verifier version 2.05.
  //
  0701d384de63a7d1bdd2b3c896beff14 VMW-ESX-6.5.0-bnxt-214.0-11864071.zip



Verify the signature

Verify the digital signature on the signed checksum file; do this before relying on any of the checksum values it lists. The output of the command indicates whether the signature is valid.


  # gpg --verify <filename.sig> <filename>

  # gpg --verify checksums.txt.sig checksums.txt

  gpg: Signature made Tue 01 Nov 2016 04:48:47 PM UTC using RSA key ID 5CE2D476
  gpg: Good signature from "Hewlett Packard Enterprise Company RSA 2048 1"
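The two checks above (checksum values against checksums.txt, and the signature on checksums.txt) scripted end to end, as an added example that is not HPE's own tooling. It assumes Python 3 on the Linux side of the procedure; the signature check parses the machine-readable status lines that 'gpg --status-fd 1 --verify checksums.txt.sig checksums.txt' prints, and accepts a signature only if the signing key's fingerprint equals the one published on this page, so it does not depend on the 'ultimate' trust setting. The sample bundle files and checksums.txt in make_demo_dir() are constructed for the demo, not real HPE bundles.

```python
import hashlib
import tempfile
from pathlib import Path

# Fingerprint of the HPE public key as published on this page.
HPE_FINGERPRINT = "57446EFDE098E5C934B69C7DC208ADDE26C2B797"

def parse_checksums(text):
    """'<md5> ./dir/file' lines -> {file name: md5}; skips blanks and '......'."""
    expected = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 32:
            expected[Path(parts[1].strip()).name] = parts[0].lower()
    return expected

def check_downloads(checksum_text, directory):
    """{zip name: 'ok' | 'mismatch' | 'not listed'} for every .zip in directory."""
    expected = parse_checksums(checksum_text)
    results = {}
    for path in sorted(Path(directory).glob("*.zip")):
        if path.name not in expected:
            results[path.name] = "not listed"
        else:
            actual = hashlib.md5(path.read_bytes()).hexdigest()
            results[path.name] = "ok" if actual == expected[path.name] else "mismatch"
    return results

def signature_is_from_hpe(status_output, fingerprint=HPE_FINGERPRINT):
    """Parse the output of 'gpg --status-fd 1 --verify <sig> <file>' and accept
    only a VALIDSIG whose signing-key or primary-key fingerprint equals the
    published one, independent of the trust level set in the local keyring."""
    for line in status_output.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            return fingerprint.upper() in (f[2].upper(), f[-1].upper())
    return False

def make_demo_dir():
    """Constructed sample (not real HPE bundles): one intact, one tampered, one unlisted."""
    d = Path(tempfile.mkdtemp())
    good = b"constructed util bundle\n"
    (d / "esxi6.5-util-bundle-3.4.0-12.zip").write_bytes(good)
    (d / "esxi6.5uX-mgmt-bundle-3.4.0-14.zip").write_bytes(b"tampered bundle\n")
    (d / "unknown-bundle.zip").write_bytes(b"not listed\n")
    text = (hashlib.md5(good).hexdigest() + " ./esxi-650-bundles/esxi6.5-util-bundle-3.4.0-12.zip\n"
            "93582ad38348551f92899ec68ff3513c ./esxi-650-bundles/esxi6.5uX-mgmt-bundle-3.4.0-14.zip\n"
            "......\n")
    return text, str(d)
```

A "not listed" result means the file is not covered by the signed checksums.txt at all, which deserves the same scrutiny as a mismatch.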


