Software Delivery Repository


Package Signature Verification

All software packages provided by HPE are cryptographically signed for your protection. By enrolling HPE's public keys with your software package manager (rpm/yum/apt/zypper), you can be sure that the packages you install are in fact from HPE and have not been modified by anyone else. For more information on HPE cryptographic signatures, please refer to HPE Linux Code Signing Services.



 


HPE Public Keys

It is suggested that you enroll all keys to verify current and older versions of packages hosted in SDR repositories:

      hpPublicKey2048_key1.pub    for packages published during 2015    fingerprint: B1275EA3
      hpePublicKey2048_key1.pub   for packages published after 2015     fingerprint: 26C2B797
      hpePublicKey2048_key2.pub   for packages published after 2024     fingerprint: 74C3A4A2
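Before enrolling a key file, it is worth confirming that the file you downloaded really carries the key ID listed above (the eight-character "fingerprint" value is the short key ID, the last eight hex digits of the full key ID). The shell script below is an added example and not part of the SDR page or HPE's own tooling: it parses GnuPG's machine-readable "--with-colons" listing of a key file and compares each primary key's short ID with the published value. The "verify_downloaded_key" helper, the use of "gpg --show-keys" (GnuPG 2.1.23 or later) and the sample listings are assumptions; in the samples only the final eight digits of each key ID come from this page.

```sh
#!/bin/sh
# Added example, not HPE's code: confirm a downloaded SDR key file carries the
# key ID published on the SDR page before passing it to rpm --import or gpg.

# Expected short key IDs (last 8 hex digits of the key ID) as published above.
expected_keyid() {
    case "$1" in
        hpPublicKey2048_key1.pub)  echo B1275EA3 ;;
        hpePublicKey2048_key1.pub) echo 26C2B797 ;;
        hpePublicKey2048_key2.pub) echo 74C3A4A2 ;;
        *) return 1 ;;
    esac
}

# Print the key ID (field 5) of every primary key ("pub" record) in a
# "gpg --with-colons" listing read from stdin.
pub_keyids_from_colons() {
    awk -F: '$1 == "pub" { print $5 }'
}

# Compare every primary key in the listing on stdin against the ID published
# for key file $1. Returns 0 only if at least one key was found and all match.
check_keyids() {
    file="$1"
    want=$(expected_keyid "$file") || { echo "unknown key file: $file" >&2; return 2; }
    found=0
    bad=0
    for kid in $(pub_keyids_from_colons); do
        found=1
        short=$(printf '%s' "$kid" | tail -c 8 | tr 'a-z' 'A-Z')
        if [ "$short" = "$want" ]; then
            echo "MATCH    $file $kid"
        else
            echo "MISMATCH $file $kid (expected ...$want)"
            bad=1
        fi
    done
    if [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]; then return 0; else return 1; fi
}

# Live path (assumption: curl and GnuPG >= 2.1.23 for --show-keys): fetch the
# key file, let gpg list it without importing it, and gate on the published ID.
# Only enrol the file (rpm --import / gpg --dearmor) when this returns 0.
verify_downloaded_key() {
    curl -fsSL "https://downloads.linux.hpe.com/SDR/$1" \
        | gpg --show-keys --with-colons 2>/dev/null \
        | check_keyids "$1"
}

# CONSTRUCTED sample listings for offline use: the 16-digit key IDs, dates and
# fingerprints are made up except for the trailing 8 digits taken from the page.
SAMPLE_COLONS_MATCH='pub:-:2048:1:ABCDEF01B1275EA3:1416355200:1731715200::-:::sc::::::23::0:
fpr:::::::::000000000000000000000000ABCDEF01B1275EA3:
uid:-::::1416355200::0000000000000000000000000000000000000000::Hewlett-Packard Company RSA (HP Codesigning Service) - 1::::::::::0:'
SAMPLE_COLONS_MISMATCH='pub:-:2048:1:ABCDEF0126C2B797:1449705600:1765065600::-:::sc::::::23::0:
fpr:::::::::000000000000000000000000ABCDEF0126C2B797:'
```

Running "printf '%s\n' "$SAMPLE_COLONS_MATCH" | check_keyids hpPublicKey2048_key1.pub" prints a MATCH line and returns 0; feeding the mismatch sample to the same file name prints MISMATCH and returns 1. An empty listing also fails, so a truncated or non-key download (for example an HTML error page) cannot slip through as "nothing to compare".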


Enroll keys for RPM-based systems

Issue the following commands to enroll all keys on your rpm-based system:


rpm --import https://downloads.linux.hpe.com/SDR/hpPublicKey2048_key1.pub
rpm --import https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub
rpm --import https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key2.pub


Enroll keys for DEB-based systems

Issue the following commands to enroll all keys on your deb-based system and save them to a shared keyring file:


curl https://downloads.linux.hpe.com/SDR/hpPublicKey2048_key1.pub | gpg --dearmor | sudo tee -a /usr/share/keyrings/hpePublicKey.gpg > /dev/null
curl https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub | gpg --dearmor | sudo tee -a /usr/share/keyrings/hpePublicKey.gpg > /dev/null
curl https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key2.pub | gpg --dearmor | sudo tee -a /usr/share/keyrings/hpePublicKey.gpg > /dev/null

(Make sure your APT repository entry includes the "[signed-by=/usr/share/keyrings/hpePublicKey.gpg]" option to enable proper signature verification.)
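One way to check that every SDR entry actually carries that option is the audit script below. It is an added example, not HPE's own tooling: it reads one-line-style APT source entries and reports any downloads.linux.hpe.com entry that omits signed-by or points it at a different keyring (deb822 ".sources" files with a "Signed-By:" field are not handled). The sample entries are constructed and the repository path in them is a placeholder.

```sh
#!/bin/sh
# Added example, not HPE's code: check that every HPE SDR entry in an APT
# sources file pins the shared keyring with signed-by. Without signed-by, apt
# accepts the repository's signed index if ANY key in its trust store signed it.
KEYRING=/usr/share/keyrings/hpePublicKey.gpg

# Audit one-line-style entries ("deb [options] uri suite components") read from
# stdin. Prints one verdict per deb/deb-src line and returns 0 only when every
# downloads.linux.hpe.com entry carries signed-by=$KEYRING. deb822 ".sources"
# files (Signed-By: field) are not handled here.
audit_sources() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "deb "*|"deb-src "*) ;;                # only repository lines
            *) continue ;;                         # comments, blanks, other text
        esac
        case "$line" in
            *downloads.linux.hpe.com*) ;;
            *) echo "NOT-SDR           $line"; continue ;;
        esac
        case "$line" in
            *"signed-by=$KEYRING]"*|*"signed-by=$KEYRING "*|*"signed-by=$KEYRING,"*)
                echo "OK                $line" ;;
            *signed-by=*)
                echo "WRONG-KEYRING     $line"; rc=1 ;;
            *)
                echo "MISSING-SIGNED-BY $line"; rc=1 ;;
        esac
    done
    return $rc
}

# Live use: audit the system's one-line sources files.
audit_system_sources() {
    cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null | audit_sources
}

# CONSTRUCTED sample entries; the SDR repository path is a placeholder.
SAMPLE_SOURCES='# constructed sample
deb [signed-by=/usr/share/keyrings/hpePublicKey.gpg] https://downloads.linux.hpe.com/SDR/repo/PLACEHOLDER-REPO stable current
deb https://downloads.linux.hpe.com/SDR/repo/PLACEHOLDER-REPO stable current
deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/other.gpg] https://downloads.linux.hpe.com/SDR/repo/PLACEHOLDER-REPO stable current
deb [arch=amd64 signed-by=/usr/share/keyrings/hpePublicKey.gpg] https://downloads.linux.hpe.com/SDR/repo/PLACEHOLDER-REPO stable current
deb http://mirror.example.invalid/debian stable main'
```

"printf '%s\n' "$SAMPLE_SOURCES" | audit_sources" prints two OK lines, one MISSING-SIGNED-BY, one WRONG-KEYRING and one NOT-SDR verdict and returns 1, which makes it usable as a gate in configuration management before "apt-get update" is run.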



Verify an rpm package signature

# rpm --checksig hpacucli-9.40-12.0.x86_64.rpm
hpacucli-9.40-12.0.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK
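A script that consumes this output must not simply look for "OK": a failure line ends in "NOT OK", and an unsigned package passes its digest checks and also ends in "OK", just without any signature token ("gpg"/"pgp" on older rpm releases, "signatures" on rpm 4.14 and later). The gate below is an added example, not HPE's code; the classification tokens are an assumption about rpm's output format, and all sample lines except the first (which is the page's own) are constructed.

```sh
#!/bin/sh
# Added example, not HPE's code: accept a package only when "rpm --checksig"
# reports a verified signature, not merely intact digests.

# Classify one "rpm --checksig" result line given as $1. Returns 0 only for a
# verified signature. Tokens are an assumption about rpm's output: "gpg"/"pgp"
# on rpm 4.11-style lines, "signatures" on rpm >= 4.14; "NOT OK" marks failure
# and a line ending in "OK" with no signature token is an unsigned package.
classify_checksig_line() {
    line="$1"
    case "$line" in
        *"NOT OK"*)                      echo "FAILED   $line"; return 1 ;;
        *gpg*OK|*pgp*OK|*signatures*OK)  echo "VERIFIED $line"; return 0 ;;
        *OK)                             echo "UNSIGNED $line"; return 1 ;;
        *)                               echo "FAILED   $line"; return 1 ;;
    esac
}

# Read result lines from stdin; return non-zero if any package is not VERIFIED.
gate_checksig_output() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        classify_checksig_line "$line" || rc=1
    done
    return $rc
}

# Live use: check every .rpm in directory $1 (keys must already be enrolled
# with rpm --import). rpm's own exit status is not enough on its own, since a
# package without any signature can still exit 0 when only digests are checked.
gate_rpm_dir() {
    rpm --checksig "$1"/*.rpm | gate_checksig_output
}

# CONSTRUCTED sample output: the first line is the page's own example, the rest
# are made up to show the other outcomes.
SAMPLE_CHECKSIG='hpacucli-9.40-12.0.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK
example-signed-1.0-1.x86_64.rpm: digests signatures OK
example-unsigned-1.0-1.x86_64.rpm: digests OK
example-tampered-1.0-1.x86_64.rpm: digests SIGNATURES NOT OK
example-nokey-1.0-1.x86_64.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#26c2b797)'
```

"printf '%s\n' "$SAMPLE_CHECKSIG" | gate_checksig_output" marks the first two lines VERIFIED, the third UNSIGNED and the last two FAILED, and returns 1. The "MISSING KEYS" case is the one you will see when a key from the table above has not been enrolled yet.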


Verify an apt archive

Debs differ from rpms in that the packages themselves are not signed. Instead, the apt index, which contains the package checksums, is signed and verified. If "apt-get update" completes without a GPG error, your keys were installed correctly.


Use "gpg --list-keys --no-default-keyring --keyring /usr/share/keyrings/hpePublicKey.gpg" to confirm that your HPE public keys have been saved to the shared keyring file:


# gpg --list-keys --no-default-keyring --keyring /usr/share/keyrings/hpePublicKey.gpg
pub 4096R/74C3A4A2 2024-09-05 [expires: 2034-09-05]
uid Hewlett Packard Enterprise Company 2024-10-1 <signhp@hpe.com>

pub 2048R/26C2B797 2015-12-10 [expires: 2025-12-07]
uid Hewlett Packard Enterprise Company RSA-2048-25 <signhp@hpe.com>

pub 2048R/B1275EA3 2014-11-19 [expires: 2024-11-16]
uid Hewlett-Packard Company RSA (HP Codesigning Service) - 1

