GPG Signatures
Jump to navigation
Jump to search
Funtoo Linux stage tarballs are signed using GPG by the build server they are built on. The following keys are used to create detached binary signatures ending in .gpg of each stage tarball:
| GPG key name/email | GPG comment | GPG Key ID | Fingerprint | GPG Key Type |
|---|---|---|---|---|
Daniel Robbins drobbins@funtoo.org | metro:node | 11FD00FD | 70AC BB6B FEE7 BC57 2A89 41D1 9266 C4FA 11FD 00FD | 4096-bit RSA (no expiry) |
Daniel Robbins drobbins@funtoo.org | metro:excavator | 683A2F8A | E8C5 7481 5DC1 74AF 5A9E 8385 3AA5 CA5E 683A 2F8A | 4096-bit RSA (no expiry) |
In turn, these public keys are signed by the Funtoo Linux master signing key:
| GPG key name/email | GPG comment | GPG Key ID | Fingerprint | GPG Key Type |
|---|---|---|---|---|
Daniel Robbins drobbins@funtoo.org | BDFL | E986E8EE | D3B9 48F8 2EE8 B402 0A04 1078 9A65 8306 E986 E8EE | 4096-bit RSA (no expiry) |
To verify the integrity of stage3 tarballs using GPG, first download your preferred stage3 taball, and the matching file with the additional .gpg extension in the same directory. Then perform the following steps:
root # gpg --recv-key 11FD00FD root # gpg --recv-key 683A2F8A root # gpg --verify stage3-latest.tar.xz.gpg stage3-latest.tar.xz
You should see output similar to this:
gpg: Signature made Sat 10 Dec 2016 08:46:41 PM MST using RSA key ID 4FF347DD gpg: Good signature from "Daniel Robbins (metro:excavator) <drobbins@funtoo.org>" [ultimate]