Customers can verify that the signed code they receive is indeed from Buzzinbees and that it has not been manipulated in any way by a third party. The software is signed with a private key held only by Buzzinbees.
Verification using RPM
The rpm command can be used to verify your software. Copy and paste the
Buzzinbees public key shown below into a new file named
BuzzinbeesPublicKey.pub and then install it on your system. To
correctly copy the key, highlight all text below, starting with
-----BEGIN PGP PUBLIC KEY BLOCK----- and continuing through and
including -----END PGP PUBLIC KEY BLOCK-----. You can then
check the signature on your signed file against this public key, which will
confirm the integrity and origin of your file.
Install the public key using the --import flag of the rpm
command, running as root:
# rpm --import BuzzinbeesPublicKey.pub
Use the rpm --checksig command to validate and verify the
digital signature of the signed file. The output from the command indicates
the validity of the signature:
# rpm --checksig file.rpm
file.rpm: (sha1) dsa sha1 md5 gpg OK
If your file does not pass verification or you do not have the Buzzinbees public key installed, you may see an error:
# rpm --checksig badfile2.rpm
badfile2.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: key#s)
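In this case, do not install the RPM. Either the file has been modified in some way since Buzzinbees released it, or, when the output reports MISSING KEYS, the Buzzinbees public key is not installed and the signature could not be checked.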
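For scripted installs, the two output lines above can be turned into a gate that refuses anything other than a verified signature. This is an added example, not Buzzinbees' own tooling: the function names are hypothetical, and it assumes the older rpm output format shown on this page and that rpm echoes the file name exactly as it was given.

```shell
#!/bin/sh
# Classify one line of `rpm --checksig` output (format as shown on this page).
#   $1 = file name passed to rpm, $2 = the output line
# Returns: 0 = signature verified
#          1 = public key missing, signature could not be checked
#          2 = verification failed, package unsigned, or line not recognised
classify_checksig() {
    cs_file=$1
    cs_line=$2
    # Strip the exact "<file>: " prefix, so text inside a crafted file name
    # can never be mistaken for part of the verdict.
    cs_result=${cs_line#"$cs_file: "}
    [ "$cs_result" != "$cs_line" ] || return 2

    case $cs_result in
        *"MISSING KEYS"*) return 1 ;;   # key not imported into the rpm keyring
        *"NOT OK"*)       return 2 ;;   # digest or signature mismatch
    esac
    case $cs_result in
        *" OK") ;;                      # verdict must end in a bare OK
        *)      return 2 ;;
    esac
    # A digest-only verdict ("sha1 md5 OK") means the package carries no
    # signature at all. Require a lowercase signature token: rpm prints
    # failed or unchecked items in upper case or parentheses.
    case " $cs_result " in
        *" gpg "*|*" pgp "*|*" dsa "*|*" rsa "*) return 0 ;;
    esac
    return 2
}

# Run rpm and classify its verdict; the status codes are those listed above.
verify_rpm() {
    vr_out=$(LC_ALL=C rpm --checksig "$1" 2>/dev/null)
    classify_checksig "$1" "$vr_out"
}
```

A caller would install only when verify_rpm returns 0; status 1 means the key has to be imported before the check is repeated.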
Verification using GPG
In order to verify files signed with GPG, first copy and paste the
Buzzinbees public key shown above into a new file named
BuzzinbeesPublicKey.pub and then install it on your system,
setting the appropriate trust level. You can then check the signature on
your signed file against this public key, which will confirm the integrity and
origin of your file.
Install Buzzinbees's public key using the --import flag of the
gpg command:
# gpg --import BuzzinbeesPublicKey.pub
Now use the gpg --verify command to validate and verify the
digital signature of the signed file. The output from the command indicates
the validity of the signature. In this case the signature is kept in a separate
file, so the command takes both the signature file and the file that was signed:
# gpg --verify filename.sig filename
If the level of trust on the key has not been set, you will see a trust level warning similar to this:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Because you have downloaded the key from this site, and this site is SSL secured by Buzzinbees, you can ultimately trust that this public key is indeed from Buzzinbees. Edit the key to set its trust level so that verification completes without the warning:
# gpg --edit-key "Buzzinbees"
Type the command trust, and select 5 for trusting
the key ultimately. Confirm and quit.
From now on, you should not see the warning about an untrusted identity when verifying the signature.
