Security

RPM packages to install and run orcharhino are signed by GPG keys with one of the following fingerprints.

orcharhino content

ATIX AG signs RPM packages:

pub   rsa4096 2015-08-03 [SC]
      CA56F29E00060B63D0890D0F5BD96651DF50FFFB
uid                      ATIX AG <info@atix.de>

Additionally, ATIX AG publishes the checksum of the ISO image on Offline Installations and Upgrades in the ATIX Service Portal.

AlmaLinux 9.6 ISO images

AlmaLinux signs RPM packages and the checksum files of AlmaLinux ISO images:

pub   rsa4096 2022-01-18 [SC]
      BF18AC2876178908D6E71267D36CB86CB86B3716
uid                      AlmaLinux OS 9 <packager@almalinux.org>
sub   rsa4096 2022-01-18 [E]

Oracle Linux 9.6 ISO images

Oracle signs RPM packages and the *.checksum files of Oracle Linux ISO images:

pub   rsa4096 2022-01-19 [SC] [expires: 2042-01-14]
      982231759C7467065D0CE9B2A7DD07088B4EFBE6
uid                      Oracle Linux (backup key 1) <secalert_us@oracle.com>
sub   rsa4096 2022-01-19 [E] [expires: 2041-06-02]

For more information, see linux.oracle.com/security/gpg.

Red Hat Enterprise Linux 9.6 ISO images

Red Hat signs RPM packages:

pub   rsa4096 2009-10-22 [SC]
      567E347AD0044ADE55BA8A5F199E2F91FD431D51
uid           [ unknown] Red Hat, Inc. (release key 2) <security@redhat.com>

pub   rsa4096 2022-03-09 [SC]
      7E4624258C406535D56D6F135054E4A45A6340B3
uid           [ unknown] Red Hat, Inc. (auxiliary key 3) <security@redhat.com>

Puppet

Puppet content for orcharhino Server and orcharhino Proxy Servers on OCC is signed by Puppet:

pub   rsa4096 2019-04-08 [SC]
      D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26
uid                      Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
sub   rsa4096 2019-04-08 [E]

Salt

Salt content for orcharhino Server and orcharhino Proxy Servers on OCC is signed by Salt:

pub   rsa3072 2023-02-01 [SC]
      10857FFDD3F91EAE577A21D664CBBC8173D76B3F
uid                      Salt Project Packaging <saltproject-packaging@vmware.com>
sub   rsa3072 2023-02-01 [E]

Verifying ISO Image downloads

You can verify the integrity of ISO images:

  • Verify the checksum of the ISO image to ensure that the ISO has not been corrupted during the download.

  • Verify the signature of the checksum to ensure that the ISO has been built by the original vendor.

Prerequisites
  • gpg 2.3.3 or later

  • sha256sum via GNU coreutils 8.32 or later

Procedure
  1. On your local host, download the ISO image, the vendor's GPG public key, and the signed CHECKSUMS file (curl needs -O to write each download to a file instead of standard output):

    $ curl -O https://example.com/CHECKSUMS
    $ curl -O https://example.com/gpg-pub-key.asc
    $ curl -O https://example.com/os.iso

  2. Verify the sha256 checksum of the ISO image (--ignore-missing skips entries in CHECKSUMS for files you did not download):

    $ sha256sum --ignore-missing --check CHECKSUMS

  3. Import the GPG public key and verify the signature of the CHECKSUMS file:

    $ gpg --import gpg-pub-key.asc
    $ gpg --verify CHECKSUMS

Only continue using the ISO image if its checksum matches the entry in the CHECKSUMS file and if gpg reports a good signature on the CHECKSUMS file from the key whose fingerprint is listed above for that vendor. A good signature alone is not sufficient: any key in your keyring can produce one, so compare the fingerprint.
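The fingerprint comparison above can be scripted rather than read off by eye. The following is an added example and not part of the orcharhino documentation: it parses the machine-readable output of `gpg --status-fd` so that a signature only counts if it comes from the pinned fingerprint, and then runs the checksum step. The fingerprint is the AlmaLinux 9 key listed on this page; the file names gpg-pub-key.asc and CHECKSUMS follow the procedure, and the gpg status lines used for the offline check are constructed, not captured from a real verification.

```shell
#!/bin/sh
# Added example (not from the orcharhino docs): verify CHECKSUMS with the signing key
# pinned to an expected fingerprint, then check the ISO. File names and the sample
# gpg status output are constructed; the fingerprint is the AlmaLinux 9 key.

# Return 0 only if a VALIDSIG line in gpg --status-fd output names the expected key,
# either as the signing key (field 3) or as the primary key (last field). The last
# field matters because a vendor may sign with a subkey whose own fingerprint differs
# from the published primary-key fingerprint. Spaces and case in the input are ignored.
signed_by_fingerprint() {
  want=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
  printf '%s\n' "$2" | awk -v want="$want" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
      (toupper($3) == want || toupper($NF) == want) { found = 1 }
    END { exit !found }'
}

# Full check: import the vendor key, require a signature from the pinned fingerprint,
# then verify the ISO checksum. Run in the directory holding the downloaded files.
verify_iso() {
  expected_fpr=$1; keyfile=$2; checksums=$3
  gpg --import "$keyfile" >/dev/null 2>&1 || return 1
  status=$(gpg --status-fd 1 --verify "$checksums" 2>/dev/null) || return 1
  signed_by_fingerprint "$expected_fpr" "$status" || {
    echo "CHECKSUMS is not signed by key $expected_fpr" >&2; return 1; }
  sha256sum --ignore-missing --check "$checksums"
}

ALMA_FPR=BF18AC2876178908D6E71267D36CB86CB86B3716

# Constructed gpg status output (no real signature was produced) for an offline check.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D36CB86CB86B3716 AlmaLinux OS 9 <packager@almalinux.org>
[GNUPG:] VALIDSIG BF18AC2876178908D6E71267D36CB86CB86B3716 2024-05-28 1716900000 0 4 0 1 8 00 BF18AC2876178908D6E71267D36CB86CB86B3716'

# Constructed: a valid signature, but from a different (placeholder) key in the keyring.
OTHER_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2024-05-28 1716900000 0 4 0 1 8 00 0000000000000000000000000000000000000000'

# Usage against real downloads: verify_iso "$ALMA_FPR" gpg-pub-key.asc CHECKSUMS
```

`verify_iso` needs gpg and sha256sum installed; `signed_by_fingerprint` only needs awk and can be tried on the constructed status strings.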