Signature verification

Created by Yuriy Andamasov, Modified on Thu, 27 Apr, 2023 at 6:00 AM by Aslan Hajiyev

The integrity and authenticity of the downloaded file can be verified by performing the signature check. VyOS provides two signature checks i.e GPG and Minisign.

Commands:

 minisign -VP $pub_key -m $File_to_Verify

 gpg –verify $signature_file $File_to_Verify 

Example:

Download the image file and signature file to your local device and execute the following commands:

vyos@vyos# minisign -VP RWTR1ty93Oyontk6caB9WqmiQC4fgeyd/ejgRxCRGd2MQej7nqebHneP -m vyos-1.2.8-cloud-init-vmware.ova
Signature and comment signature verified
Trusted comment: timestamp:1648648775   file:vyos-1.2.8-cloud-init-vmware.ova

The public key for minisign is located at this path: /usr/share/vyos/keys/vyos-release.minisign.pub.

 vyos@vyos:~$  sudo gpg --verify vyos-1.3.1-amd64.iso.asc vyos-1.3.1-amd64.iso
gpg: Signature made Sat 19 Mar 2022 05:59:36 PM UTC
gpg: using RSA key 0694A9230F5139BF834BA458FD220285A0FE6D7E
gpg: Good signature from "VyOS Maintainers (VyOS Release) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0694 A923 0F51 39BF 834B A458 FD22 0285 A0FE 6D7E

The Good signature message indicates that the file signature is valid. If you see any other warning related to the key which is normal.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article