Signature verification

The integrity and authenticity of the downloaded file can be verified by performing the signature check. VyOS provides two signature checks i.e GPG and Minisign.

Commands:

 minisign -VP $pub_key -m $File_to_Verify

 gpg –verify $signature_file $File_to_Verify 

Example:

Download the image file and signature file to your local device and execute the following commands:

vyos@vyos# minisign -VP RWTR1ty93Oyontk6caB9WqmiQC4fgeyd/ejgRxCRGd2MQej7nqebHneP -m vyos-1.2.8-cloud-init-vmware.ova
Signature and comment signature verified
Trusted comment: timestamp:1648648775   file:vyos-1.2.8-cloud-init-vmware.ova

The public key for minisign is located at this path: /usr/share/vyos/keys/vyos-release.minisign.pub.

 vyos@vyos:~$  sudo gpg --verify vyos-1.3.1-amd64.iso.asc vyos-1.3.1-amd64.iso
 gpg: Signature made Sat 19 Mar 2022 05:59:36 PM UTC
 gpg:                using RSA key 0694A9230F5139BF834BA458FD220285A0FE6D7E
 gpg: Good signature from "VyOS Maintainers (VyOS Release) " [unknown]
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
 Primary key fingerprint: 0694 A923 0F51 39BF 834B  A458 FD22 0285 A0FE 6D7E

The Good signature message indicates that the file signature is valid. If you see any other warning related to the key which is normal.