Signatures

This page describes the signing process we use when building RabbitMQ release packages, and how to verify the signatures on packages you download.

When we build package archive files, both binary and source, we digitally sign them using GnuPG and our public signing key.

Importing the signing key

First, you need to import our gpg key. You can do that using the SKS Keyservers pool:

gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys 0x6B73A36E6026DFCA

or you can download the key directly from our site:

wget https://www.rabbitmq.com/rabbitmq-release-signing-key.asc
gpg --import rabbitmq-release-signing-key.asc

or Bintray:

wget https://dl.bintray.com/rabbitmq/Keys/rabbitmq-release-signing-key.asc
gpg --import rabbitmq-release-signing-key.asc

For installation via Debian (apt) repositories, use apt-key:

apt-key adv --keyserver hkps.pool.sks-keyservers.net --recv-keys 0x6B73A36E6026DFCA

Checking signatures

Now you should be able to check signatures for our packages. The appropriate command for checking a detached signature is

gpg --verify filename.asc filename

Here's an example session, after having retrieved a RabbitMQ source archive and its associated detached signature from the download area:

gpg --verify rabbitmq-server_3.6.2-1_all.deb.asc rabbitmq-server_3.6.2-1_all.deb
gpg: Signature made Thu 12 May 2016 11:18:49 AM BST
gpg:                using RSA key 0xEDF4AE3B59B046FA
gpg: using subkey 0xEDF4AE3B59B046FA instead of primary key 0x6B73A36E6026DFCA
gpg: using PGP trust model
gpg: Good signature from "RabbitMQ Signing Key <[email protected]>" [full]
Primary key fingerprint: 4E30 C634 2FB4 AF5C 6334  2330 79A1 D640 D80A 61F0
     Subkey fingerprint: 5EC4 26E8 A6F3 523D D924  8FC8 EDF4 AE3B 59B0 46FA
gpg: binary signature, digest algorithm SHA512

If the signature is invalid, you will see a "BAD signature" message, and you should not use the package.

If the signature is valid, you should expect a "Good signature" message; if you have not signed our key, you will see a "Good signature" message along with a warning about our key being untrusted.
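As an added example (not part of the RabbitMQ documentation), here is a small POSIX shell helper that drives gpg's machine-readable --status-fd output instead of grepping the human-readable "Good signature" text, and accepts a package only when the VALIDSIG line's primary key fingerprint equals the one pinned from the session above. The sample status lines are constructed, and verify_package assumes gpg is on PATH.

```shell
# Pinned primary key fingerprint, copied (without spaces) from the example session.
RABBITMQ_PRIMARY_FPR="4E30C6342FB4AF5C6334233079A1D640D80A61F0"

# check_gpg_status STATUS_TEXT EXPECTED_FPR
# STATUS_TEXT is the output of "gpg --status-fd 1 --verify SIG FILE".
# Returns 0 only if a VALIDSIG line is present and its last field (the
# primary key fingerprint) matches EXPECTED_FPR; returns 2 on BADSIG and 1
# otherwise. A "Good signature" from any key in the keyring is not enough.
check_gpg_status() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 == "[GNUPG:]" && $2 == "BADSIG"   { bad = 1 }
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" { valid = 1; if ($12 == want) pinned = 1 }
    END { if (bad) exit 2; if (valid && pinned) exit 0; exit 1 }
  '
}

# verify_package SIGFILE FILE: run gpg and apply the fingerprint check.
verify_package() {
  status="$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null)"
  check_gpg_status "$status" "$RABBITMQ_PRIMARY_FPR"
}

# Constructed sample status output, shaped like the real session above.
SAMPLE_GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EDF4AE3B59B046FA RabbitMQ Signing Key
[GNUPG:] VALIDSIG 5EC426E8A6F3523DD9248FC8EDF4AE3B59B046FA 2016-05-12 1463048329 0 4 0 1 10 00 4E30C6342FB4AF5C6334233079A1D640D80A61F0
[GNUPG:] TRUST_FULLY 0 pgp'

# Constructed: the file was tampered with, the signature no longer matches.
SAMPLE_BADSIG_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG EDF4AE3B59B046FA RabbitMQ Signing Key'

# Constructed: a valid signature, but from some other key in the keyring
# (placeholder fingerprint), which a plain "Good signature" check would accept.
SAMPLE_OTHER_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Some Other Key
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2016-05-12 1463048329 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[GNUPG:] TRUST_UNDEFINED 0 pgp'
```

Usage: `verify_package rabbitmq-server_3.6.2-1_all.deb.asc rabbitmq-server_3.6.2-1_all.deb && echo OK`.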

If you trust our key, you can avoid the warning that GnuPG prints by signing it with your own key (to create your private key, run gpg --gen-key):

gpg --sign-key 0x6B73A36E6026DFCA