Signatures

Intro

This guide covers RabbitMQ release packages signing and how to verify the signatures on downloaded release artifacts.

Release signing allows users to verify that the artifacts they have downloaded were published by a trusted party (such as a team or package distribution service). This can be done using GPG command line tools. Package management tools such as apt and yum also verify repository signatures.

Signing Keys

RabbitMQ release artifacts, both binary and source, are signed using GnuPG and our release signing key.

Services that distribute packages can do signing on behalf of the publisher. Package Cloud is one such service used by RabbitMQ. Users who provision packages from Package Cloud must import the Package Cloud-provided signing keys instead of those used by the RabbitMQ team.

Importing Signing Keys

With GPG

Before signatures can be verified, the RabbitMQ signing key must be downloaded. This can be done using the SKS keyserver pool:

gpg --keyserver "hkps.pool.sks-keyservers.net" --recv-keys "0x6B73A36E6026DFCA"

Alternatively, the key can be downloaded directly from GitHub, Bintray or rabbitmq.com:

curl -L https://github.com/rabbitmq/signing-keys/releases/download/2.0/rabbitmq-release-signing-key.asc --output rabbitmq-release-signing-key.asc
gpg --import rabbitmq-release-signing-key.asc

With apt

On Debian and Ubuntu systems, assuming that apt repositories are used for installation, apt-key should be used to import the keys:

apt-key adv --keyserver hkps.pool.sks-keyservers.net --recv-keys 0x6B73A36E6026DFCA

Verifying Signatures

To check the signature of a package, download the RabbitMQ signing key and the package's signature file. Signature files are named after their artifact with an .asc extension appended, e.g. the signature file of rabbitmq-server-generic-unix-3.7.8.tar.xz would be rabbitmq-server-generic-unix-3.7.8.tar.xz.asc. Then use gpg --verify:

gpg --verify [filename].asc [filename]

Here's an example session, after having retrieved a RabbitMQ source archive and its associated detached signature from the download area:

gpg --verify rabbitmq-server_3.7.8-1_all.deb.asc rabbitmq-server_3.7.8-1_all.deb
gpg: Signature made Thu Sep 20 16:32:33 2018 BST
gpg:                using RSA key 6B73A36E6026DFCA
gpg: using subkey 0xEDF4AE3B59B046FA instead of primary key 0x6B73A36E6026DFCA
gpg: using PGP trust model
gpg: Good signature from "RabbitMQ Signing Key <[email protected]>" [full]
Primary key fingerprint: 4E30 C634 2FB4 AF5C 6334  2330 79A1 D640 D80A 61F0
     Subkey fingerprint: 5EC4 26E8 A6F3 523D D924  8FC8 EDF4 AE3B 59B0 46FA
gpg: binary signature, digest algorithm SHA512

If the signature is invalid, a "BAD signature" message will be emitted. If that's the case, the origin of the package, the signature file and the signing key should be carefully verified. Packages that fail signature verification must not be used.

If the signature is valid, you should expect a "Good signature" message; if you've not signed our key, you will see a "Good signature" message along with a warning about our key being untrusted.

If you trust the RabbitMQ signing key, you can avoid the warning output by GnuPG by signing it with your own key (to create your private key, run gpg --gen-key):

gpg --sign-key 0x6B73A36E6026DFCA
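As an added example that is not part of this guide, the script below wraps the gpg --verify step above so that a package is accepted only when gpg's machine-readable status reports a valid signature whose primary key fingerprint is the one printed in the session above; relying on the words "Good signature" alone would also accept any other key in your keyring. The status lines it is checked against offline are constructed.

```shell
#!/bin/sh
# Added example, not from the RabbitMQ docs: accept an artifact only when gpg
# reports a VALIDSIG whose primary key fingerprint matches the RabbitMQ primary
# key fingerprint shown in the guide's sample session.
RABBITMQ_FPR="4E30C6342FB4AF5C6334233079A1D640D80A61F0"

# check_status STATUS_TEXT EXPECTED_PRIMARY_FPR
# STATUS_TEXT is what "gpg --status-fd 1 --verify" prints. Returns 0 only for a
# valid signature made by the expected primary key or one of its subkeys.
check_status() {
  status="$1"; expected="$2"
  if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
    echo "signature rejected by gpg; do not use this package" >&2
    return 1
  fi
  # On a VALIDSIG line $3 is the signing (sub)key fingerprint, $12 the primary key's
  primary=$(printf '%s\n' "$status" \
    | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3; print fpr; exit }')
  if [ -z "$primary" ]; then
    echo "no VALIDSIG line: signature was not verified" >&2
    return 1
  fi
  if [ "$primary" != "$expected" ]; then
    echo "signed by unexpected key $primary (expected $expected)" >&2
    return 1
  fi
  return 0
}

# verify_artifact FILE: verifies FILE against its detached signature FILE.asc,
# as the guide does, but decides on the status lines, not the human-readable text.
verify_artifact() {
  out=$(gpg --status-fd 1 --batch --verify "$1.asc" "$1") || true
  check_status "$out" "$RABBITMQ_FPR"
}

# Constructed status output for offline checks (fingerprints are those printed
# in the guide's sample session; dates, timestamps and the other key are made up).
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EDF4AE3B59B046FA RabbitMQ Signing Key
[GNUPG:] VALIDSIG 5EC426E8A6F3523DD9248FC8EDF4AE3B59B046FA 2018-09-20 1537457553 0 4 0 1 10 00 4E30C6342FB4AF5C6334233079A1D640D80A61F0
[GNUPG:] TRUST_FULLY 0 pgp'
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG EDF4AE3B59B046FA RabbitMQ Signing Key'
OTHER_KEY_STATUS='[GNUPG:] GOODSIG 0123456789ABCDEF01 Someone Else
[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2018-09-20 1537457553 0 4 0 1 10 00 ABCDEF0123456789ABCDEF0123456789ABCDEF01'

if [ -n "${1:-}" ]; then verify_artifact "$1"; fi
```

Run it as `sh verify.sh rabbitmq-server_3.7.8-1_all.deb` with the .asc file alongside; a non-zero exit means the package must not be used.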

Package Cloud

Package Cloud is a hosted package distribution service that uses its own signing keys to sign the artifacts uploaded to it. Those keys must then be imported with GPG, apt-key or similar tools. Package Cloud provides repository setup scripts that include the signing key import.

As of late 2018, Package Cloud is undergoing a signing key migration. Instead of relying on a "master key", projects will migrate to repository-specific signing keys. Until the migration is completed, both the old and the new key must be imported for forward compatibility:

# import the new PackageCloud key that will be used starting December 1st, 2018 (GMT)
# (curl's -O takes no argument, so --output is used to name the downloaded file)
curl -L https://packagecloud.io/rabbitmq/rabbitmq-server/gpgkey \
  --output packagecloud-rabbitmq-key.asc -s
gpg --import packagecloud-rabbitmq-key.asc

# import the old PackageCloud key that will be discontinued on December 1st, 2018 (GMT)
curl -L https://packagecloud.io/gpg.key \
  --output packagecloud-legacy-key.asc -s
gpg --import packagecloud-legacy-key.asc

After importing both keys, follow the Package Cloud repository setup instructions.

Getting Help and Providing Feedback

If you have questions about the contents of this guide or any other topic related to RabbitMQ, don't hesitate to ask them on the RabbitMQ mailing list.

Help Us Improve the Docs <3

If you'd like to contribute an improvement to the site, its source is available on GitHub. Simply fork the repository and submit a pull request. Thank you!