This page describes the signing process we use when building RabbitMQ release packages, and how to verify the signatures on packages you download.
gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys 0x6B73A36E6026DFCA
or you can download the key from our website directly:
wget https://www.rabbitmq.com/rabbitmq-release-signing-key.asc
gpg --import rabbitmq-release-signing-key.asc
For Debian repos:
apt-key adv --keyserver hkps.pool.sks-keyservers.net --recv-keys 0x6B73A36E6026DFCA
Now you should be able to check signatures for our packages. The appropriate command for checking a detached signature is:
gpg --verify filename.asc filename
Here's an example session, after having retrieved a RabbitMQ package (here a .deb) and its associated detached signature from the download area:
$ gpg --verify rabbitmq-server_3.6.2-1_all.deb.asc rabbitmq-server_3.6.2-1_all.deb
gpg: Signature made Thu 12 May 2016 11:18:49 AM BST
gpg:                using RSA key 0xEDF4AE3B59B046FA
gpg: using subkey 0xEDF4AE3B59B046FA instead of primary key 0x6B73A36E6026DFCA
gpg: using PGP trust model
gpg: Good signature from "RabbitMQ Signing Key <firstname.lastname@example.org>" [full]
Primary key fingerprint: 4E30 C634 2FB4 AF5C 6334 2330 79A1 D640 D80A 61F0
     Subkey fingerprint: 5EC4 26E8 A6F3 523D D924 8FC8 EDF4 AE3B 59B0 46FA
gpg: binary signature, digest algorithm SHA512
If the signature is invalid, you will see a "BAD signature" message, and you should not use the package.
If the signature is valid, you should see a "Good signature" message; if you have not signed our key with your own, that message will be accompanied by a warning that our key is not trusted.
If you trust our key, you can silence that warning by signing our key with your own (to create your private key, run gpg --gen-key):
gpg --sign-key 0x6B73A36E6026DFCA
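The checks described on this page, as an added Python example (not RabbitMQ's own code): it reads GnuPG's machine-readable --status-fd output instead of matching the human-readable "Good signature" text, rejects BADSIG and its relatives, and accepts only when the VALIDSIG line names the expected primary key fingerprint, a stronger check than comparing the 16-hex-digit key id. The status-line layout is GnuPG's documented format; the sample status lines are constructed from the session above, and verify_package assumes gpg is installed and the key has been imported.

```python
import re
import subprocess
from typing import NamedTuple

# Primary key fingerprint as printed in the example session on this page (spaces ignored).
RABBITMQ_PRIMARY_FPR = "4E30 C634 2FB4 AF5C 6334 2330 79A1 D640 D80A 61F0"
# Any of these status keywords means the signature must not be accepted.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}

class Verdict(NamedTuple):
    accepted: bool
    reason: str
    signing_key: str  # fingerprint of the (sub)key that made the signature
    primary_key: str  # fingerprint of the primary key it belongs to
    trust: str        # TRUST_* keyword; TRUST_UNDEFINED is the "untrusted key" warning

def evaluate_status(status_output: str, pinned_primary_fpr: str) -> Verdict:
    """Decide from gpg --status-fd lines whether a package may be used."""
    good, signing, primary, trust = False, "", "", ""
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable output is ignored; only status lines count
        fields = line.split()
        keyword = fields[1]
        if keyword in REJECT_KEYWORDS:
            return Verdict(False, f"gpg reported {keyword}", signing, primary, trust)
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":  # VALIDSIG <fpr> <date> <ts> <exp> <ver> <res> <pk> <hash> <class> [<primary fpr>]
            signing = fields[2]
            primary = fields[11] if len(fields) > 11 else signing
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if not (good and primary):
        return Verdict(False, "no GOODSIG/VALIDSIG pair", signing, primary, trust)
    if primary != re.sub(r"\s+", "", pinned_primary_fpr).upper():
        return Verdict(False, "signed by a key other than the pinned one", signing, primary, trust)
    return Verdict(True, "good signature from the pinned primary key", signing, primary, trust)

def verify_package(signature_path: str, package_path: str,
                   pinned_primary_fpr: str = RABBITMQ_PRIMARY_FPR) -> Verdict:
    # Assumes gpg is on PATH and the RabbitMQ key has already been imported.
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify",
                           signature_path, package_path], capture_output=True, text=True)
    return evaluate_status(proc.stdout, pinned_primary_fpr)

# Constructed sample of the status lines gpg would emit for the session shown above.
SAMPLE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EDF4AE3B59B046FA RabbitMQ Signing Key <firstname.lastname@example.org>
[GNUPG:] VALIDSIG 5EC426E8A6F3523DD9248FC8EDF4AE3B59B046FA 2016-05-12 1463048329 0 4 0 1 10 00 4E30C6342FB4AF5C6334233079A1D640D80A61F0
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
```

A TRUST_UNDEFINED verdict is still accepted here because the pinned fingerprint, not the web of trust, is what establishes the key's identity; signing the key as shown above would change that line to TRUST_FULLY or TRUST_ULTIMATE.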