Verify a source tarball or gem
You can manually verify the signature for Puppet source tarballs or Ruby gems.
- Import the public key:
gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-key 4528B6CD9E61EF26
If this is your first time running the gpg tool, it might fail to import the key after creating its configuration file and keyring. Run the command a second time to import the key into the newly created keyring. The gpg tool reports the import:
gpg: /home/username/.gnupg/trustdb.gpg: trustdb created
gpg: key 4528B6CD9E61EF26: public key "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
- Verify the fingerprint:
gpg --list-key --fingerprint 4528B6CD9E61EF26
The fingerprint of the Puppet release signing key is:
D681 1ED3 ADEE B844 1AF5 AA8F 4528 B6CD 9E61 EF26
Ensure the fingerprint listed matches this value exactly. The key ID used in the import command (4528B6CD9E61EF26) is only the last 16 hex digits of this fingerprint, and the keyserver lookup itself is not authenticated, so this comparison is the step that ties the key in your keyring to Puppet. If the fingerprint does not match, delete the key and do not use it to verify anything.
- Download the tarball or gem and its corresponding .asc file from https://downloads.puppet.com/puppet/.
- Verify the tarball or gem, replacing <VERSION> with the Puppet version number, and <FILE TYPE> with tar.gz for a tarball or gem for a Ruby gem:
gpg --verify puppet-<VERSION>.<FILE TYPE>.asc puppet-<VERSION>.<FILE TYPE>
The output confirms that the signature matches:
gpg: Signature made Mon 09 Nov 2020 12:19:14 PM PST using RSA key ID 9E61EF26
gpg: Good signature from "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>"
If you haven't set up a trust path to the key, you also receive a warning that the key is not certified with a trusted signature. If you verified the fingerprint of the key in the earlier step, GPG has confirmed that the file was signed by that key and has not been modified since; the warning only means that GPG cannot establish, from your keyring's trust settings, that the key belongs to Puppet. A "BAD signature" result, or a "Good signature" from any key other than the one whose fingerprint you checked, means the file must not be used.
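The same procedure as a script, added here as an example and not taken from the Puppet documentation. Instead of reading the human-readable "Good signature" line, it checks gpg's machine-readable status output (--status-fd) for GOODSIG and VALIDSIG and requires the signing key's fingerprint (or its primary key's fingerprint) to equal the fingerprint pinned from the page; an untrusted-key warning is then irrelevant, because the fingerprint comparison replaces the web-of-trust check. The function names (key_fingerprint_matches, verify_artifact, the demo helpers), the throwaway ed25519 key that stands in for the Puppet release key, and the sample "tarball" are all constructed for the example; gpg 2.1 or later is assumed.

```sh
#!/bin/sh
# Added example, not Puppet's code. Assumes gpg 2.1+ (--status-fd, --with-colons,
# --quick-generate-key). Real use: import 4528B6CD9E61EF26 as the page describes,
# then: verify_artifact puppet-<VERSION>.tar.gz puppet-<VERSION>.tar.gz.asc "$PUPPET_RELEASE_FPR"

# Fingerprint of the Puppet release key, copied from the documentation page.
PUPPET_RELEASE_FPR='D681 1ED3 ADEE B844 1AF5 AA8F 4528 B6CD 9E61 EF26'

# Normalize a fingerprint: strip spaces, uppercase hex.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Step 2 of the page: does the key with ID $1 in the current keyring have fingerprint $2?
key_fingerprint_matches() {
    actual=$(gpg --batch --with-colons --fingerprint "$1" 2>/dev/null |
             awk -F: '$1=="fpr"{print $10; exit}')
    [ -n "$actual" ] && [ "$actual" = "$(norm_fpr "$2")" ]
}

# Step 4 of the page, made strict: $1 = artifact, $2 = detached .asc, $3 = pinned fingerprint.
# Returns 0 only for a GOODSIG whose VALIDSIG fingerprint (signing key, field 3, or
# primary key, last field) equals the pinned value. BADSIG, a missing key, or a good
# signature from some other key all return 1.
verify_artifact() {
    expected=$(norm_fpr "$3")
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | awk -v want="$expected" '
        $1=="[GNUPG:]" && $2=="VALIDSIG" && ($3==want || $NF==want) { ok=1 }
        END { if (ok) exit 0; exit 1 }'
}

# --- Demo scaffolding (constructed): a throwaway keyring with a locally generated key
# that plays the role of the Puppet release key, so the script runs offline.
setup_demo_keyring() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
    echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Key <release@example.invalid>' ed25519 sign never \
        >/dev/null 2>&1
    DEMO_FPR=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
    DEMO_KEYID=$(printf '%s' "$DEMO_FPR" | cut -c25-40)   # long key ID = last 16 hex digits
}

# Produce the detached, ASCII-armored signature $1.asc, as the release process would.
sign_demo_artifact() {
    gpg --batch --pinentry-mode loopback --passphrase '' --yes \
        --armor --detach-sign --output "$1.asc" "$1" 2>/dev/null
}

run_demo() {
    setup_demo_keyring
    f="$GNUPGHOME/puppet-7.0.0.tar.gz"          # constructed stand-in, not a real tarball
    printf 'constructed tarball bytes\n' > "$f"
    sign_demo_artifact "$f"
    key_fingerprint_matches "$DEMO_KEYID" "$DEMO_FPR" && echo "fingerprint check: ok"
    verify_artifact "$f" "$f.asc" "$DEMO_FPR" && echo "signature check: ok"
    verify_artifact "$f" "$f.asc" "$PUPPET_RELEASE_FPR" || echo "other key pinned: rejected"
    printf 'x' >> "$f"                            # tamper with the artifact
    verify_artifact "$f" "$f.asc" "$DEMO_FPR" || echo "tampered artifact: rejected"
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
}

if command -v gpg >/dev/null 2>&1; then run_demo; fi
```

In production the pinned fingerprint should come from a source independent of the keyserver (this page, a vendored file, or a value already in your configuration management), and the verification should run in a dedicated keyring so that unrelated keys cannot satisfy the check.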