Verify the installation package
This task is only required if your organization requires you to verify authenticity before installing packages. These steps explain how to use GnuPG (GPG) to verify the PE installation tarball.
Before you begin: You must have GnuPG (GPG) installed to be able to sign for the release key. GPG is an open source program you can use to safely encrypt and sign digital communications. You can download GPG from the GnuPG website or use your package management system to install it by running something like:
yum install gnupg
- Download the tarball appropriate to your operating system and architecture. To download packages from the command line, run one of the following commands, using the URL for the tarball you want to download:
wget --content-disposition "<URL>"
curl -JLO "<URL>"
- To import the Puppet public key, run:
uri='https://downloads.puppet.com/puppet-gpg-signing-key-20250406.pub'
curl "$uri" | gpg --import
For general information about forming curl commands, go to Using example commands.
- To print the key fingerprint, run:
gpg --fingerprint 0x4528B6CD9E61EF26
This command returns the primary key fingerprint. For example:
D681 1ED3 ADEE B844 1AF5 AA8F 4528 B6CD 9E61 EF26
- Download the GPG SIGNATURE .asc file corresponding to your PE tarball. You can find links to these files on the PE Download page.
- To verify the installation package release signature, run:
gpg --verify puppet-enterprise-<VERSION>-<PLATFORM>.tar.gz.asc
Results
The gpg --verify command returns something similar to:
gpg: Signature made <DATE_AND_TIME>
gpg: using RSA key <KEY_ID>
gpg: Good signature from "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>"
If you receive a warning that a valid key path couldn't be found, this means you don't have a trusted path to one of the signatures on the release key.
If you receive a warning that the key is not certified with a trusted signature, this means you haven't told GPG to trust the imported key. Refer to the GPG documentation for more information.
What to do next
If you received the Good signature message, you can proceed to unpack the installation tarball and complete the installation, as outlined in Install PE from tarball.
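The verification steps above can also be scripted. The following is an added example, not part of Puppet's documentation or tooling: it reads gpg's machine-readable --status-fd output and accepts the tarball only when the signature is good and the primary key fingerprint matches the one printed in the fingerprint step. The function names check_status and verify_tarball and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Puppet's tooling): pin the release key fingerprint and
# check gpg's machine-readable status lines instead of its human-readable text.

# Primary key fingerprint shown in the fingerprint step, spaces removed.
PUPPET_FPR="D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26"

# check_status EXPECTED_FPR   (reads `gpg --status-fd 1` output on stdin)
# Returns 0 only if a GOODSIG line is present, a VALIDSIG line names
# EXPECTED_FPR as the primary key, and no failure status appears.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # VALIDSIG: the last field is the primary key fingerprint.
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { pinned = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# verify_tarball TARBALL   (hypothetical wrapper; expects TARBALL.asc beside it)
# Passing both the signature and the tarball makes explicit which file is checked.
verify_tarball() {
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
        check_status "$PUPPET_FPR"
}

# Constructed sample of status output for a good signature (dates are made up).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4528B6CD9E61EF26 Puppet, Inc. Release Key <release@puppet.com>
[GNUPG:] VALIDSIG D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26 2025-01-01 1735689600 0 4 0 1 10 00 D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26'

printf '%s\n' "$SAMPLE_STATUS" | check_status "$PUPPET_FPR" &&
    echo "constructed sample: good signature from the pinned key"
```

Run verify_tarball puppet-enterprise-<VERSION>-<PLATFORM>.tar.gz after importing the key; a non-zero exit status means the tarball should not be unpacked.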