Validate software

To help protect IT infrastructures, you can validate software packages that you download to ensure that they are free of tampering. You can also validate digital signatures that are applied to software packages.

Validate download integrity

For SCM, software packages are made available for online distribution by using the Puppet Forge complyadm module. This module is used for installing, configuring, and managing SCM 3.0 and later. SCM is set up by using Docker images.

In an air-gapped environment, you can use a Bolt plan to access the SCM software as a secure offline bundle.

As with PE, SCM enables organizations to verify the authenticity of software on download and installation by using the GNU Privacy Guard (GPG) standard, which safely encrypts and signs digital communications. For instructions about accessing the signatures and using GPG, see Verify the installation package.