Verifying downloads (Legacy)
UPDATE 2021-11-04: We have issued new signing subkeys
The fingerprint of our keyring is E0F4 A329 FEEA 90C7 7F07 C694 87ED 1FBF D489 F615
pub rsa4096/0x87ED1FBFD489F615 2018-08-27 [SC] [expires: 2026-10-29]
Key fingerprint = E0F4 A329 FEEA 90C7 7F07 C694 87ED 1FBF D489 F615
uid [ unknown] Doppler <doppler@nettec.no>
sub nistp256/0x5AF445739CDEBA7F 2021-05-30 [S] [expires: 2024-05-29]
sub nistp256/0x6EFA34C3F686D102 2021-05-30 [E] [expires: 2024-05-29]
sub nistp384/0xBDE8B0A9869023C4 2021-10-30 [S] [expires: 2026-10-29]
sub nistp384/0x2B5B356C9E9942DF 2021-10-30 [S] [expires: 2026-10-29]
Download the CHECKSUMS.SHA256, CHECKSUMS.SHA256.sig in addition to the
onprem ova package, and place them in the same directory.
Download our signing key
Import the Doppler signing key from a keyserver of your choice, in this example we’re using the OpenPGP.org keyserver
$ curl https://keys.openpgp.org/vks/v1/by-fingerprint/E0F4A329FEEA90C77F07C69487ED1FBFD489F615 | gpg --import
gpg: key 87ED1FBFD489F615: public key "Doppler <doppler@nettec.no>" imported
gpg: Total number processed: 1
gpg: imported: 1
Alternatively you can download the key.
$ gpg --import < 87ED1FBFD489F615.asc
Verify the downloaded package
Verify the signature of the CHECKSUMS.SHA256 file. It’s important to verify that the fingerprint matches.
$ gpg --verify CHECKSUMS.SHA256.sig CHECKSUMS.SHA256
gpg: Signature made Fri 30 Aug 2019 12:55:06 PM UTC
gpg: using RSA key C7C16565E9953A36595541175A40BFD23CB76E64
gpg: issuer "doppler@nettec.no"
gpg: Good signature from "Doppler <doppler@nettec.no>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E0F4 A329 FEEA 90C7 7F07 C694 87ED 1FBF D489 F615
Subkey fingerprint: C7C1 6565 E995 3A36 5955 4117 5A40 BFD2 3CB7 6E64
Finally, verify that the checksum of the Doppler On-Prem package
$ sha256sum -c CHECKSUMS.SHA256
doppler-onprem-v19.9.10.5.p.ova: OK
All set!