Package Signing Key¶
Note
We are progressively migrating builds to a new signing key. This document has been updated to reflect the new key. See the bottom of the document for the old key.
Some of the packages and installation repositories hosted on drivers.suse.com are digitally signed with a package signing key. In order for SUSE installer to verify the authenticity and integrity of the packages or repositories the public key needs to be installed on the system.
Purpose¶
The purpose of the signing key is to enable users to validate the authenticity and integrity of the packages or repositories to be installed. The SolidDriver Signing key authenticates the following:
Package or repository was built in the official SUSE SolidDriver Program build service.
Packages are fully supported by SUSE and Partner company under the same terms of support delivered with SUSE Linux Enterprise server products.
The contents of the package has not been tampered or modified by a third party
Installation¶
SUSE recommends verifying all package signatures of all software before deploying on SUSE Linux Enterprise installations. The SUSE package installer (YaST or zypper) will do this automatically. The public key must be installed as trusted before the installer can verify packages signed with the key. If they key is not installed rpm will output the following warning when installing a package signed with this key:
warning: example.rpm: Header V3 RSA/SHA256 signature: NOKEY, key ID c2bea7e6
Also rpm --checksig will fail with the following output:
# rpm --checksig example.rpm
example.rpm: RSA sha1 (MD5) (PGP) md5 NOT OK (MISSING KEYS: PGP#c2bea7e6)
To avoid the installation warning, and to be able to verify packages signed with the SUSE SolidDriver key, Download the public key from here and install it using the following command:
# rpm --import soliddriver-pubkey-53824036-64390f02.asc
The key can also be installed directly from the drivers.suse.com server:
# rpm --import http://drivers.suse.com/keys/soliddriver-pubkey-53824036-64390f02.asc
After the key is imported, you can validate the packages by running the
rpm --checksig command. A valid signed package would give the
following:
# rpm --checksig pldp-example.rpm
pldp-example.rpm: rsa sha1 (md5) pgp md5 OK
Installing Driver Kits¶
Driver kits (driver installation repositories) hosted on drivers.suse.com may also be signed with this key When installing the driver kit on a system where this key was not previously installed, the following (or simlar) message will occur:
New repository or package signing key received:
Key ID: 4C77ECBB53824036
Key Name: SUSE SolidDriver Signing Key <soliddriver@suse.com>
Key Fingerprint: 5085584A1378FDB6BB6433A54C77ECBB53824036
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r):
In this case, the key’s fingerprint is displayed and can be used to validate the signature manually. Find the SUSE SolidDriver (PLDP) signing key fingerprint below.
Signing key fingerprint¶
pub rsa4096/53824036 2023-04-14 [SC] [expires: 2033-04-11]
Key fingerprint = 5085 584A 1378 FDB6 BB64 33A5 4C77 ECBB 5382 4036
uid SUSE SolidDriver Signing Key <soliddriver@suse.com>
Public key¶
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGQ5DwIBEADEXezUuRXzef1/13pDf217siJzVvppObBgiP1VL6/oLXhg2Bi1
muPCcXpmcsVUWdd6VwsBZX7nZfjBzky7uZsFqWsiQ8ZTPY0STnTcSXpQiAl76SF/
FAg/k+tR2SLfqqwlcRMO3A4RZ5CgVpO+1w0YKpY0LLoH24CaKH3QkVK2gOVh/nt5
D/cLFKBQenenBELpfXZC0Yb81Kzv9vEhmTOOKS1uUaAPo/ITUJb1Eoo+Qbt+kyBN
oTPrwhQs6W3c/MDG6cvnFzqs+TpFqNBQ1d7L5oD5SGM1izq44Lw67thrTFAGku2Z
8L+9pX5UhgUoGjy/uDZM4BeNfyrs70s7j7Lhx9K/wJ3WTKnp7wtAs2j6RwNkw43y
KYXPo86zykweZTbJAKqbXVFAX0yWKj+MQ7zGwCE6BJcb9QrA+qAtUFllwB4cVXmT
3/cY5SOqUJ+wa/Hrt2G8F8Ca02jBgRlbiDhWfAc1ZUD2tyvpF6PQWuCRZStw1OkX
nIheDLR6qzIMgpifX70d+lbgUfb1YNOxtcxntYTr1vlCkDn9clEKovtL3bg2wT5P
NLtU29EVYzIOenbp9RzFaq8c+I2R1GHbzlwVar5NetxXWH33iYvfDT1CULBwHHEO
92SSO5JEl0oqpKGy/PVtut3ebc+Tb3qAO+5YhCw7ui55HwZ80rVwXRC+hwARAQAB
tDNTVVNFIFNvbGlkRHJpdmVyIFNpZ25pbmcgS2V5IDxzb2xpZGRyaXZlckBzdXNl
LmNvbT6JAlQEEwEIAD4WIQRQhVhKE3j9trtkM6VMd+y7U4JANgUCZDkPAgIbAwUJ
EswDAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRBMd+y7U4JANnfUEAC02IKX
naW1wi21HjmiQBBKdbX5UCljIvpYXO7emTaOixIuyflKoIozAGgC7sHKw9l+APcX
oT36HrrqNaKQLBkFLxbflZP99IwKdlPNyc7dDVMx4YHwX1fIGlsW74TBCaMYCDWx
zXVIAjDaAdtlgqDJwO/VR9CwY+91fvIlSgNerOH3onFbwgWXVpTvgex3LnmkkfZb
My14mpUJ1sXYoWbS1R33FpQPYDPOYbYRRj54OBMBZ5nLa4PmdstgGAZGQzGa3oug
msIW21PWlxqvnJcdk9I9Ia3Dc9y+H2DdQSS+p3g2YJl6mgIMIg9O4BdN6BKw0w/I
1q6Q7J72zzsLPVJIhc9vKsl1+XvdVCzWGULSsa9fpICPT1fIKJVhF2OL2UHaPdIT
0jTajDEpsZXjXd7jXtwPuE9xQRTHmnWkJfP6bEOiL4zQD7jTzcshR0jYK5iU323A
sTVXMK8QFXfcuAOOYe9p6Xy++zbWPJvv3gsPvs7fraV/FRexsvytrRnbn+yCkaIK
HLn431D4L7ANSQdXJkJkFLF2gmh34md7oknXHkYWSPeeAqysr82S0NaTGFq8Iu53
j0HA6SlFHB6P5QCzgsUIiRroQ1HIqA2avm7py/L07tVdSXFZYqRXU6TeCIcVekuM
Sn5vcPBSzvc+vuPvZYzF1G/HzUvSNHP8BTL92Q==
=9sw7
-----END PGP PUBLIC KEY BLOCK-----
Old Key¶
Signing key fingerprint¶
pub 2048R/C2BEA7E6 2010-07-02 [expires: 2014-07-01]
Key fingerprint = D598 57D5 CA00 58DA 627C 5D77 7914 4284 C2BE A7E6
uid PLDP Signing Key
Public key¶
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (GNU/Linux)
mQENBEwt4mQBCACj+PiwTSoAXAo5bIaH5pyn3XuapCCgYFB7NFcNfS0DJiCbKCh0
835VKX52ThL85KGcJ3dKmyXiUAK/DVO9gWotUBkHo9vBhpOygyWEf2RHntSACRYc
L/ffykl0QjRm9dUX5/0aj6H9OI0lsPInSkkfX04EhmhytdK8dPHKlB1SoBGY0ERX
Y/gmfXp77dyisB1VnOeHHWnag6hynUSBsenYUoBs7TZYNeat93clLOWisH1sQnS4
BB51n6RtKy1IrA8CXds7prFdDKgN4YinGlGNVxDGcM9rC7yE+vl/WqgXYMKSz2Gq
+HrMvoGrx1xdeNhXceCNh+6CTmRzzh0W3VU7ABEBAAG0H1BMRFAgU2lnbmluZyBL
ZXkgPHBsZHBAc3VzZS5kZT6JATwEEwECACYFAkwt4mQCGwMFCQeEzgAGCwkIBwMC
BBUCCAMEFgIDAQIeAQIXgAAKCRB5FEKEwr6n5mz6B/4ucUNWl4UY+1r2cBtPy2qm
UZPPuLibkoyaI6mRyU1acqgjyMb79EFAX9SMc3EY5Pp6VeIlvPSf09EVZsnTSOH/
CcEv00h1fYHPRuZOUnvtGEWnEbBWDq1GFjUy0mz6M6xGdswpPX8PAAaDYJcjbt4w
vtv6D+xhZv8we3mIR1GME7uRExqVO9PPOcRMDyvT6uTPWmasxVCxukSWy0NqfmJx
fCvXjXPaQOEBOYu6Cg+gpMyeMvbBYHNZrmzgX8MMmL6KwhUCp9hbsNUWqB1rLJ+g
fxKqgE1uoaur/npCFaZTIBsiCPsIKp7Ne7jzrER8QNx0JLq9ZnGhXLs4PffxFdP+
=Sf/y
-----END PGP PUBLIC KEY BLOCK-----