This guide covers RabbitMQ release packages signing and how to verify the signatures on downloaded release artifacts.
Release signing allows users to verify that the artifacts they have downloaded were published by a trusted party (such as a team or a package distribution service). This can be done using the GPG command line tools. Package management tools such as apt and yum also verify repository signatures.
Services that distribute packages can do signing on behalf of the publisher. Package Cloud is one such service used by RabbitMQ. Users who provision packages from Package Cloud must import the Package Cloud-provided signing keys instead of those used by the RabbitMQ team.
Before signatures can be verified, the RabbitMQ signing key must be downloaded. The key can be obtained directly or from keys.openpgp.org. The direct download method is recommended because most key servers are prone to overload, abuse and attacks. Whichever method is used, compare the fingerprint of the imported key with the one published by the RabbitMQ team, 0A9AF2115F4687BD29803A206B73A36E6026DFCA, before relying on it: a "Good signature" from the wrong key proves nothing.

```bash
curl -L https://github.com/rabbitmq/signing-keys/releases/download/2.0/rabbitmq-release-signing-key.asc --output rabbitmq-release-signing-key.asc
gpg --import rabbitmq-release-signing-key.asc
```
Alternatively, the key can be imported from keys.openpgp.org or from another key server:

```bash
gpg --keyserver "hkps://keys.openpgp.org" --recv-keys "0x0A9AF2115F4687BD29803A206B73A36E6026DFCA"
gpg --keyserver "keyserver.ubuntu.com" --recv-keys "0x0A9AF2115F4687BD29803A206B73A36E6026DFCA"
gpg --keyserver "pgp.surfnet.nl" --recv-keys "0x0A9AF2115F4687BD29803A206B73A36E6026DFCA"
gpg --keyserver "pgp.mit.edu" --recv-keys "0x0A9AF2115F4687BD29803A206B73A36E6026DFCA"
```
On Debian and Ubuntu systems, assuming that apt repositories are used for installation, trusted repository signing keys must be added to the system before any packages can be installed.
This can be done using key servers or (for the RabbitMQ main signing key) a direct download.
```bash
curl -1sLf https://github.com/rabbitmq/signing-keys/releases/download/2.0/rabbitmq-release-signing-key.asc | sudo gpg --dearmor > /usr/share/keyrings/com.rabbitmq.team.gpg
```
The same main RabbitMQ signing key can be imported from keys.openpgp.org:

```bash
curl -1sLf "https://keys.openpgp.org/vks/v1/by-fingerprint/0A9AF2115F4687BD29803A206B73A36E6026DFCA" | sudo gpg --dearmor > /usr/share/keyrings/com.rabbitmq.team.gpg
```

The Debian and Ubuntu repositories involve two more signing keys, one for the Launchpad PPA that provides modern Erlang releases and one for the PackageCloud repository. Each key is dearmored into its own keyring file under /usr/share/keyrings so that it can be referenced from the matching repository definition:

```bash
## Team RabbitMQ's main signing key
curl -1sLf "https://keys.openpgp.org/vks/v1/by-fingerprint/0A9AF2115F4687BD29803A206B73A36E6026DFCA" | sudo gpg --dearmor > /usr/share/keyrings/com.rabbitmq.team.gpg
## Launchpad PPA that provides modern Erlang releases
curl -1sLf "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xf77f1eda57ebb1cc" | sudo gpg --dearmor > /usr/share/keyrings/net.launchpad.ppa.rabbitmq.erlang.gpg
## PackageCloud RabbitMQ repository
curl -1sLf "https://packagecloud.io/rabbitmq/rabbitmq-server/gpgkey" | sudo gpg --dearmor > /usr/share/keyrings/io.packagecloud.rabbitmq.gpg
```
On RPM-based systems (RHEL, Fedora, CentOS), assuming that yum repositories are used for installation, rpm --import should be used to import the key.

```bash
rpm --import https://github.com/rabbitmq/signing-keys/releases/download/2.0/rabbitmq-release-signing-key.asc
```
To check the signature of a package, download the RabbitMQ signing key and the package's signature file. Signature files use the .asc extension appended to the artifact filename, e.g. the signature file of rabbitmq-server-generic-unix-3.9.3.tar.xz would be rabbitmq-server-generic-unix-3.9.3.tar.xz.asc. The signature is then verified with:

```bash
gpg --verify [filename].asc [filename]
```
Here's an example session, after having retrieved a RabbitMQ release artifact (here a Debian package) and its associated detached signature from the download area:

```
gpg --verify rabbitmq-server_3.9.3-1_all.deb.asc rabbitmq-server_3.9.3-1_all.deb
gpg: Signature made Wed Aug 11 16:20:14 2021 MSK
gpg:                using RSA key 0A9AF2115F4687BD29803A206B73A36E6026DFCA
gpg: using subkey 0xEDF4AE3B59B046FA instead of primary key 0x6B73A36E6026DFCA
gpg: using PGP trust model
gpg: Good signature from "RabbitMQ Signing Key <firstname.lastname@example.org>" [full]
Primary key fingerprint: 4E30 C634 2FB4 AF5C 6334  2330 79A1 D640 D80A 61F0
     Subkey fingerprint: 5EC4 26E8 A6F3 523D D924  8FC8 EDF4 AE3B 59B0 46FA
gpg: binary signature, digest algorithm SHA512
```
If the signature is invalid, a "BAD signature" message will be emitted. If that's the case, the origin of the package, the signature file and the signing key should be carefully verified. Packages that fail signature verification must not be used, and the check should be repeated from a freshly downloaded artifact and signature rather than retried against the same files.
If the signature is valid, you should expect a "Good signature" message; if you've not signed our key, you will see a "Good signature" message along with a warning about our key being untrusted. That warning concerns only the trust level GnuPG assigns to the key in your keyring, not the integrity of the package: a "Good signature" means the artifact was signed by the key you imported, which is why checking the key's fingerprint at import time matters.

If you trust the RabbitMQ signing key, you can avoid the warning output by GnuPG by signing it using your own key (to create your private key run

```bash
gpg --sign-key 0x0A9AF2115F4687BD29803A206B73A36E6026DFCA
```
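The following script is an added example and is not part of the RabbitMQ documentation or project code. It turns the two steps above, importing the signing key and verifying a detached .asc signature, into reusable functions with one addition a practitioner wants: the key is imported only if its fingerprint matches a value pinned in advance, and the verification decision is taken on GnuPG's machine-readable status lines rather than on the translated "Good signature" text. It assumes GnuPG 2.1 or newer. So that it runs offline, the demo at the bottom generates a throwaway key and a constructed stand-in artifact in temporary directories; the all-zero fingerprint, the key name and the file names are demo inputs only. With a real download you would pin 0A9AF2115F4687BD29803A206B73A36E6026DFCA and point the functions at rabbitmq-release-signing-key.asc and the downloaded package.

```shell
#!/bin/sh
# Added example, not RabbitMQ project code. Assumes GnuPG 2.1+ (gpg, gpgconf on PATH).
#   import_pinned_key KEYFILE EXPECTED_FPR  -> prints ok | mismatch | error
#   verify_artifact   ARTIFACT              -> prints good | bad | error (uses ARTIFACT.asc)
#   demo                                    -> offline round trip, prints "mismatch ok good bad"

# Read the primary key fingerprint from the armored file without touching the
# keyring (--import-options show-only), compare it with the pinned value and
# import only on a match. Field 10 of a "fpr" colon record is the fingerprint.
import_pinned_key() {
    keyfile=$1 expected=$2
    actual=$(gpg --batch --with-colons --import-options show-only --import "$keyfile" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }')
    if [ -z "$actual" ]; then echo error; return 2; fi
    if [ "$actual" != "$expected" ]; then echo mismatch; return 1; fi
    gpg --batch --quiet --import "$keyfile" 2>/dev/null || { echo error; return 2; }
    echo ok
}

# Verify ARTIFACT against ARTIFACT.asc. "error" covers a missing .asc, a signature
# from a key that is not in the keyring, and an unreadable file; only GOODSIG passes.
verify_artifact() {
    artifact=$1
    status=$(gpg --batch --status-fd 1 --verify "$artifact.asc" "$artifact" 2>/dev/null) || true
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '; then echo good; return 0; fi
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then echo bad; return 1; fi
    echo error; return 2
}

# Offline demo: a signer keyring produces a key and a detached signature over a
# constructed artifact; a second, empty keyring then plays the downloader.
demo() {
    work=$(mktemp -d) || return 2
    signer=$work/signer verifier=$work/verifier
    mkdir -m 700 "$signer" "$verifier"

    # throwaway signing key (demo stand-in for the RabbitMQ release key, no passphrase)
    GNUPGHOME=$signer gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Release Key <demo@example.invalid>' default default never 2>/dev/null || return 2
    fpr=$(GNUPGHOME=$signer gpg --batch --with-colons --list-keys |
        awk -F: '$1 == "fpr" { print $10; exit }')
    GNUPGHOME=$signer gpg --batch --armor --export "$fpr" >"$work/release-key.asc"

    # constructed artifact plus its detached, armored signature (the .asc next to a download)
    printf 'stand-in for a release tarball\n' >"$work/artifact.tar.xz"
    GNUPGHOME=$signer gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$work/artifact.tar.xz.asc" "$work/artifact.tar.xz"

    # downloader side: wrong pin is refused, right pin imports, then verify and tamper
    export GNUPGHOME="$verifier"
    r1=$(import_pinned_key "$work/release-key.asc" 0000000000000000000000000000000000000000 || true)
    r2=$(import_pinned_key "$work/release-key.asc" "$fpr" || true)
    r3=$(verify_artifact "$work/artifact.tar.xz" || true)
    printf 'one appended line is enough\n' >>"$work/artifact.tar.xz"
    r4=$(verify_artifact "$work/artifact.tar.xz" || true)

    GNUPGHOME=$signer gpgconf --kill gpg-agent 2>/dev/null || true
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "$r1 $r2 $r3 $r4"
}

case "${1:-}" in demo) demo ;; esac
```

Running `sh verify-demo.sh demo` prints `mismatch ok good bad`: the key is rejected under the wrong pin, accepted under the right one, the untouched artifact verifies, and the same artifact with one appended line fails with BADSIG. The functions deliberately return non-zero on mismatch and on anything other than GOODSIG, so they can sit in front of an install step under `set -e`.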
Cloudsmith.io is a hosted package distribution service that uses its own signing keys to sign the artifacts uploaded to it. The key(s) must then be added to the system.

Cloudsmith provides a repository setup script that includes signing key import. However, note that the script does not currently follow Debian best practices in terms of GPG key handling.

To import the key:

```bash
# import the Cloudsmith key
curl -1sLf https://dl.cloudsmith.io/public/rabbitmq/rabbitmq-server/gpg.9F4587F226208342.key -o cloudsmith-rabbitmq-key.asc
gpg --import cloudsmith-rabbitmq-key.asc
```
Package Cloud is a hosted package distribution service that uses its own signing keys to sign the artifacts uploaded to it. The key(s) must then be added to the system.

Package Cloud provides a repository setup script that includes signing key import. However, note that the script does not currently follow Debian best practices in terms of GPG key handling.

To import the key:

```bash
# import the PackageCloud key
curl -1sLf https://packagecloud.io/rabbitmq/rabbitmq-server/gpgkey -o packagecloud-rabbitmq-key.asc
gpg --import packagecloud-rabbitmq-key.asc
```