Pivotal Knowledge Base


How to Check CF CLI Integrity


  • CF CLI all versions
  • Windows and Linux Operating Systems


The purpose of this article is to show how to check the CF CLI package integrity.


Instructions for Windows

The CF CLI team signs the binaries and the installer, IIRC with a CloudFoundry.org certificate. If the file has not been modified, you can see the Digital Signatures tab when you open the file's properties. If the files are not correct, you will not see it.

Instructions for Linux

The public key can be downloaded from https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key.


The RPMs are signed with the private key. To check their integrity and authenticity, import the public key and run rpm -K against the package, as follows.

$ sudo rpm --import cli.cloudfoundry.org.key
$ rpm -K  cf-cli-installer_6.26.0_x86-64.rpm
cf-cli-installer_6.26.0_x86-64.rpm: rsa sha1 (md5) pgp md5 OK

Where cli.cloudfoundry.org.key is the key downloaded from the provided link.
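
The trailing "OK" in the rpm -K line is not enough on its own: an unsigned package whose digests match also ends in OK, so what matters is a signature token such as rsa or pgp before it. The following script is an added example, not part of the original article or the CF CLI project; the function names are hypothetical, and every sample line except the article's own is constructed, modelled on how rpm reports unsigned packages, missing keys, and the newer "digests signatures" format.

```shell
#!/bin/sh
# Classify one line of `rpm -K` output: signed-ok, digest-only or failed.
# (Hypothetical helper, not part of rpm or the CF CLI.)
classify_rpm_checksig() {
    result=${1#*: }                          # drop the "<file>: " prefix
    case $result in
        *"NOT OK"*) echo failed; return 0 ;; # bad digest, bad signature or missing key
        *OK) ;;                              # keep going: which checks were OK?
        *) echo failed; return 0 ;;          # anything that does not end in OK
    esac
    # A signature token appears only when a signature was actually verified;
    # digest names alone (sha1, md5, digests) mean the package was not signed.
    case " $result " in
        *" rsa "*|*" dsa "*|*" pgp "*|*" gpg "*|*" signatures "*) echo signed-ok ;;
        *) echo digest-only ;;
    esac
}

# Succeed only when rpm reports a verified signature for the package file.
verify_rpm_signature() {
    out=$(LC_ALL=C rpm -K "$1" 2>&1) || true
    [ "$(classify_rpm_checksig "$out")" = signed-ok ]
}

# Constructed sample lines; the first is the one shown in the article.
demo() {
    while IFS= read -r line; do
        printf '%-12s %s\n' "$(classify_rpm_checksig "$line")" "$line"
    done <<'EOF'
cf-cli-installer_6.26.0_x86-64.rpm: rsa sha1 (md5) pgp md5 OK
example-unsigned.rpm: sha1 md5 OK
example-nokey.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#00000000)
example-new.rpm: digests signatures OK
example-new-bad.rpm: digests SIGNATURES NOT OK
EOF
}
demo
```

In an install script, call verify_rpm_signature on the downloaded file after rpm --import and stop if it returns non-zero.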


For yum packages, it is not common to sign the binaries. Instead, the repo file (containing the fingerprints) is itself signed.


apt-get validates that signature using the key above (which you can validate yourself; it is signed in turn by a public CA).


deb packages are not signed, so there is no way to check their authenticity.


