Pivotal Knowledge Base

How to Check CF CLI Integrity

Environment

  • CF CLI all versions
  • Windows and Linux Operating Systems

Purpose

The purpose of this article is to show how to check the CF CLI package integrity.

Procedure

Instructions for Windows

The CF CLI team signs the binaries and the installer, IIRC with a CloudFoundry.org certificate. If the file has not been modified, the Digital Signature tab is shown when you open the file's properties. If the file is not correct, the tab is not shown.

Instructions for Linux

The public key can be downloaded from https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key.

rpm

The RPMs are signed with the private key. To check their integrity and authenticity, import the public key and verify the package as follows.

$ sudo rpm --import cli.cloudfoundry.org.key
$ rpm -K cf-cli-installer_6.26.0_x86-64.rpm
cf-cli-installer_6.26.0_x86-64.rpm: rsa sha1 (md5) pgp md5 OK

Where cli.cloudfoundry.org.key is the key downloaded from the provided link.
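
An added example, not part of the original article or the CF CLI project: a shell check for scripted use of `rpm -K` that accepts the result line only when a signature check is among the passed checks, because an unsigned package can still report its digests as OK. The function names are hypothetical, every sample line except the first is constructed, and the `digests signatures OK` format is an assumption about newer rpm versions.

```shell
#!/bin/sh
# Added example: accept an `rpm -K` result line only if a signature was verified.

rpmk_signature_verified() {
    # Drop the "<file>: " prefix; the rest lists the checks and the verdict.
    result=${1#*: }
    case "$result" in
        *"NOT OK"*) return 1 ;;   # bad digest, bad signature or missing key
        *" OK")     ;;            # overall verdict is OK, inspect the checks
        *)          return 1 ;;   # unrecognised output: fail closed
    esac
    # Passed checks are printed in lower case. Digest names alone (sha1, md5,
    # digests) prove integrity only; require a signature check among them.
    for tok in $result; do
        case "$tok" in
            rsa|dsa|pgp|gpg|signatures) return 0 ;;
        esac
    done
    return 1                      # digests only: the package is unsigned
}

# Run rpm on a real file (needs rpm and the imported key) and apply the check.
verify_rpm() {
    out=$(LC_ALL=C rpm -K "$1") || return 1
    rpmk_signature_verified "$out"
}

# Demo on constructed sample lines; only the first one appears in the article.
while IFS= read -r sample; do
    if rpmk_signature_verified "$sample"; then
        verdict="ACCEPT"
    else
        verdict="REJECT"
    fi
    printf '%s  %s\n' "$verdict" "$sample"
done <<'EOF'
cf-cli-installer_6.26.0_x86-64.rpm: rsa sha1 (md5) pgp md5 OK
cf-cli-installer_6.26.0_x86-64.rpm: sha1 md5 OK
cf-cli-installer_6.26.0_x86-64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#00000000)
cf-cli-installer_6.26.0_x86-64.rpm: digests signatures OK
cf-cli-installer_6.26.0_x86-64.rpm: digests OK
EOF
```
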

yum

For yum packages, it is not common to sign the binaries. Instead, the repo file (containing the fingerprints) is itself signed.

apt-get

apt-get validates that signature using the key above (which you can validate yourself; it is signed in turn by a public CA).

deb

deb packages are not signed, so there is no way to check their authenticity.
