Manually verify packages

Puppet signs most of its packages, Ruby gems, and release tarballs with GNU Privacy Guard (GPG). This signature proves that the packages originate from Puppet and have not been compromised. Security-conscious users can use GPG to verify package signatures.

Tip:
Certain operating systems and installation methods automatically verify package signatures. In these cases, you don’t need to do anything to verify the package signature.
  • If you install from the Puppet Yum and Apt repositories, the release package that enables the repository also installs our release signing key. The Yum and Apt tools automatically verify the integrity of packages as you install them.

  • If you install a Windows agent using an .msi package, the Windows installer automatically verifies the signature before installing the package.


Verify a source tarball or gem

You can manually verify the signature for Puppet source tarballs or Ruby gems.

  1. Import the public key: gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-key 4528B6CD9E61EF26
    Tip: If this is your first time running the gpg tool, it might fail to import the key after creating its configuration file and keyring. You can run the command a second time to import the key into your newly created keyring.
    The gpg tool imports the key:
    gpg: /home/username/.gnupg/trustdb.gpg: trustdb created
    gpg: key 4528B6CD9E61EF26: public key "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
  2. Verify the fingerprint: gpg --list-key --fingerprint 4528B6CD9E61EF26

    The fingerprint of the Puppet release signing key is D681 1ED3 ADEE B844 1AF5 AA8F 4528 B6CD 9E61 EF26. Ensure the fingerprint listed matches this value.

  3. Download the tarball or gem and its corresponding .asc file from https://downloads.puppet.com/puppet/.
  4. Verify the tarball or gem, replacing <VERSION> with the Puppet version number, and <FILE TYPE> with tar.gz for a tarball or gem for a Ruby gem: gpg --verify puppet-<VERSION>.<FILE TYPE>.asc puppet-<VERSION>.<FILE TYPE>
    The output confirms that the signature matches:
    gpg: Signature made Mon 09 Nov 2020 12:19:14 PM PST using RSA key ID 9E61EF26
    gpg: Good signature from "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>"
    Tip: If you haven't set up a trust path to the key, you receive a warning that the key is not certified. If you’ve verified the fingerprint of the key, GPG has verified the archive’s integrity; the warning simply means that GPG can’t automatically prove the key’s ownership.

Verify an RPM package

RPM packages include an embedded signature, which you can verify after importing the Puppet public key.

  1. Import the public key: gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-key 4528B6CD9E61EF26
    Tip: If this is your first time running the gpg tool, it might fail to import the key after creating its configuration file and keyring. You can run the command a second time to import the key into your newly created keyring.
    The gpg tool imports the key:
    gpg: /home/username/.gnupg/trustdb.gpg: trustdb created
    gpg: key 4528B6CD9E61EF26: public key "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
  2. Verify the fingerprint: gpg --list-key --fingerprint 4528B6CD9E61EF26

    The fingerprint of the Puppet release signing key is D681 1ED3 ADEE B844 1AF5 AA8F 4528 B6CD 9E61 EF26. Ensure the fingerprint listed matches this value.

  3. Retrieve the Puppet public key and place it in a file on your node.
  4. Use the RPM tool to import the public key, replacing <PUBLIC KEY FILE> with the path to the file containing the public key: sudo rpm --import <PUBLIC KEY FILE>

    The RPM tool doesn’t output anything if the command is successful.

  5. Use the RPM tool to check the signature of a downloaded RPM package: sudo rpm -vK <RPM_FILE_NAME>
    The embedded signature is verified and displays OK:
     puppet-agent-1.5.1-1.el6.x86_64.rpm:
         Header V4 RSA/SHA512 Signature, key ID EF8D349F: OK
         Header SHA1 digest: OK (95b492a1fff452d029aaeb59598f1c78dbfee0c5)
         V4 RSA/SHA512 Signature, key ID EF8D349F: OK
         MD5 digest: OK (4878909ccdd0af24fa9909790dd63a12)

Verify a macOS puppet-agent package

puppet-agent packages for macOS are signed with a developer ID and certificate. You can verify the package signature using the pkgutil tool or the installer.

Use one of these methods to verify the package signature:
  • Download and mount the puppet-agent disk image, and then use the pkgutil tool to check the package's signature:
    /usr/bin/hdiutil attach puppet-agent-<AGENT-VERSION>-1.osx10.15.dmg
    ...
    pkgutil --check-signature /Volumes/puppet-agent-<AGENT-VERSION>-1.osx10.15/puppet-agent-<AGENT-VERSION>-1-installer.pkg
    The tool confirms the signature and outputs fingerprints for each certificate in the chain:
    Package "puppet-agent-<AGENT-VERSION>-1-installer.pkg":
       Status: signed by a developer certificate issued by Apple for distribution
       Certificate Chain:
        1. Developer ID Installer: PUPPET LABS, INC. (VKGLGN2B6Y)
           SHA256 Fingerprint:
               F9 6D CA EF 1B D8 FF 30 1D 25 67 54 90 CF 7F C3 BF 39 91 50 A6 02
               65 FA B2 19 4B 1E 2A B6 D1 9E
           ------------------------------------------------------------------------
        2. Developer ID Certification Authority
           SHA256 Fingerprint:
               7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
               F2 9C 88 CF B0 B1 BA 63 58 7F
           ------------------------------------------------------------------------
        3. Apple Root CA
           SHA256 Fingerprint:
               B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
               68 C5 BE 91 B5 A1 10 01 F0 24
  • When you install the package, click the lock icon in the top right corner of the installer.

    The installer displays details about the package's certificate.