Signatures for RabbitMQ

https://www.rabbitmq.com/signatures.html

Signatures
This page describes the signing process we use when building RabbitMQ release packages, and how to verify the signatures on packages you download.

When we build package archive files, both binary and source, we digitally sign them using GnuPG and our release signing key.

Importing the signing key
First, you need to import our GPG key. You can do that using the SKS Keyservers pool:

gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys 0x6B73A36E6026DFCA
or you can download the key directly from Bintray:

wget https://dl.bintray.com/rabbitmq/Keys/rabbitmq-release-signing-key.asc
gpg --import rabbitmq-release-signing-key.asc
or download the key from rabbitmq.com:

wget https://www.rabbitmq.com/rabbitmq-release-signing-key.asc
gpg --import rabbitmq-release-signing-key.asc
For installation via Debian (apt) repositories, use apt-key:

apt-key adv --keyserver hkps.pool.sks-keyservers.net --recv-keys 0x6B73A36E6026DFCA
Checking signatures
Now you should be able to check signatures for our packages. The appropriate command for checking a detached signature is

gpg --verify filename.asc filename
Here’s an example session, after having retrieved a RabbitMQ package and its associated detached signature from the download area:

gpg --verify rabbitmq-server_3.6.2-1_all.deb.asc rabbitmq-server_3.6.2-1_all.deb
gpg: Signature made Thu 12 May 2016 11:18:49 AM BST
gpg: using RSA key 0xEDF4AE3B59B046FA
gpg: using subkey 0xEDF4AE3B59B046FA instead of primary key 0x6B73A36E6026DFCA
gpg: using PGP trust model
gpg: Good signature from "RabbitMQ Signing Key [email protected]" [full]
Primary key fingerprint: 4E30 C634 2FB4 AF5C 6334 2330 79A1 D640 D80A 61F0
Subkey fingerprint: 5EC4 26E8 A6F3 523D D924 8FC8 EDF4 AE3B 59B0 46FA
gpg: binary signature, digest algorithm SHA512
If the signature is invalid, you will see a “BAD signature” message, and you should not use the package.

If the signature is valid, you should expect a “Good signature” message; if you’ve not signed our key, you will see a “Good signature” message along with a warning about our key being untrusted.
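
For scripted verification, the following is an added example, not part of the original RabbitMQ page: it reads GnuPG's machine-readable --status-fd output and accepts a signature only when the VALIDSIG line names the primary key fingerprint printed in the example session above, since gpg reports "Good signature" for any key present in the keyring. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: fingerprint-pinned verification for scripts.
# Primary key fingerprint as printed in the example session (spaces removed).
RABBITMQ_FPR=4E30C6342FB4AF5C6334233079A1D640D80A61F0

# check_status PINNED_FPR
# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line
# carries the pinned primary-key fingerprint (field 12) and no status line
# reports a bad, unverifiable, expired or revoked signature or key.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && length(want) == 40 && toupper($12) == toupper(want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_pinned filename.asc filename
# Status lines go to stdout (fd 1); gpg's human-readable output is discarded.
verify_pinned() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$RABBITMQ_FPR"
}

# Constructed sample status output (not captured from a real run):
# a signature by the subkey from the example session, certified by the pinned key.
SAMPLE_GOOD='[GNUPG:] GOODSIG EDF4AE3B59B046FA RabbitMQ Signing Key
[GNUPG:] VALIDSIG 5EC426E8A6F3523DD9248FC8EDF4AE3B59B046FA 2016-05-12 1463048329 0 4 0 1 10 00 4E30C6342FB4AF5C6334233079A1D640D80A61F0'

# Constructed: a cryptographically good signature made by an unrelated key
# (placeholder fingerprint). gpg would print "Good signature" for this too.
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Other Key
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2016-05-12 1463048329 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
```

In a script, verify_pinned rabbitmq-server_3.6.2-1_all.deb.asc rabbitmq-server_3.6.2-1_all.deb returns 0 only for a signature that chains to the pinned primary key.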

If you trust our key, you can avoid the warning output by GnuPG by signing it using your own key (to create your private key run gpg --gen-key):

gpg --sign-key 0x6B73A36E6026DFCA

Reposted from blog.csdn.net/qwfys200/article/details/82899945