2.4.2 Signature Checking Using GnuPG

Another method of verifying the integrity and authenticity of a package is to use cryptographic signatures. This is more reliable than using MD5 checksums, but requires more work.

We sign MySQL downloadable packages with GnuPG (GNU Privacy Guard). GnuPG is an Open Source alternative to the well-known Pretty Good Privacy (PGP) by Phil Zimmermann. Most Linux distributions ship with GnuPG installed by default. Otherwise, see http://www.gnupg.org/ for more information about GnuPG and how to obtain and install it.

To verify the signature for a specific package, you first need to obtain a copy of our public GPG build key, which you can download from http://pgp.mit.edu/. The key that you want to obtain is named mysql-build@oss.oracle.com. Alternatively, you can copy and paste the key directly from the following text:

To import the build key into your personal public GPG keyring, use gpg --import. For example, if you have saved the key in a file named mysql_pubkey.asc, the import command looks like this:

You can also download the key from the public keyserver using the public key id, 5072E1F5:

If you want to import the key into your RPM configuration to validate RPM install packages, you should be able to import the key directly:

If you experience problems or require RPM specific information, see Section 2.4.4, “Signature Checking Using RPM”.

After you have downloaded and imported the public build key, download your desired MySQL package and the corresponding signature, which also is available from the download page. The signature file has the same name as the distribution file with an .asc extension, as shown by the examples in the following table.

Table 2.1 MySQL Package and Signature Files for Source files

File Type          File Name
Distribution file  mysql-standard-8.0.25-linux-i686.tar.gz
Signature file     mysql-standard-8.0.25-linux-i686.tar.gz.asc

Make sure that both files are stored in the same directory and then run the following command to verify the signature for the distribution file:

If the downloaded package is valid, you should see a Good signature message similar to this:

The Good signature message indicates that the file signature is valid, when compared to the signature listed on our site. But you might also see warnings, like so:

That is normal, as they depend on your setup and configuration. Here are explanations for these warnings:

gpg: no ultimately trusted keys found: This means that the specific key is not "ultimately trusted" by you or your web of trust, which is okay for the purposes of verifying file signatures.

WARNING: This key is not certified with a trusted signature! There is no indication that the signature belongs to the owner.: This refers to your level of trust in your belief that you possess our real public key. This is a personal decision. Ideally, a MySQL developer would hand you the key in person, but more commonly, you downloaded it. Was the download tampered with? Probably not, but this decision is up to you. Setting up a web of trust is one method for trusting them.

See the GPG documentation for more information on how to work with public keys.
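An added example, not part of the MySQL manual: the Good signature text and its warnings are written for people, so a script should read gpg's machine-readable status lines and accept a package only when a VALIDSIG line carries the full fingerprint you have confirmed for the build key. The fingerprint and status lines below are constructed sample data, and sig_ok and verify_pkg are hypothetical helper names.

```shell
#!/bin/sh
# Added example: fail-closed check of gpg's --status-fd output.
# sig_ok and verify_pkg are hypothetical helper names, not MySQL tooling.

# Constructed sample data (NOT the MySQL build key's fingerprint).
SAMPLE_FPR='0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer (test data)
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2021-01-01 1609459200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Signer (test data)'

# Read status lines on stdin; succeed only if a VALIDSIG line names the
# expected full fingerprint (signing key or primary key) and no line
# reports a bad, unverifiable, expired-key or revoked-key signature.
sig_ok() {
    awk -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { good = 1 }
        END { if (good && !bad) exit 0; exit 1 }
    '
}

# Verify <package> against <package>.asc using the caller's keyring.
# $2 is the full 40-hex-digit fingerprint confirmed out of band.
# If gpg is missing or prints no status lines, the check fails.
verify_pkg() {
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | sig_ok "$2"
}

# Self-check on the constructed samples; prints nothing on success.
printf '%s\n' "$SAMPLE_GOOD" | sig_ok "$SAMPLE_FPR" || echo 'unexpected: good sample rejected'
```

Pass the full fingerprint rather than the eight-digit key id, because short ids are not unique enough to identify a key.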
