2.4.2 Signature Checking Using GnuPG
Another method of verifying the integrity and authenticity of a
package is to use cryptographic signatures. This is more
reliable than using MD5
checksums, but requires more work.
We sign MySQL downloadable packages with
GnuPG (GNU Privacy Guard).
GnuPG is an Open Source alternative to the
well-known Pretty Good Privacy (PGP) by Phil
Zimmermann. Most Linux distributions ship with
GnuPG installed by default. Otherwise, see
http://www.gnupg.org/ for more information about
GnuPG and how to obtain and install it.
To verify the signature for a specific package, you first need
to obtain a copy of our public GPG build key, which you can
download from http://pgp.mit.edu/. The key that
you want to obtain is named
mysql-build@oss.oracle.com. Alternatively,
you can copy and paste the key directly from the following text:
To import the build key into your personal public GPG keyring,
use gpg --import. For example, if you have saved the key in a
file named mysql_pubkey.asc, the import command is
gpg --import mysql_pubkey.asc.
You can also download the key from the public keyserver using
its public key ID, 5072E1F5:
If you want to import the key into your RPM configuration to
validate RPM install packages, you should be able to import the
key directly:
If you experience problems or require RPM specific information,
see Section 2.4.4, “Signature Checking Using RPM”.
After you have downloaded and imported the public build key,
download your desired MySQL package and the corresponding
signature, which is also available from the download page. The
signature file has the same name as the distribution file, with
an .asc extension appended, as shown by the examples in the
following table.
Table 2.1 MySQL Package and Signature Files for Source files

File Type           File Name
Distribution file   mysql-standard-8.0.25-linux-i686.tar.gz
Signature file      mysql-standard-8.0.25-linux-i686.tar.gz.asc
Make sure that both files are stored in the same directory and
then run the following command to verify the signature for the
distribution file:
If the downloaded package is valid, you should see a
Good signature message similar to this:
The Good signature message indicates that the file's signature
is valid when checked against the public build key you imported
from our site. But you might also see warnings, like so:
These are normal, as they depend on your setup and configuration.
Here are explanations for these warnings:
"gpg: no ultimately trusted keys found": This means that the
specific key is not "ultimately trusted" by you or your web of
trust, which is okay for the purposes of verifying file
signatures.
"WARNING: This key is not certified with a trusted signature!
There is no indication that the signature belongs to the
owner.": This refers to your level of trust in your belief that
you possess our real public key. This is a personal decision.
Ideally, a MySQL developer would hand you the key in person,
but more commonly, you downloaded it. Was the download tampered
with? Probably not, but this decision is up to you. Setting up
a web of trust is one method for establishing trust in the key.
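The verification step above is easy to get wrong in a script: the human-readable gpg messages (including the two trust warnings just described) vary by version and locale, and a "Good signature" from the wrong key still reads as good. The following added example, which is not part of the MySQL manual, drives gpg --verify on the distribution file and its .asc companion and decides the outcome from gpg's machine-readable --status-fd lines, pinning the signing key by full fingerprint. EXPECTED_FPR is a placeholder you must replace with the published fingerprint of the mysql-build@oss.oracle.com key; the key names, fingerprints and status lines in the comments and tests are constructed samples.

```shell
#!/bin/sh
# Added example, not from the MySQL manual: decide mechanically whether a
# `gpg --verify` result is acceptable, using the --status-fd output rather
# than the locale-dependent human text.
#
# ASSUMPTION: EXPECTED_FPR is a placeholder. Set it to the full fingerprint
# of the mysql-build@oss.oracle.com key as published by Oracle; the short
# key id 5072E1F5 alone is not enough to pin a key.
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_PUBLISHED_FINGERPRINT}"

# classify_status STATUS_LINES: prints one word; returns 0 only for "good".
#   good       valid signature from the expected key (trust warnings such as
#              "no ultimately trusted keys found" do not change this)
#   wrong-key  valid signature, but made by a key other than EXPECTED_FPR
#   bad        BADSIG: the file does not match the signature
#   nokey      NO_PUBKEY: the build key was never imported
#   error      no VALIDSIG line at all (corrupt .asc, gpg failure, ...)
classify_status() {
    status="$1"
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then
        echo bad; return 1
    fi
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] NO_PUBKEY '; then
        echo nokey; return 1
    fi
    # VALIDSIG carries the full fingerprint of the signing key as field 3.
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
    if [ -z "$fpr" ]; then
        echo error; return 1
    fi
    if [ "$fpr" = "$EXPECTED_FPR" ]; then
        echo good; return 0
    fi
    echo wrong-key; return 1
}

# verify_package DIST_FILE: expects DIST_FILE.asc in the same directory,
# as in Table 2.1. Example:
#   verify_package mysql-standard-8.0.25-linux-i686.tar.gz
verify_package() {
    dist="$1"
    [ -f "$dist" ] && [ -f "$dist.asc" ] || { echo error; return 1; }
    status=$(gpg --status-fd 1 --verify "$dist.asc" "$dist" 2>/dev/null)
    classify_status "$status"
}
```

Because the decision is made on VALIDSIG and the fingerprint, a package signed by some other key that happens to be in your keyring is reported as wrong-key, not good.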
See the GPG documentation for more information on how to work
with public keys.