Verifying Packages

Quantum Origin distributes binary packages in different forms.

If you have received a signed Debian package, and wish to verify the integrity of our signature, you may use the Quantum Origin Debian signing public key below.

If you require a second point of authority to verify the correctness of this public key, you can contact your Sales representative.

-----BEGIN PGP PUBLIC KEY BLOCK-----
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=wFf0
-----END PGP PUBLIC KEY BLOCK-----

For convenience only, a sample GPG script to import our PGP certificate to enable package verification is provided below.

This requires sudo permissions. Please inspect the script prior to execution and ensure it is suitable for your use case.

Once you have imported our PGP certificate, you will need to install debsigs. You can then verify a package using debsig-verify, typically:

sudo apt install debsigs

> debsig-verify [RelevantDebianPackage.deb]

debsig: Verified package from 'Quantum Origin Package Signing' (Quantum Origin)

#!/bin/bash
PGP_KEY=$(cat <<EOF
-----BEGIN PGP PUBLIC KEY BLOCK-----
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=wFf0
-----END PGP PUBLIC KEY BLOCK-----
EOF
)
POLICY=$(cat <<EOF
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="https://www.debian.org/debsig/1.0/">

<!-- This is mainly a sanity check, since our filename is that of the ID
    anyway. -->
<Origin Name="Quantum Origin" id="3C35ADD2EF88D81F" Description="Quantum Origin Package Signing"/>

<!-- This is required to match in order for this policy to be used. We
    reject the release Type, since we want a different rule set for
    that. -->
<Selection>
    <Required Type="origin" File="debsig.gpg" id="3C35ADD2EF88D81F"/>
</Selection>

<!-- Once we decide to use this policy, this must pass in order to verify
    the package. -->
<Verification MinOptional="0">
    <Required Type="origin" File="debsig.gpg" id="3C35ADD2EF88D81F"/>
</Verification>
</Policy>
EOF
)

set -x
sudo mkdir -p /usr/share/debsig/keyrings/3C35ADD2EF88D81F/
sudo touch /usr/share/debsig/keyrings/3C35ADD2EF88D81F/debsig.gpg
sudo mkdir -p /etc/debsig/policies/3C35ADD2EF88D81F

set +x
echo "Importing QO public key..."
echo -n "$PGP_KEY" | sudo gpg --no-default-keyring --keyring /usr/share/debsig/keyrings/3C35ADD2EF88D81F/debsig.gpg --import
echo "Importing QO debsig-verify policy..."
echo -n "$POLICY" | sudo tee /etc/debsig/policies/3C35ADD2EF88D81F/debsig-verify.pol >/dev/null

echo "Done"
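
An added example, not part of the Quantum Origin script: a shell function that audits the layout the import script creates. It checks that every key ID in the policy matches its directory name, that each referenced keyring exists and is non-empty, and that neither file is writable by group or other. The function names and the root-directory parameters are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: audit the debsig-verify layout created by the import script.
# On a real host the roots are /etc/debsig/policies and
# /usr/share/debsig/keyrings; they are parameters so a test tree can be used.

# True when group or other has write permission on the path.
loosely_writable() {
    case $(ls -ld "$1" | cut -c1-10) in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Usage: check_debsig_layout KEYID POLICY_ROOT KEYRING_ROOT
check_debsig_layout() {
    local keyid="$1" policy_root="$2" keyring_root="$3"
    local pol id file path rc=0 found=0

    for pol in "$policy_root/$keyid"/*.pol; do
        [ -f "$pol" ] || continue
        found=1
        # Every id="..." in the policy must equal the directory's key ID.
        for id in $(grep -o ' id="[^"]*"' "$pol" | cut -d'"' -f2 | sort -u); do
            if [ "$id" != "$keyid" ]; then
                echo "FAIL: $pol references key $id, expected $keyid"; rc=1
            fi
        done
        # Every File="..." must be a non-empty keyring, not group/world writable.
        for file in $(grep -o ' File="[^"]*"' "$pol" | cut -d'"' -f2 | sort -u); do
            path="$keyring_root/$keyid/$file"
            if [ ! -s "$path" ]; then
                echo "FAIL: keyring $path is missing or empty"; rc=1
            elif loosely_writable "$path"; then
                echo "FAIL: keyring $path is group/world writable"; rc=1
            fi
        done
        if loosely_writable "$pol"; then
            echo "FAIL: policy $pol is group/world writable"; rc=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "FAIL: no .pol file under $policy_root/$keyid"; rc=1
    fi
    return "$rc"
}
```

After running the import script, call it as check_debsig_layout 3C35ADD2EF88D81F /etc/debsig/policies /usr/share/debsig/keyrings; a non-zero exit status means at least one check failed.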