Every stable DEB and RPM package published by Varnish Software is signed at two levels: the repository metadata, and each individual .deb and .rpm file, which is signed with one of the Varnish Software keys documented below. Customers who want to verify individual package files need to import the appropriate signing key.
- Key ID 73549056 (4096R), fingerprint 6B8B CB11 4EC8 360B 78D2 B9C1 6FC7 24BF 7354 9056. Signs packages: varnish-plus, varnish-plus-akamai-connector, varnish-plus-dev, varnish-plus-devel, varnish-plus-deviceatlas, varnish-plus-deviceatlas3, varnish-plus-ha, varnish-plus-selinux, varnish-plus-vmods-extra
- Key ID 4DEDD721 (2048R), fingerprint 7877 98C0 22A6 CE30 F148 7292 2E7D ED34 4DED D721. Signs packages: varnish-broadcaster, varnish-controller-agent, varnish-controller-api-gw, varnish-controller-brainz, varnish-controller-cli, varnish-controller-nats, varnish-controller-router, varnish-controller-ui, varnish-custom-statistics, varnish-custom-statistics-agent, varnish-otel, varnish-plus-addon-ssl, varnish-plus-discovery, varnish-plus-waf
| Package | Signing key |
|---|---|
| varnish-plus | 73549056 |
| varnish-plus-akamai-connector | 73549056 |
| varnish-plus-dev | 73549056 |
| varnish-plus-devel | 73549056 |
| varnish-plus-deviceatlas | 73549056 |
| varnish-plus-deviceatlas3 | 73549056 |
| varnish-plus-ha | 73549056 |
| varnish-plus-selinux | 73549056 |
| varnish-plus-vmods-extra | 73549056 |
| varnish-broadcaster | 4DEDD721 |
| varnish-controller-agent | 4DEDD721 |
| varnish-controller-api-gw | 4DEDD721 |
| varnish-controller-brainz | 4DEDD721 |
| varnish-controller-cli | 4DEDD721 |
| varnish-controller-nats | 4DEDD721 |
| varnish-controller-router | 4DEDD721 |
| varnish-controller-ui | 4DEDD721 |
| varnish-custom-statistics | 4DEDD721 |
| varnish-custom-statistics-agent | 4DEDD721 |
| varnish-otel | 4DEDD721 |
| varnish-plus-addon-ssl | 4DEDD721 |
| varnish-plus-discovery | 4DEDD721 |
| varnish-plus-waf | 4DEDD721 |
Import the signing keys and verify a downloaded package:

```sh
# Import both signing keys
rpm --import https://docs.varnish-software.com/keys/varnish-plus.gpg
rpm --import https://docs.varnish-software.com/keys/varnish-enterprise.gpg
# Verify a downloaded package (non-zero exit status on failure)
rpm --checksig <package>.rpm
# Expected output: <package>.rpm: digests signatures OK
```
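`rpm --checksig` reports OK as soon as the signature matches any key in the rpm keyring, so it does not by itself tell you that a varnish-plus package was signed by 73549056 rather than by the other key. The script below is an added example, not part of the Varnish documentation: it pins each package name to the key the table above lists for it and compares that against the key ID rpm reports for the file. The 64-bit key IDs are the last 16 hex digits of the fingerprints given above; the pgpsig string format in the comment is a constructed sample of rpm's usual `RSA/SHA256, <date>, Key ID <id>` output.

```shell
#!/bin/sh
# Added example (not Varnish Software's code): verify an .rpm and confirm it was
# signed by the key documented for that package, not merely by some imported key.

KEY_PLUS=6fc724bf73549056          # short ID 73549056 (last 16 hex digits of its fingerprint)
KEY_ENTERPRISE=2e7ded344dedd721    # short ID 4DEDD721 (last 16 hex digits of its fingerprint)

# Map a package name (as in the table above) to the 64-bit ID of its expected signing key.
expected_keyid() {
    case "$1" in
        varnish-plus|varnish-plus-akamai-connector|varnish-plus-dev|varnish-plus-devel|\
        varnish-plus-deviceatlas|varnish-plus-deviceatlas3|varnish-plus-ha|\
        varnish-plus-selinux|varnish-plus-vmods-extra)
            echo "$KEY_PLUS" ;;
        varnish-broadcaster|varnish-controller-*|varnish-custom-statistics|\
        varnish-custom-statistics-agent|varnish-otel|varnish-plus-addon-ssl|\
        varnish-plus-discovery|varnish-plus-waf)
            echo "$KEY_ENTERPRISE" ;;
        *)  return 1 ;;   # package not in the signing-key table: refuse rather than guess
    esac
}

# Pull the 16-hex-digit key ID out of a pgpsig string such as (constructed sample):
#   "RSA/SHA256, Tue 01 Jan 2030 00:00:00 UTC, Key ID 6fc724bf73549056"
keyid_from_pgpsig() {
    printf '%s\n' "$1" | sed -n 's/.*Key ID \([0-9a-fA-F]\{16\}\).*/\1/p' | tr 'A-F' 'a-f'
}

# Full check for a downloaded file: valid signature AND the signer is the documented key.
verify_rpm() {
    pkg_file=$1
    name=$(rpm -qp --qf '%{NAME}' "$pkg_file") || return 1
    rpm --checksig "$pkg_file" || return 1
    sig=$(rpm -qp --qf '%{RSAHEADER:pgpsig}' "$pkg_file") || return 1
    want=$(expected_keyid "$name") || { echo "no documented signing key for $name" >&2; return 1; }
    got=$(keyid_from_pgpsig "$sig")
    [ "$got" = "$want" ] || { echo "$pkg_file signed by $got, expected $want" >&2; return 1; }
}

# Usage: verify_rpm varnish-plus-6.0.x-1.el9.x86_64.rpm
```

Run `verify_rpm` on each downloaded file; a package that is signed by a valid Varnish key but not the one documented for it still fails, which is the case `rpm --checksig` alone cannot catch.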
dnf/yum can be configured to verify package signatures automatically on every install by setting gpgcheck=1 in the repository configuration and listing both signing keys above under gpgkey= (several URLs may be given, one per line). The installation instructions do not enable this by default.
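The repository definition below is an added example, not part of the Varnish documentation or installation instructions: it shows the gpgcheck=1 / gpgkey= settings described above, and adds a small check that flags any .repo file whose sections would let dnf install unverified packages. The baseurl is a placeholder (example.invalid), not a real Varnish Software repository URL.

```shell
#!/bin/sh
# Added example (not Varnish Software's code): a dnf/yum .repo definition that
# verifies every package against both Varnish Software keys, plus a lint for
# .repo files that would bypass verification.

write_repo_config() {
    # $1 = path of the .repo file to write. Placeholder baseurl, replace with the
    # one from the installation instructions.
    cat > "$1" <<'EOF'
[varnish-plus]
name=Varnish Plus (placeholder baseurl)
baseurl=https://example.invalid/varnish-plus/el/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=https://docs.varnish-software.com/keys/varnish-plus.gpg
       https://docs.varnish-software.com/keys/varnish-enterprise.gpg
EOF
}

# Exit 0 only if every [section] in the file sets gpgcheck=1 and a non-empty gpgkey=.
# A section with gpgcheck=0, or with gpgcheck missing, lets dnf install unsigned packages.
repo_gpgcheck_ok() {
    awk '
        BEGIN { bad = 0 }
        function flush() {
            if (sec != "" && !(check == "1" && key != "")) bad++
            check = ""; key = ""
        }
        /^\[/              { flush(); sec = $0; next }
        /^gpgcheck[ \t]*=/ { sub(/^gpgcheck[ \t]*=[ \t]*/, ""); check = $0 }
        /^gpgkey[ \t]*=/   { sub(/^gpgkey[ \t]*=[ \t]*/, ""); if ($0 != "") key = $0 }
        END                { flush(); exit (bad > 0) }
    ' "$1"
}

# Usage:
#   write_repo_config /etc/yum.repos.d/varnish-plus.repo
#   repo_gpgcheck_ok /etc/yum.repos.d/varnish-plus.repo || echo "signature checks disabled"
```

The lint treats a missing gpgcheck line as a failure on purpose: relying on the global default in dnf.conf is easy to lose when that file is edited, so each repository section should state the setting itself.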
On DEB-based systems, apt automatically verifies repository metadata signatures using the packagecloud repository key installed during repository setup (see the installation instructions). This ensures that the package index, and the package checksums it lists, have not been tampered with; apt does not check the per-file signature described next.
Individual .deb file verification can be done with gpg directly:

```bash
# Import both signing keys
curl -fsSL https://docs.varnish-software.com/keys/varnish-plus.gpg | gpg --import
curl -fsSL https://docs.varnish-software.com/keys/varnish-enterprise.gpg | gpg --import
# The detached signature in the _gpgorigin member covers the debian-binary,
# control.tar.* and data.tar.* members concatenated in archive order. Member
# names must be passed literally (a shell glob does not expand inside an
# archive), so take them from the archive listing. An unsigned .deb has no
# _gpgorigin member at all.
pkg=<package>.deb
ar t "$pkg" | grep -qx _gpgorigin || { echo "$pkg has no _gpgorigin signature" >&2; exit 1; }
members=$(ar t "$pkg" | grep -E '^(debian-binary|control\.tar(\.[a-z]+)?|data\.tar(\.[a-z]+)?)$')
ar p "$pkg" _gpgorigin | gpg --verify - <(ar p "$pkg" $members)
```
The following keys are no longer used to sign any current packages:

| Key ID | UID | Status |
|---|---|---|
| 8F2D409F | Jenkins auto-signer <sysadmin@varnish-software.com> | Retired (not used in any current package signature) |
| FF2C9E2F | Varnish Software Automatic Signing Key <sysadmin@varnish-software.com> | Retired (not used in any current package signature) |
| C4DEFFEB | varnish-cache.org repository key <sysadmin@varnish-software.com> | Expired 2020-09-05 |