Verify Release Signatures

Verifying signatures of Pritunl releases

Pritunl has a PGP signing key, securely stored on a YubiKey, that is used to sign some published files. Whenever a download is accompanied by a .sig file, that signature was made with this key. Currently this includes the Pritunl Client, the Pritunl Cloud Builder and all published Pritunl Cloud instance images. Pritunl Cloud ships this public key and verifies the instance images automatically. To verify other downloads, the commands below import the public PGP key and verify a file; the verify command should report a good signature from RSA key CB5517234EC6B1F97A2749690ADB523E055C08A4.

# Pritunl Signing Key ID CB5517234EC6B1F97A2749690ADB523E055C08A4
curl https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_pub.asc | gpg --import
gpg --verify filename.sig filename
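
A check that goes one step beyond the commands above, added here as an example and not part of the Pritunl documentation: gpg prints "Good signature" for any key present in the local keyring, so this script parses gpg's machine-readable --status-fd output and accepts a file only when a VALIDSIG line carries the Pritunl fingerprint from this page. The function names, the sample status lines, their dates and user-id strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Pritunl docs): accept a .sig only if gpg reports
# a valid signature from the expected Pritunl key fingerprint. "Good signature"
# alone is printed for any key that happens to be in the local keyring.

# Fingerprint of the Pritunl signing key, as published on this page.
PRITUNL_SIGNING_FPR="CB5517234EC6B1F97A2749690ADB523E055C08A4"

# status_matches_key STATUS_TEXT EXPECTED_FPR
# Scans gpg --status-fd output for a VALIDSIG line whose signing-key or
# primary-key fingerprint equals EXPECTED_FPR. Returns 0 on match, 1 otherwise.
status_matches_key() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# verify_release FILE.sig FILE
# Runs gpg with machine-readable status lines on stdout; gpg itself exits
# non-zero on a bad or unknown signature, and the fingerprint check then
# rejects a valid signature made by the wrong key.
verify_release() {
    status=$(gpg --status-fd 1 --verify "$1" "$2") || return 1
    status_matches_key "$status" "$PRITUNL_SIGNING_FPR"
}

# Constructed status output for illustration (uid text and dates are made up;
# the fingerprint is the one from this page). Real output comes from gpg.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0ADB523E055C08A4 Pritunl (constructed uid)
[GNUPG:] VALIDSIG CB5517234EC6B1F97A2749690ADB523E055C08A4 2024-01-01 1704067200 0 4 0 1 10 00 CB5517234EC6B1F97A2749690ADB523E055C08A4'
# Valid signature, but from some other key in the keyring (placeholder fpr).
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Someone Else (constructed uid)
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2024-01-01 1704067200 0 4 0 1 10 00 0000000000000000000000000000000000000000'
# Tampered file: gpg emits BADSIG and no VALIDSIG line at all.
SAMPLE_BADSIG='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0ADB523E055C08A4 Pritunl (constructed uid)'

# Usage against a real download: verify_release filename.sig filename
```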

An additional repository PGP signing key is used for the published package repositories. The Linux package managers automatically verify packages installed from these repositories using its public key. The key can be imported from a keyserver, as shown in the repository documentation, or by running the commands below.

# Pritunl Repository Signing Key ID 7568D9BB55FF9E5287D586017AE645C0CF8E292A
# RPM Systems
sudo rpm --import https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_repo_pub.asc
# APT Systems
curl https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_repo_pub.asc | sudo apt-key add -