Validation of Linux Installers

GPG signature files are bundled in Deadline installer packages. You can use a public key to verify that the Linux installer files are original and unmodified.

To verify the Deadline installers on a Linux machine, follow these steps.

  1. Download the public key.

  2. Import the public key into your keyring:

    >>> gpg --import public.key
    gpg: /path/to/.gnupg/trustdb.gpg: trustdb created
    gpg: key B7FA23BC: public key "Thinkbox Software Inc. <thinkbox-sales@amazon.com>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1 (RSA: 1)
    

    Make a note of the key value, as you need it in the next step. In the preceding example, the key value is B7FA23BC.

  3. Verify the fingerprint by running the following command, replacing key-value with the value from the preceding step:

    >>> gpg --fingerprint key-value
    pub 4096R/B7FA23BC 2022-11-27 [expires: 2022-11-27]
        Key fingerprint = 5231 767E 2C7C 9008 7144 7EBB 9357 3A69 B7FA 23BC
    uid                Thinkbox Software Inc. <thinkbox-sales@amazon.com>
    

    The fingerprint string should be equal to the following:

    5231 767E 2C7C 9008 7144 7EBB 9357 3A69 B7FA 23BC

    If the fingerprint string doesn’t match, don’t install. Contact Thinkbox Support.

    After you have verified the fingerprint, you can use the imported public key to verify the signature of the installers.

  4. To verify the signature, run gpg --verify:

    >>> gpg --verify signature-filename installer-filename
    gpg: Signature made <timestamp> using RSA key ID B7FA23BC
    gpg: Good signature from "Thinkbox Software Inc. <thinkbox-sales@amazon.com>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key finger print: 5231 767E 2C7C 9008 7144 7EBB 9357 3A69 B7FA 23BC
    

    If the output includes the phrase BAD signature, check whether you performed the procedure correctly. If you continue to get this response, contact Thinkbox Support and avoid using the downloaded file.

    Note the warning about trust. A key is trusted only if you or someone you trust has signed it. The warning doesn’t mean that the signature is invalid, only that you have not verified the public key.
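
Steps 3 and 4 can be scripted against gpg's machine-readable status output. This matters because gpg --verify reports a good signature for any key in the keyring, so the script also pins the fingerprint published above. This is an added example, not part of the Deadline documentation; the function names and sample status lines are constructed, and it assumes the key was already imported in step 2.

```shell
#!/bin/sh
# Added example (not from the Deadline documentation).
# Fingerprint published in step 3 of this page.
EXPECTED_FPR="5231 767E 2C7C 9008 7144 7EBB 9357 3A69 B7FA 23BC"

# Strip whitespace and uppercase, so spaced and unspaced forms compare equal.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Reads gpg status lines ("[GNUPG:] ...") on stdin. Succeeds only if there is
# a GOODSIG line, no BADSIG/ERRSIG line, and a VALIDSIG line whose last field
# (the primary key fingerprint) equals the expected fingerprint given as $1.
status_signed_by() {
  awk -v want="$(normalize_fpr "$1")" '
    $1 != "[GNUPG:]"                      { next }
    $2 == "GOODSIG"                       { good = 1 }
    $2 == "BADSIG" || $2 == "ERRSIG"      { bad = 1 }
    $2 == "VALIDSIG" && ($NF "") == want  { pinned = 1 }  # "" forces string compare
    END { exit (good && pinned && !bad) ? 0 : 1 }'
}

# usage: verify_installer signature-filename installer-filename
verify_installer() {
  gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
    status_signed_by "$EXPECTED_FPR"
}

# Constructed status output: dates and numeric fields are made up.
SAMPLE_GOOD='[GNUPG:] GOODSIG 93573A69B7FA23BC Thinkbox Software Inc. <thinkbox-sales@amazon.com>
[GNUPG:] VALIDSIG 5231767E2C7C900871447EBB93573A69B7FA23BC 2023-01-01 1672531200 0 4 0 1 8 00 5231767E2C7C900871447EBB93573A69B7FA23BC'
# Constructed: a valid signature, but made by a different (hypothetical) key.
SAMPLE_OTHER='[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <other@example.com>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2023-01-01 1672531200 0 4 0 1 8 00 00112233445566778899AABBCCDDEEFF01234567'

# Run the real check only when both filenames are given on the command line.
if [ "$#" -eq 2 ]; then
  if verify_installer "$1" "$2"; then
    echo "OK: signed by the pinned key"
  else
    echo "FAIL: do not install"
    exit 1
  fi
fi
```

Requiring GOODSIG in addition to VALIDSIG rejects signatures from expired or revoked keys, which gpg reports with EXPKEYSIG or REVKEYSIG instead of GOODSIG.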