Verifying Packages
Official Trisul package files (RPM and DEB) are signed with a GnuPG key available at https://trisul.org/pubkey.gpg
This page describes how you can verify these package files to ensure
- These are created by Unleash Networks official build systems
- They have not been tampered with
Verifying DEB for Ubuntu 24.04
To verify a deb package you can download the corresponding .asc which contains the signature used to verity.
# Verify with the ASC signature file
gpg --verify trisul-probe-xyz.deb.asc trisul-probe.deb
If all is well you will get a message like this.
gpg: Good signature from "Trisul Networks <support@trisul.org>" [unknown]
Verifying a DEB for older Ubuntu versions
You will be using a package called dpkg-sig to verify the DEBs. Make sure it is installed first.
The steps are :
- Import our public key into your key ring using
gpg --import pubkey.gpg - Verify using
dpkg-sig --verify pkg.deb
A sample verify session would look like below
$ wget https://trisul.org/pubkey.gpg
$ gpg --import pubkey.gpg
gpg: key A6CC1B18: public key "Unleash Networks Support (UNPL) <info@unleashnetworks.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
$ gpg --verify webtrisul_7.0.2522-jammy_amd64.deb
Processing trisul_3.0.1316_i386.deb...
gpg: Good signature from "Unleash Networks Support (UNPL) <info@unleashnetworks.com>" [unknown]
Verifying RPMs
We will use the --checksig option to verify
The steps are
- Import our public key
rpm --import https://trisul.org/pubkey.gpg - Verify using
rpm --checksig trisulpackage.rpm
Look for the OK message.
A sample verify session would look like below
$ rpm --import https://trisul.org/pubkey.gpg
$ rpm --checksig webtrisul-7.0.2522-1.el8.x86_64.rpm
webtrisul-7.0.2522-1.el8.x86_64.rpm: digests signatures OK
The RPM verification was successful if you see the OK