Cryptographic verification of installation files
We digitally sign various files with our GPG key so that you can check whether they're legit, i.e. whether they really came from Phusion and haven't been tampered with by a third party. We apply signing since the open source version 4.0.0 RC 4, or the Enterprise version 4.0.0 RC 1.
Table of contents
Importing the Phusion Software Signing key
Phusion's GPG key for signing software is as follows:
Phusion Software Signing (email@example.com)
Short key ID: 0x0A212A8C
Long key ID: 0x2AC745A50A212A8C
Fingerprint: D5F0 8514 2693 9232 F437 AB72 2AC7 45A5 0A21 2A8C
gpg --keyserver hkps://hkps.pool.sks-keyservers.net --search-keys 0x2AC745A50A212A8C
gpg --keyserver hkp://keyserver.ubuntu.com:80 --search-keys 0x2AC745A50A212A8C
The Phusion Software Signing key is only used for signing software. It's never used for signing emails or for encrypting files, so please be suspicious if you encounter usage of this key outside the context of signing software, and alert us at firstname.lastname@example.org. Include "notspam" in the message to bypass our spam filter.
Verifying the Phusion Software Signing key
The Phusion Software Signing key is also signed by the Phusion founders. Their keys are as follows:
Hongli Lai (email@example.com)
Short key ID: 8C59158F
Long key ID: CD70085E8C59158F
Fingerprint: 218A 7255 83D0 2ECE F3A9 C2A7 CD70 085E 8C59 158F
Ninh Bui (firstname.lastname@example.org)
Short key ID: 69481265
Long key ID: AE405F7869481265
Fingerprint: A77C 9CEF 766D 0E7D A95B 8778 AE40 5F78 6948 1265
Both keys are stored at both sks-keyservers.net and keyserver.ubuntu.com. Import them with:
gpg --keyserver hkps://hkps.pool.sks-keyservers.net --search-keys 0xCD70085E8C59158F gpg --keyserver hkps://hkps.pool.sks-keyservers.net --search-keys 0xAE405F7869481265
gpg --keyserver hkp://keyserver.ubuntu.com:80 --search-keys 0xCD70085E8C59158F gpg --keyserver hkp://keyserver.ubuntu.com:80 --search-keys 0xAE405F7869481265
Verifying the gem and tarball
You can find the open source version's gem and tarball GPG signatures at https://www.phusionpassenger.com/file_releases. The Enterprise version's GPG signatures can be found in the Customer Area. All signatures have the '.asc' extension. Once you have imported our key, you can verify the validity of a file against its signature as follows:
$ gpg --verify passenger-x.x.x.tar.gz.asc passenger-x.x.x.tar.gz gpg: Signature made Mon Mar 11 09:45:46 2013 CET using RSA key ID 0A212A8C gpg: Good signature from "Phusion Software Signing <email@example.com>"
Verifying Git signatures
Tags in the Git repository for the open source version are also tagged. You can verify a Git tag as follows:
$ git tag --verify release-x.x.x object d886f34b5705e4314feccaf0d77b9a38416e15e0 type commit tag release-4.0.0.rc5 tagger Hongli Lai (Phusion) <firstname.lastname@example.org> 1362993117 +0100 This is a tag message. gpg: Signature made Mon Mar 11 10:12:02 2013 CET using RSA key ID 0A212A8C gpg: Good signature from "Phusion Software Signing <email@example.com>"
Verifying Debian packages
Verifying RPM packages
Our YUM repository is signed by PackageCloud (firstname.lastname@example.org). PackageCloud is the RPM package hosting service that we use. You can find their key here. Packages are automatically checked upon installation.
In the event our key is compromised, we will revoke the key and upload the revocation information to sks-keyservers.net and keyserver.ubuntu.com. However your system will not know about the revocation until you update the keys from the keyservers. You should update your keys regularly (e.g. once a week) by invoking:
gpg --refresh-keys --keyserver hkps://hkps.pool.sks-keyservers.net
gpg --refresh-keys --keyserver hkp://keyserver.ubuntu.com:80
If you installed Passenger through our APT repository, then you should update APT's keyring from time to time as well:
sudo apt-key adv --refresh-keys --keyserver hkp://keyserver.ubuntu.com:80