Trusting Venafi's public key
If you've not already trusted Venafi's public key, you'll receive a warning during deployment when you verify the VSatellite installer. You can avoid that warning by manually trusting Venafi's public key before you begin deployment.
This step is optional, but recommended.
Download and import Venafi's key
- Download Venafi's public key.

    curl -O https://dl.venafi.cloud/vaaskey.pub

- Import the key into your GPG keyring.

    gpg --import ./vaaskey.pub

- Set Ownertrust for Venafi, Inc. to Ultimate.

    echo -e "trust\n5\ny\n" | gpg --no-tty --command-fd 0 --edit-key "gpg-vaas@venafi.com"

- Verify the key in your keyring.

    gpg --list-keys

  The result should look similar to the following:

    /home/edge/.gnupg/pubring.kbx
    -----------------------------
    pub   rsa4096 2022-03-18 [SCEA]
          BA2F4B4442D945F0A2810A686B99EC1CEEE83892
    uid           [ultimate] Venafi, Inc. <gpg-vaas@venafi.com>
    sub   rsa2048 2022-03-22 [A]
    sub   rsa2048 2022-03-22 [E]
What's next
Now that you've trusted Venafi's public key, you'll be able to verify the VSatellite installer download when you deploy VSatellites.
If you want to download the VSatellite installer and the VSatellite signature file, you can use the following:
curl -O https://dl.venafi.cloud/vsatctl && \
curl -O https://dl.venafi.cloud/vsatctl.sig
Verifying VSatellite after download
After you have downloaded the VSatellite installer and the VSatellite signature file as part of the VSatellite deployment steps, you can verify the installer by running the following:
gpg --verify vsatctl.sig vsatctl
The result should look similar to the following:
gpg: Signature made Thu Jul 27 06:37:24 2023 UTC
gpg: using RSA key BA2F4B4442D945F0A2810A686B99EC1CEEE83892
gpg: issuer "gpg-vaas@venafi.com"
gpg: Good signature from "Venafi, Inc. <gpg-vaas@venafi.com>" [ultimate]
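Because Ultimate ownertrust makes GPG treat the imported key as fully valid, it helps to confirm the key file's fingerprint before importing it and to pin that fingerprint when verifying the installer. The following is an added example, not Venafi's own tooling: the function names are hypothetical, the sample records are constructed, and the expected fingerprint is the one shown in the sample output on this page, assumed to have been confirmed through a channel you trust.

```shell
#!/bin/sh
# Added example, not Venafi's tooling. EXPECTED_FPR is the fingerprint shown
# in this page's sample output (assumption: confirmed via a trusted channel).
EXPECTED_FPR="BA2F4B4442D945F0A2810A686B99EC1CEEE83892"

# Primary-key fingerprint from `gpg --with-colons` output on stdin:
# the first "fpr" record after a "pub" record, field 10.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# Primary-key fingerprint from `gpg --status-fd` output on stdin.
# VALIDSIG is only emitted for a cryptographically good signature; the
# primary key's fingerprint is its 12th whitespace-separated field.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12; exit }'
}

# Succeeds only if the key file holds the expected primary key.
# --show-keys inspects the file without adding it to the keyring.
check_key_file() {
    got=$(gpg --show-keys --with-colons "$1" 2>/dev/null | primary_fpr)
    [ -n "$got" ] && [ "$got" = "$EXPECTED_FPR" ]
}

# Succeeds only if the signature is good AND was made by the pinned key,
# not merely by some key that happens to be in the keyring.
check_installer() {
    got=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | validsig_fpr)
    [ -n "$got" ] && [ "$got" = "$EXPECTED_FPR" ]
}

# Constructed sample records (not captured from a real run) for the parsers.
SAMPLE_COLONS='pub:-:4096:1:6B99EC1CEEE83892:1647561600:::-:::scESCA:
fpr:::::::::BA2F4B4442D945F0A2810A686B99EC1CEEE83892:
sub:-:2048:1:0000000000000001:1647907200::::::a:
fpr:::::::::0000000000000000000000000000000000000001:'
SAMPLE_STATUS='[GNUPG:] NEWSIG gpg-vaas@venafi.com
[GNUPG:] VALIDSIG BA2F4B4442D945F0A2810A686B99EC1CEEE83892 2023-07-27 1690439844 0 4 0 1 10 00 BA2F4B4442D945F0A2810A686B99EC1CEEE83892'
```

Run `check_key_file ./vaaskey.pub` before the import step and `check_installer vsatctl.sig vsatctl` once the key is in the keyring; both return non-zero on any mismatch.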