Issue
You would like to
- verify your downloads from CloudBees to ensure they haven’t been corrupted in transmission or maliciously compromised.
- send encrypted email to the CloudBees security team or confirm the validity of a message from them.
Environment
- CloudBees Jenkins Enterprise
Resolution
Well Known CloudBees GPG Keys
ID | Name | Purpose |
---|---|---|
9804F850 | security@cloudbees.com | Used to send encrypted email or verify received email - CloudBees Security Team |
9FF90BDA | info@cloudbees.com | Code-signing key - CloudBees Software Products |
Import GPG Keys
$ gpg --recv-keys C493F3199804F850 38E2F5F39FF90BDA
gpg: requesting key C493F3199804F850 from hkp server keyserver.ubuntu.com
gpg: requesting key 38E2F5F39FF90BDA from hkp server keyserver.ubuntu.com
gpg: key C493F3199804F850: "CloudBees Security Team <security@cloudbees.com>" not changed
gpg: key 38E2F5F39FF90BDA: "CloudBees, Inc. (Code signing) <info@cloudbees.com>" not changed
gpg: Total number processed: 2
gpg: unchanged: 2
Verify Signatures
You can use the following command to verify the signatures on your software or messages from our security staff.
For example, if you were provided with a jenkins-3.904.1.zip file and a detached signature file jenkins-3.904.1.zip.sig:
$ gpg --verify jenkins-3.904.1.zip.sig jenkins-3.904.1.zip
gpg: Signature made Thu 21 Apr 15:27:18 2016 AEST
gpg: using RSA key 38E2F5F39FF90BDA
gpg: Good signature from "CloudBees, Inc. (Code signing) <info@cloudbees.com>" [ultimate]
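gpg reports "Good signature" for any key present in your keyring, so an automated check should also confirm which key made the signature. The script below is an added example, not CloudBees code: it parses gpg's machine-readable `--status-fd` output and accepts the file only if the signing key matches the code-signing key ID listed above. The script name `verify.sh`, the function names and the sample fingerprint are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not CloudBees code. Pins the signer of a detached signature.
EXPECTED_KEYID="38E2F5F39FF90BDA"   # code-signing long key ID listed on this page

# Reads `gpg --status-fd` records on stdin. Succeeds only when a VALIDSIG
# record carries a signing-key or primary-key fingerprint ending in $1.
signer_matches() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -v want="$want" '
        function ends_with(s, t) {
            return length(s) >= length(t) &&
                   substr(s, length(s) - length(t) + 1) == t
        }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (ends_with(toupper($3), want) || ends_with(toupper($NF), want)) ok = 1
        }
        END { exit (ok ? 0 : 1) }
    '
}

# Constructed status records for offline testing; $1 is a made-up
# fingerprint, not the real fingerprint of any CloudBees key.
sample_status() {
    printf '[GNUPG:] GOODSIG %s Constructed Signer <signer@example.com>\n' "$1"
    printf '[GNUPG:] VALIDSIG %s 2016-04-21 1461216438 0 4 0 1 8 00 %s\n' "$1" "$1"
}

# verify_download SIGFILE DATAFILE: gpg must accept the signature AND the
# signer must be the pinned key.
verify_download() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || {
        echo "FAIL: gpg rejected the signature on $2" >&2
        return 1
    }
    printf '%s\n' "$status" | signer_matches "$EXPECTED_KEYID" || {
        echo "FAIL: valid signature, but not made by $EXPECTED_KEYID" >&2
        return 1
    }
    echo "OK: $2 is signed by $EXPECTED_KEYID"
}

# Run as: sh verify.sh jenkins-3.904.1.zip.sig jenkins-3.904.1.zip
if [ "$#" -eq 2 ]; then
    verify_download "$1" "$2"
fi
```

Pinning the full 40-character fingerprint, obtained from CloudBees over a trusted channel, is stricter than matching the 16-character key ID used here.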