How do I verify my downloads from CloudBees?

Issue

You would like to:

  • verify your downloads from CloudBees to ensure they haven’t been corrupted in transmission or
    maliciously compromised.
  • send encrypted email to the CloudBees security team or confirm the validity of a message from them.

Environment

  • CloudBees Jenkins Enterprise

Resolution

Well Known CloudBees GPG Keys

ID        Name                    Purpose
9804F850  security@cloudbees.com  Used to send encrypted email or verify received email - CloudBees Security Team
9FF90BDA  info@cloudbees.com      Code-signing key - CloudBees Software Products

Import GPG Keys

$ gpg --recv-keys C493F3199804F850 38E2F5F39FF90BDA
gpg: requesting key C493F3199804F850 from hkp server keyserver.ubuntu.com
gpg: requesting key 38E2F5F39FF90BDA from hkp server keyserver.ubuntu.com
gpg: key C493F3199804F850: "CloudBees Security Team <security@cloudbees.com>" not changed
gpg: key 38E2F5F39FF90BDA: "CloudBees, Inc. (Code signing) <info@cloudbees.com>" not changed
gpg: Total number processed: 2
gpg:              unchanged: 2

Verify Signatures

You can use the following command to verify the signatures on your software or on messages from our security staff.

For example, if you were provided with a jenkins-3.904.1.zip file and a detached signature file jenkins-3.904.1.zip.sig:

$ gpg --verify jenkins-3.904.1.zip.sig jenkins-3.904.1.zip
gpg: Signature made Thu 21 Apr 15:27:18 2016 AEST
gpg:                using RSA key 38E2F5F39FF90BDA
gpg: Good signature from "CloudBees, Inc. (Code signing) <info@cloudbees.com>" [ultimate]
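
A "Good signature" line only shows that some key in your keyring made the signature. The script below is an added example, not CloudBees code: it reads gpg's machine-readable status output and accepts the file only if the signer is the code-signing key ID used above. The helper names and sample status lines are constructed for illustration, and the padded fingerprints are placeholders because this page gives key IDs, not full fingerprints.

```shell
#!/bin/sh
# Added example: pin a detached-signature check to the expected signing key.

# Long key ID of the CloudBees code-signing key, as used on this page.
CODE_SIGNING_KEY=38E2F5F39FF90BDA

# signer_matches EXPECTED_ID  (hypothetical helper)
# Reads gpg --status-fd lines on stdin. Succeeds only if a VALIDSIG line
# carries a signing-key or primary-key fingerprint ending in EXPECTED_ID.
signer_matches() {
    awk -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        function ends_with(s, t) {
            return length(s) >= length(t) && substr(s, length(s) - length(t) + 1) == t
        }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (ends_with(toupper($3), want) || ends_with(toupper($NF), want)) ok = 1
        }
        END { exit (ok ? 0 : 1) }
    '
}

# verify_download FILE SIGFILE [EXPECTED_ID]  (hypothetical helper)
# gpg exits non-zero for a bad signature or a missing public key; on success
# the status lines (stdout via --status-fd 1) are checked against the pinned ID.
verify_download() {
    status=$(gpg --batch --no-tty --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | signer_matches "${3:-$CODE_SIGNING_KEY}"
}

# Constructed status lines for an offline demo. Fingerprints are zero- or
# one-padded placeholders; this page lists key IDs, not full fingerprints.
SAMPLE_EXPECTED='[GNUPG:] GOODSIG 38E2F5F39FF90BDA CloudBees, Inc. (Code signing) <info@cloudbees.com>
[GNUPG:] VALIDSIG 00000000000000000000000038E2F5F39FF90BDA 2016-04-21 1461216438 0 4 0 1 8 00 00000000000000000000000038E2F5F39FF90BDA'
SAMPLE_OTHER='[GNUPG:] GOODSIG 1111111111111111 Some Other Key <other@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2016-04-21 1461216438 0 4 0 1 8 00 1111111111111111111111111111111111111111'

for sample in "$SAMPLE_EXPECTED" "$SAMPLE_OTHER"; do
    if printf '%s\n' "$sample" | signer_matches "$CODE_SIGNING_KEY"; then
        echo "accept: signed by $CODE_SIGNING_KEY"
    else
        echo "reject: valid signature, but not from $CODE_SIGNING_KEY"
    fi
done
```

With gpg installed and the keys imported as shown earlier, call verify_download jenkins-3.904.1.zip jenkins-3.904.1.zip.sig and check its exit status.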