How to verify signatures for downloadable artifacts
PGP
Download our PGP key using the link below and import it.
If you’re using gpg, you just need to run:
gpg --import /path/to/key
You can then verify the signature by downloading it into the same directory where you downloaded the tarball, and running:
gpg --verify /path/to/signature /path/to/tarball
It should show a good signature signed by opensearch@amazon.com.
Our current PGP key fingerprint is C5B7 4989 65EF D1C2 924B A9D5 39D3 1987 9310 D3FC
Note: If you see “gpg: Note: This key has expired!” as originally noted in Issue 2040, please download the newest key. See change log for dates.
JarSigner
Only the JDBC driver is signed with JarSigner. To verify signature run in the terminal:
jarsigner -verify -verbose <path_to_jar>
Windows
ODBC driver .msi can be verified by a few different methods.
Verify signature in PowerShell version > 5.1:
Get-AuthenticodeSignature -FilePath <path_to_msi>
Verify signature using SigCheck:
- Download SigCheck
Verify signature using SignTool:
- Download SignTool
Signature Fingerprint:
2DA2 DC02 8EE6 42CD 77C4 BA04 F289 1F24 7831 2C29
CodeSign
Signature of ODBC driver installer for MacOS could be verified using pgkutil.
To verify signature run in the terminal:
pkgutil --verbose --check-signature <path_to_pkg>
Certificate Fingerprint:
49 68 39 4A BA 83 3B F0 CC 5E 98 3B E7 C1 72 AC 85 97 65 18 B9 4C BA 34 62 BF E9 23 76 98 C5 DA
Change Log
| Date | Issue | Created | Expires |
|---|---|---|---|
| 2022-05-11 | Issue 2040 | 2022-05-12 | 2023-05-12 |
| 2023-05-04 | Issue 2136 | 2023-05-03 | 2024-05-12 |
| 2023-06-21 | Issue 97 | 2023-04-13 | 2031-11-09 |
| 2023-07-17 | Issue 3633 | 2023-07-05 | 2027-06-28 |