Resources

How to verify signatures for downloadable artifacts

PGP

Download our PGP key using the link below and import it.

If you’re using gpg, you just need to run:

gpg --import /path/to/key

You can then verify the signature by downloading it into the same directory where you downloaded the tarball, and running:

gpg --verify /path/to/signature /path/to/tarball

It should show a good signature signed by opensearch@amazon.com.

Our current PGP key fingerprint is C5B7 4989 65EF D1C2 924B A9D5 39D3 1987 9310 D3FC

Get our PGP Key

Note: If you see “gpg: Note: This key has expired!” as originally noted in Issue 2040, please download the newest key. See change log for dates.

JarSigner

Only the JDBC driver is signed with JarSigner. To verify signature run in the terminal:

jarsigner -verify -verbose <path_to_jar>

Windows

ODBC driver .msi can be verified by a few different methods.

Verify signature in PowerShell version > 5.1:

Get-AuthenticodeSignature -FilePath <path_to_msi>

Verify signature using SigCheck:

Verify signature using SignTool:

Signature Fingerprint:

2DA2 DC02 8EE6 42CD 77C4 BA04 F289 1F24 7831 2C29

CodeSign

Signature of ODBC driver installer for MacOS could be verified using pgkutil.

To verify signature run in the terminal:

pkgutil --verbose --check-signature <path_to_pkg>

Certificate Fingerprint:

49 68 39 4A BA 83 3B F0 CC 5E 98 3B E7 C1 72 AC 85 97 65 18 B9 4C BA 34 62 BF E9 23 76 98 C5 DA

Change Log

Date Issue Created Expires
2022-05-11 Issue 2040 2022-05-12 2023-05-12
2023-05-04 Issue 2136 2023-05-03 2024-05-12
2023-06-21 Issue 97 2023-04-13 2031-11-09
2023-07-17 Issue 3633 2023-07-05 2027-06-28