Google’s Linux packages are signed with GNU Privacy Guard (GPG) keys. Google’s packages will automatically configure your package manager to verify product updates with the public signing key, but you may also install it separately if, for instance, you want to verify the integrity of an initial package download. Follow the instructions below to manually configure your package manager to use the keys.
Public Key: https://dl.google.com/linux/linux_signing_key.pub
EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796
4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991
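The two 40-digit values above can be pinned and compared against a downloaded copy of linux_signing_key.pub before the file is handed to apt or rpm. The script below is an added example, not code from Google's page. It assumes those values are the primary key fingerprints (their last eight digits match the 0xD38B4796 and 0x7FAC5991 key IDs named on this page). The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Google's code): pin the two fingerprints printed on this page.
# Usage: sh <this script> linux_signing_key.pub
EXPECTED_FPRS='EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796
4CCA1EAF950CEE4AB83976DCA040830F7FAC5991'

# Constructed sample of `gpg --with-colons` output: one pinned primary key with
# one subkey. Timestamps, uid and the subkey fingerprint are made up.
SAMPLE_LISTING='pub:-:4096:1:7721F63BD38B4796:1460000000:::-:::scSC:
fpr:::::::::EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796:
uid:-::::1460000000::::Constructed Sample UID:
sub:-:4096:1:AAAAAAAAAAAAAAAA:1670000000:1770000000:::::s:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:'

# Print the fingerprint of every primary key in a colon listing read from stdin.
# Only the fpr record that follows a pub record counts; fpr records after sub
# records belong to subkeys, which rotate and are therefore not pinned.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" { if (want) print $10; want = 0 }'
}

# Succeed only if the listing on stdin holds at least one primary key and every
# primary key fingerprint is in EXPECTED_FPRS.
check_key_listing() {
    fprs=$(primary_fingerprints)
    [ -n "$fprs" ] || { echo "no primary key found" >&2; return 1; }
    for fpr in $fprs; do
        printf '%s\n' "$EXPECTED_FPRS" | grep -qxF "$fpr" ||
            { echo "unexpected primary key: $fpr" >&2; return 1; }
    done
}

# With a key file argument, check it using gpg; without one, check the sample.
if [ -n "${1:-}" ]; then
    gpg --show-keys --with-colons "$1" | check_key_listing &&
        echo "primary key fingerprints match"
else
    printf '%s\n' "$SAMPLE_LISTING" | check_key_listing && echo "sample listing OK"
fi
```

A key file that contains any primary key outside the pinned set fails the check, so an extra key appended to the download is caught as well as a wholly substituted one.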
Most package files you download and install from Google will automatically configure apt to trust this public key. However, if you experience any trouble with the keys, you can manually configure apt to trust the Google Linux package signing public keys globally by writing the public key file to /etc/apt/trusted.gpg.d/ as shown:
wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo tee /etc/apt/trusted.gpg.d/google.asc >/dev/null
# NOTE: On systems with older versions of apt (i.e. versions prior to 1.4), the ASCII-armored
# format public key must be converted to binary format before it can be used by apt.
wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/google.gpg >/dev/null
Recent versions of apt will automatically attempt to verify packages on download. If an appropriate key is not found or if the package is corrupted, you will get a message like the following:
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY
Most package files you download and install from Google will automatically configure rpm to trust this public key. However, if you experience any trouble with the keys, you can manually configure rpm to trust the Google Linux package signing public keys globally by importing the public key file into rpm as shown:
wget https://dl.google.com/linux/linux_signing_key.pub
sudo rpm --import linux_signing_key.pub
NOTE: rpm will silently fail when importing new subkeys to an existing key. See https://github.com/rpm-software-management/rpm/issues/2577 for more details.
You can verify the key installation in rpm by running the following:
diff <(gpg --show-keys <(sudo rpm -qi gpg-pubkey-7fac5991-* gpg-pubkey-d38b4796-*) 2> /dev/null) \
<(gpg --show-keys linux_signing_key.pub) > /dev/null \
&& echo "Import successful" || echo "Import failed"
# The command above should print "Import successful". If it instead prints "Import failed",
# try first removing the old key and retry the import by running the following:
sudo rpm -e gpg-pubkey-7fac5991-* gpg-pubkey-d38b4796-*
sudo rpm --import linux_signing_key.pub
NOTE: From early 2023 onward, all Linux RPM packages are signed with periodically rotated subkeys of the 0xD38B4796 signing key. The 0x7FAC5991 signing key is obsoleted by this change.
To manually verify an RPM package, you can run the command:
rpm --verbose --checksig -v packagename.rpm