MySQL Secure Deployment Guide  /  Verifying Package Integrity

Chapter 3 Verifying Package Integrity

After downloading the MySQL package and before attempting to install it, ensure that the package is intact and has not been tampered with. There are two methods of integrity checking for MySQL Linux Generic Binary packages: MD5 Checksum and Signature Checking Using GnuPG. Signature Checking Using GnuPG is used in this deployment.

MySQL signs its downloadable packages with GnuPG (GNU Privacy Guard). Most Linux distributions ship with GnuPG installed by default. Otherwise, see http://www.gnupg.org/ for more information about GnuPG and how to obtain and install it.

  1. To verify the signature of your MySQL download package, obtain a copy of the MySQL public GPG build key, which you can download from http://pgp.mit.edu/. The key name is mysql-build@oss.oracle.com.

    1. In your browser, navigate to http://pgp.mit.edu/.

    2. In the Search String field, enter the key name, mysql-build@oss.oracle.com, and click Do the search!

      This search result is returned:

      Type bits/keyID     Date       User ID
      -----------------------------------------------------------------------------------------------
      pub  4096R/3A79BD29 2021-12-14 MySQL Release Engineering <mysql-build@oss.oracle.com>
      
      pub  1024D/5072E1F5 2003-02-03 MySQL Release Engineering <mysql-build@oss.oracle.com>
                                     MySQL Package signing key (www.mysql.com) <build@mysql.com>
    3. Click on the keyID link, copy the key, and save it to a file named mysql_pubkey.asc, for example. keyID 3A79BD29 is for MySQL 8.0.28 releases and higher. keyID 5072E1F5 is for earlier MySQL releases.

      Alternatively, you can copy and paste the key directly from the MySQL Reference Manual. See Signature Checking Using GnuPG.

  2. To import the build key into your personal public GPG keyring, use the gpg --import command. For example, if you saved the key to a file named mysql_pubkey.asc, the import command looks like this:

    $> gpg --import mysql_pubkey.asc
    gpg: key 5072E1F5: public key "MySQL Release Engineering
    <mysql-build@oss.oracle.com>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    gpg: no ultimately trusted keys found
  3. After importing the public build key, place the public build key file that you created in the same directory as the .asc signature file that was included in the MySQL download package.

    The signature file has the same name as the distribution file with an .asc extension, as shown in the following table.

    Table 3.1 MySQL Package and Signature Files for Source files

    File Type File Name
    Distribution file mysql-commercial-8.0.xx-linux-glibc2.12-x86_64.tar.xz
    Signature file mysql-commercial-8.0.xx-linux-glibc2.12-x86_64.tar.xz.asc

  4. Run this command to verify the signature for the distribution file:

    $> gpg --verify mysql-commercial-8.0.xx-linux-glibc2.12-x86_64.tar.xz.asc

    If the downloaded package is valid, the verification returns a "Good signature" message similar to:

    $> gpg --verify mysql-commercial-8.0.xx-linux-glibc2.12-x86_64.tar.xz.asc
    gpg: Signature made Tue 01 Feb 2011 02:38:30 AM CST using DSA key ID 5072E1F5
    gpg: Good signature from "MySQL Release Engineering <mysql-build@oss.oracle.com>"

    The Good signature message indicates that the file signature is valid, but you might also see warnings:

    $> gpg --verify mysql-commercial-8.0.xx-linux-glibc2.12-x86_64.tar.xz.asc
    gpg: Signature made Wed 23 Jan 2013 02:25:45 AM PST using DSA key ID 5072E1F5
    gpg: checking the trustdb
    gpg: no ultimately trusted keys found
    gpg: Good signature from "MySQL Release Engineering <mysql-build@oss.oracle.com>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: A4A9 4068 76FC BD3C 4567  70C8 8C71 8D3B 5072 E1F5

    To encounter warnings is normal, as they depend on your setup and configuration. Here are explanations for the warnings:

    • gpg: no ultimately trusted keys found: This means that the specific key is not "ultimately trusted" by you or your web of trust, which is okay for the purposes of verifying file signatures.

    • WARNING: This key is not certified with a trusted signature! There is no indication that the signature belongs to the owner.: This refers to your level of trust in your belief that you possess our real public key. This is a personal decision. Ideally, a MySQL developer would hand you the key in person, but more commonly, you downloaded it. Was the download tampered with? Probably not, but this decision is up to you. Setting up a web of trust is one method for trusting them.

If the GPG signatures do not match, try to download the respective package one more time.

For additional information about GnuPG signature checking, see Signature Checking Using GnuPG.