After downloading the MySQL package and before attempting to install it, ensure that the package is intact and has not been tampered with. There are two methods of integrity checking for MySQL Linux Generic Binary packages: MD5 Checksum and Signature Checking Using GnuPG. Signature Checking Using GnuPG is used in this deployment.
MySQL signs its downloadable packages with GnuPG (GNU Privacy Guard). Most Linux distributions ship with GnuPG installed by default. Otherwise, see http://www.gnupg.org/ for more information about GnuPG and how to obtain and install it.
To verify the signature of your MySQL download package, obtain a copy of the MySQL public GPG build key, which you can download from http://pgp.mit.edu/. The key name is
In your browser, navigate to http://pgp.mit.edu/.
In the Search String field, enter the key name,
firstname.lastname@example.org, and click
This search result is returned:
Type bits/keyID Date User ID ----------------------------------------------------------------------------------------------- pub 4096R/3A79BD29 2021-12-14 MySQL Release Engineering <email@example.com> pub 1024D/5072E1F5 2003-02-03 MySQL Release Engineering <firstname.lastname@example.org> MySQL Package signing key (www.mysql.com) <email@example.com>
Click on the
keyIDlink, copy the key, and save it to a file named
mysql_pubkey.asc, for example.
3A79BD29is for MySQL 8.0.28 releases and higher.
5072E1F5is for earlier MySQL releases.
Alternatively, you can copy and paste the key directly from the MySQL Reference Manual. See Signature Checking Using GnuPG.
To import the build key into your personal public GPG keyring, use the gpg --import command. For example, if you saved the key to a file named
mysql_pubkey.asc, the import command looks like this:
$> gpg --import mysql_pubkey.asc gpg: key 5072E1F5: public key "MySQL Release Engineering <firstname.lastname@example.org>" imported gpg: Total number processed: 1 gpg: imported: 1 gpg: no ultimately trusted keys found
After importing the public build key, place the public build key file that you created in the same directory as the
.ascsignature file that was included in the MySQL download package.
The signature file has the same name as the distribution file with an
.ascextension, as shown in the following table.
Table 3.1 MySQL Package and Signature Files for Source files
File Type File Name Distribution file
Run this command to verify the signature for the distribution file:
$> gpg --verify mysql-commercial-8.0.xx-linux-glibc2.12-x86_64.tar.xz.asc
If the downloaded package is valid, the verification returns a "Good signature" message similar to:
$> gpg --verify mysql-commercial-8.0.xx-linux-glibc2.12-x86_64.tar.xz.asc gpg: Signature made Tue 01 Feb 2011 02:38:30 AM CST using DSA key ID 5072E1F5 gpg: Good signature from "MySQL Release Engineering <email@example.com>"
Good signaturemessage indicates that the file signature is valid, but you might also see warnings:
$> gpg --verify mysql-commercial-8.0.xx-linux-glibc2.12-x86_64.tar.xz.asc gpg: Signature made Wed 23 Jan 2013 02:25:45 AM PST using DSA key ID 5072E1F5 gpg: checking the trustdb gpg: no ultimately trusted keys found gpg: Good signature from "MySQL Release Engineering <firstname.lastname@example.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: A4A9 4068 76FC BD3C 4567 70C8 8C71 8D3B 5072 E1F5
To encounter warnings is normal, as they depend on your setup and configuration. Here are explanations for the warnings:
gpg: no ultimately trusted keys found: This means that the specific key is not "ultimately trusted" by you or your web of trust, which is okay for the purposes of verifying file signatures.
WARNING: This key is not certified with a trusted signature! There is no indication that the signature belongs to the owner.: This refers to your level of trust in your belief that you possess our real public key. This is a personal decision. Ideally, a MySQL developer would hand you the key in person, but more commonly, you downloaded it. Was the download tampered with? Probably not, but this decision is up to you. Setting up a web of trust is one method for trusting them.
If the GPG signatures do not match, try to download the respective package one more time.
For additional information about GnuPG signature checking, see Signature Checking Using GnuPG.