MariaDB Enterprise Supply Chain Security
This page is part of MariaDB's MariaDB Documentation.
Supply chain security should be taken into account during deployment: a MariaDB Enterprise installation is only as trustworthy as the files and packages it was built from. This page describes how to validate the integrity and authenticity of downloaded files and how to make each supported package manager enforce signature checks on the MariaDB repositories.
Validating Sums and Signatures
Use cryptographic hash sums and cryptographic signatures to validate the integrity and authenticity of a downloaded file. A hash sum shows that the file you hold is byte-for-byte the file that was published, but only if the published sum was obtained from a source other than the download itself; a signature additionally shows who published it, provided the signing key was itself obtained and verified out of band.
Validate SHA256 Sums
To check a known SHA256 cryptographic hash sum against the SHA256 of a file (the sum below is the one published for the copy of mariadb_es_repo_setup used in this example; substitute the sum published for the file you downloaded):
$ echo "8dfef0ec98eb03a4455df07b33107a6d4601425c9df0ab5749b8f10bf3abdcbb mariadb_es_repo_setup" \
    | sha256sum -c -
A match prints mariadb_es_repo_setup: OK and exits with status 0. Any other output, or a non-zero exit status, means the file does not match the published sum and must not be used.
Validate Signatures with YUM
To direct YUM (CentOS, RHEL, Rocky Linux) to validate cryptographic signatures, ensure this line DOES appear in /etc/yum.conf and in each .repo file in /etc/yum.repos.d/:
gpgcheck = 1
A gpgcheck value in a .repo file overrides the value in /etc/yum.conf for that repository, so a single .repo file containing gpgcheck = 0 disables checking for that repository even when the global setting is 1; check every file, not only the global one. On releases that use DNF (RHEL 8 and later, Rocky Linux), /etc/yum.conf is a symlink to /etc/dnf/dnf.conf and the same setting applies.
Validate Signatures with APT
To direct APT (Debian, Ubuntu) to validate cryptographic signatures, ensure that the option [trusted=yes] DOES NOT appear for any repository listed in the /etc/apt/sources.list configuration file or in the per-repository configuration files that APT reads alongside it.
A repository marked trusted is treated as authenticated without the signature on its Release file being verified, so APT will install packages from it even when that signature is missing or invalid.
After changing the repository configuration, update the package cache so that the new settings take effect.
Validate Signatures with ZYpp
To display the list of configured ZYpp repositories, including the status of GPG checks for each repository, list the repositories with zypper and read the GPG Check column.
To enable GPG checks for a repository, run zypper modifyrepo -g followed by the repository alias or name.
ZYpp can also be configured globally for package validation via the pkg_gpgcheck option in the ZYpp configuration file.
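The three package-manager checks above (YUM gpgcheck, APT [trusted=yes], ZYpp pkg_gpgcheck) are the kind of thing that drifts after an install, so an audit that flags the weak settings on a host is useful. The following POSIX shell script is an added example, not code from the MariaDB documentation. It takes a root prefix so that it can be run against a constructed tree as well as the live system; the standard locations of the APT sources.list.d directory and the ZYpp configuration file, and the repository names and hosts in the demonstration, are assumptions made for the example. It also covers APT's deb822 .sources format, where the same option is written as a Trusted: field, which the page does not mention.

```shell
#!/bin/sh
# Added example, not part of the MariaDB documentation: audit a host's
# package-manager configuration for the settings that turn signature
# verification off (YUM gpgcheck=0, APT [trusted=yes] / Trusted: yes,
# ZYpp pkg_gpgcheck off). ROOT is a path prefix so the same functions run on
# a constructed tree; "/" audits the live system. The sources.list.d
# directory and the zypp.conf path are the usual defaults, assumed here.

# find_weak LABEL PATTERN FILE...
# Print every uncommented line matching PATTERN (line:text); return 1 if any
# file matched, 0 otherwise. Missing files and unmatched globs are skipped.
find_weak() {
    label=$1; pattern=$2; shift 2; weak=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        if hits=$(grep -Ein "$pattern" "$f"); then
            echo "WEAK [$label] $f"
            printf '%s\n' "$hits" | sed 's/^/    /'
            weak=1
        fi
    done
    return $weak
}

# audit_tree ROOT: 0 = nothing found, 1 = at least one weak setting reported.
audit_tree() {
    root=${1%/}; found=0
    # YUM/DNF: gpgcheck in a .repo file overrides [main] in yum.conf, so every
    # file is checked, not just the global one.
    find_weak yum '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*0([[:space:]]|$)' \
        "$root/etc/yum.conf" "$root"/etc/yum.repos.d/*.repo || found=1
    # APT one-line format: trusted=yes may sit among other options in [...].
    find_weak apt '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes' \
        "$root/etc/apt/sources.list" "$root"/etc/apt/sources.list.d/*.list || found=1
    # APT deb822 (.sources) format spells the same option as a Trusted: field.
    find_weak apt '^[[:space:]]*Trusted:[[:space:]]*yes' \
        "$root"/etc/apt/sources.list.d/*.sources || found=1
    # ZYpp: gpgcheck or pkg_gpgcheck given any spelling libzypp reads as false.
    find_weak zypp '^[[:space:]]*(pkg_)?gpgcheck[[:space:]]*=[[:space:]]*(off|no|0|false)' \
        "$root/etc/zypp/zypp.conf" || found=1
    return $found
}

# Constructed demonstration tree: each file pairs a weak setting with the
# corrected one (or a commented-out copy) so the report flags only the live
# weak lines. Repository names and hosts are placeholders.
demo_audit() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/yum.repos.d" "$d/etc/apt/sources.list.d" "$d/etc/zypp"
    printf '[main]\ngpgcheck=1\n' > "$d/etc/yum.conf"
    printf '[example-repo]\nname=Example\n# gpgcheck=0\ngpgcheck = 0\n' > "$d/etc/yum.repos.d/example.repo"
    printf 'deb [arch=amd64 trusted=yes] https://repo.example.invalid/apt stable main\n' > "$d/etc/apt/sources.list"
    printf 'Types: deb\nURIs: https://repo.example.invalid/apt\nSuites: stable\nComponents: main\nTrusted: yes\n' \
        > "$d/etc/apt/sources.list.d/example.sources"
    printf '[main]\ngpgcheck = on\npkg_gpgcheck = off\n' > "$d/etc/zypp/zypp.conf"
    if audit_tree "$d"; then
        echo "no weak settings under $d"
    else
        echo "weak settings found under $d; fix them and re-run"
    fi
    rm -rf "$d"
}

demo_audit
```

To audit a live host, call audit_tree / (as root if the repository files are not world-readable) and treat a non-zero exit status as a failed control. The patterns are anchored at the start of the line so that commented-out copies of a weak setting are not reported, and case-insensitive matching covers the deb822 field names.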