Manually verify packages

Puppet signs most of its packages, Ruby gems, and release tarballs with GNU Privacy Guard (GPG). This signature proves that the packages originate from Puppet and have not been compromised. Security-conscious users can use GPG to verify package signatures.

Certain operating systems and installation methods automatically verify package signatures. In these cases, you don’t need to do anything to verify the package signature.
  • If you install from the Puppet Yum and Apt repositories, the release package that enables the repository also installs our release signing key. The Yum and Apt tools automatically verify the integrity of packages as you install them.

  • If you install a Windows agent using an .msi package, the Windows installer automatically verifies the signature before installing the package.
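
For downloads that these automatic checks do not cover, such as a release tarball, a manual check can be scripted. The following is an added example, not Puppet's own tooling. It assumes a detached signature file next to the download and that the signing key is already imported into your keyring. The function name, file names and fingerprint are placeholders.

```shell
#!/bin/sh
# Added example (not from Puppet): verify a detached GPG signature and pin
# the signer to one expected key fingerprint.

# verify_signed_file FILE SIGNATURE EXPECTED_FINGERPRINT
# Returns 0 only if gpg reports a good signature AND the signing key (or its
# primary key) has the expected fingerprint. The function name is hypothetical.
verify_signed_file() {
    file=$1 sig=$2 want=$3
    # Normalise the fingerprint: drop spaces, upper-case the hex digits.
    want=$(printf '%s' "$want" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2
    # --status-fd 1 prints machine-readable status lines on stdout; the
    # human-readable text goes to stderr and is discarded here.
    status=$(gpg --batch --no-tty --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    # GOODSIG: valid signature from a key that is neither expired nor revoked.
    # VALIDSIG: field 3 is the signing key fingerprint, the last field is the
    # primary key fingerprint. VALIDSIG alone is also emitted for expired or
    # revoked keys, so both lines are required.
    printf '%s\n' "$status" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { pinned = 1 }
        END { exit !(good && pinned) }'
}

# Usage (placeholder names; take the fingerprint from a trusted source):
#   verify_signed_file release.tar.gz release.tar.gz.asc "<EXPECTED_FINGERPRINT>" \
#       && echo "signature OK" || echo "DO NOT INSTALL"
```

Pinning the fingerprint matters because a plain `gpg --verify` succeeds for a good signature from any key in the keyring, not only the publisher's key.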
