We want a full chain of trust for our Debian packages. Therefore the SUSE Open Build Service (OBS) signs them, and we publish the key alongside the repository.

However, one can do better and have the packages validated directly during apt-get install arangodb. Here’s how:

First we will install pgpdump, so we can inspect our key:

We download the key and inspect it:

The next step is to copy and paste the key into the "submit a key" form over at the keyserver. We then search for the key to learn its fingerprint. For the search we use a unique property from the dump above; home:fceller:version2 is a good choice. We put it into the string search field and tick the Show PGP Fingerprints checkbox:

Now users can add these keys to their installation using the fingerprint (without blanks) like this:

With that, the chain of trust for installing ArangoDB packages is closed: on apt-get install arangodb the package is going to be verified.
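
One way to check that the key published alongside the repository really has the fingerprint shown by the keyserver before trusting it, as an added example that is not from the original post. The function names, the sample listing and its fingerprints are constructed, and the file name Release.key in the comment is an assumption.

```shell
#!/bin/sh
# Added example. Typical use (file name is an assumption; --show-keys needs a recent GnuPG):
#   gpg --show-keys --with-colons Release.key | check_key_fpr "<fingerprint from the keyserver>"

# Constructed sample of `gpg --with-colons` output: one primary key plus one subkey.
SAMPLE_LISTING='pub:-:2048:1:89ABCDEF01234567:1300000000:::-:::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1300000000::::Example Repository Key <repo@example.invalid>:
sub:-:2048:1:0000111122223333:1300000000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:'

# Remove blanks and uppercase, so a fingerprint copied from a web page
# ("0123 4567 ...") compares equal to gpg's machine-readable form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read a colon listing on stdin and print the fingerprint of every primary
# key: field 10 of the "fpr" record that directly follows a "pub" record.
# Subkey fingerprints (the "fpr" after "sub") are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0 }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# check_key_fpr EXPECTED   (colon listing on stdin)
# returns 0: the input holds exactly one primary key and it matches EXPECTED
# returns 1: mismatch, no key, or more than one primary key in the input
# returns 2: EXPECTED is not a full 40-hex-digit fingerprint (a short key ID
#            is not accepted as a pin)
check_key_fpr() {
    expected=$(normalize_fpr "$1")
    actual=$(primary_fprs)
    case "$expected" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    # With two primary keys $actual contains a newline and cannot match.
    [ "$actual" = "$expected" ]
}
```

A non-zero return means the key file should not be added to apt's trusted keys until the difference is explained.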