Validate software

To help protect IT infrastructures, you can validate software packages that you download to ensure that they are free of tampering. You can also validate digital signatures that are applied to software packages.

Validate download integrity

Software validation involves the provision of a separate file that helps to confirm that the downloaded file matches the file on the download portal. Typically, a cryptographic hash function such as SHA-512 is used.
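The check described above, as an added example that is not part of the Perforce documentation: a shell function that compares a downloaded file with a published SHA-512 checksum file and refuses anything that is not a well-formed digest. The function names, the `pkg.tgz` sample, and the assumption that the checksum file uses the `sha512sum` line format (or holds a bare digest) are illustrative.

```shell
#!/bin/sh
# Added example (not Perforce code): verify a download against a published
# SHA-512 checksum file. Assumption: the checksum file contains lines of the
# form "<128 hex digits>  <filename>" (sha512sum format) or a bare digest.
# Limitation: file names containing spaces are not matched.

# Print the SHA-512 hex digest of a file.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# verify_download <file> <checksum-file>
# Returns 0 on match, 1 on mismatch, 2 if no usable digest is published.
verify_download() {
    file=$1 sums=$2
    [ -r "$file" ] && [ -r "$sums" ] || return 2
    name=$(basename "$file")
    # Take the entry for this file name, or a bare digest alone on a line.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }          # strip binary-mode marker "*name"
        NF == 1 || f == n { print tolower($1); exit }' "$sums")
    # A saved HTML error page or a truncated file must not pass as a digest.
    case $expected in
        *[!0-9a-f]*|"") return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || return 2
    actual=$(sha512_of "$file")
    [ "$actual" = "$expected" ]
}

# Constructed sample: a stand-in package and its published checksum file.
demo_dir=$(mktemp -d)
printf 'constructed package bytes\n' > "$demo_dir/pkg.tgz"
printf '%s  pkg.tgz\n' "$(sha512_of "$demo_dir/pkg.tgz")" > "$demo_dir/pkg.tgz.sha512"
verify_download "$demo_dir/pkg.tgz" "$demo_dir/pkg.tgz.sha512" && echo "pkg.tgz: OK"
# Simulate tampering after the checksum was published.
printf 'tampered\n' >> "$demo_dir/pkg.tgz"
verify_download "$demo_dir/pkg.tgz" "$demo_dir/pkg.tgz.sha512" || echo "pkg.tgz: MISMATCH"
rm -rf "$demo_dir"
```

A checksum file fetched from the same location as the package only detects corruption or a partial download; the signature checks in the next section are what tie a package to its publisher.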

P4 DAM

When installing packages on Linux, configure the Perforce repository with a signing key. Follow the instructions in Configure the Perforce repository.

TeamHub

You must add the Perforce packaging key to your keyring and configure the Perforce repository before installing TeamHub from the Perforce repository. Follow the instructions in Configure the Perforce repository.

P4 Search

When you download a package on an Ubuntu Linux or Red Hat Enterprise Linux operating system, you must import the Perforce package signing key. See Install P4 Search.

For Windows, the SHA-512 checksum can be found at Helix Search Downloads.

Also, synced files from P4 are verified by using the Remote Procedure Call (RPC) protocol with an MD5 hash stored in P4.

Validate digital signatures

Digitally signing software involves the use of cryptographic keys, where the private key is used to sign the software package, and the public key is used to validate the signature. The process helps to ensure that the software was not altered since it was signed and comes from a trusted source.

P4 DAM and TeamHub

Perforce digitally signs all APT and YUM packages before release. The following commands import the GNU Privacy Guard (GPG) key used by Perforce to sign its packages, helping to ensure that downloaded packages are verified and trusted.

  • YUM repositories

    sudo rpm --import https://package.perforce.com/perforce.pubkey

  • APT repositories

    wget -qO - https://package.perforce.com/perforce.pubkey | sudo apt-key add -

For more information, see Perforce packages.

TeamHub command-line interfaces are signed in the same way as the P4 DAM and TeamHub web interfaces.

P4 Search

P4 extensions are signed during the build and publish process. P4 Search RPM packages are signed at build, and Debian packages are hosted in a signed repository. See Perforce packages.