Venafi digitally signs its installation files (e.g. Microsoft MSI and Linux RPM) to prevent tampering. Digitally signed install files provide a secure method for customers to verify that the software they install is from Venafi and that it has not been modified by another party.
Digital signatures are based on digital certificates and help to establish the following security measures:
IMPORTANT! Always check the signature of Venafi installation files before running the installer.
To verify installation files on supported platforms
- Right-click on a Venafi MSI file and click Properties.
- In the Properties dialog box, click the Digital Signatures tab.
- From the Signature list, locate and click Venafi, Inc., and then click Details.
- In the Digital Signature Details box, carefully review the signer information and certificate details to ensure that the certificate is authentic and belongs to Venafi, Inc.
You can verify the digital signature of an extracted RPM file using one or more of the following commands. They are listed in order from the simplest to the most thorough verification.
- To quickly check an RPM file that you extracted from a Venafi tarball, run the following command. This simply lets you know that the RPM file was signed; it does not provide the level of detail offered by the other commands listed below.
rpm -qip venafi-agent-17.4.0-linux-i386.rpm
- If you want to perform a more thorough verification of an RPM file from Venafi, then you must import the Venafi RPM signing public key into your RPM key database.
NOTE: Before running this command, you must first download the public key from the Venafi support site.
- To perform a general signature verification showing that an RPM came from a tarball downloaded from the Venafi FTP site, use the following command.
NOTE: You must run the previous command first (rpm --import) so that the public key is already imported into your RPM key database.
tar zxvf venafi-agent-17.4.0-linux-x86_64.rpm.tar.gz
rpm --import rpm-gpg-key-venafi.pub
rpm --checksig venafi-agent-17.4.0-linux-i386.rpm
venafi-agent-17.4.0-linux-i386.rpm: rsa sha1 (md5) pgp md5 OK
- To perform the most thorough verification, run the following command.
NOTE: As with the previous command, you must run the rpm --import command first so that the public key is already imported into your RPM key database.
rpm -Kv venafi-agent-17.4.0-linux-i386.rpm
Header V4 RSA/SHA1 Signature, key ID 5158b563: OK
Header SHA1 digest: OK (884fa6e54ccf1540ffa77b4c48069e185b909b0c)
V4 RSA/SHA1 Signature, key ID 5158b563: OK
MD5 digest: OK (be6fa2786255d9df83b1b93e0d2c7c57)
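For scripted installs, the rpm -Kv check above can be enforced rather than read by eye. The following is an added example, not Venafi's own tooling: it fails unless every line is OK and a signature from the expected key ID is present, so a package carrying only digests does not pass. The function names are hypothetical, and the expected key ID is taken from the sample output on this page.

```shell
#!/bin/sh
# Added example: strict check of `rpm -Kv` output (not Venafi's own tooling).
# Key ID below is the one in this page's sample output; confirm it against
# the public key you downloaded from the Venafi support site.
EXPECTED_KEYID="5158b563"

# check_kv_output KEYID: reads `rpm -Kv` output on stdin. Succeeds only if
# every signature/digest line is OK and at least one signature was made by
# KEYID. Digest-only output (unsigned package) is rejected.
check_kv_output() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    sig_seen=0
    while IFS= read -r line; do
        case "$line" in
            *Signature*|*digest*) ;;
            *) continue ;;                 # file name line, blank lines
        esac
        status=${line##*: }                # text after the last ": "
        status=${status%% *}               # first word: OK, NOKEY, BAD, ...
        [ "$status" = "OK" ] || { echo "FAIL: $line" >&2; return 1; }
        case "$line" in *Signature*)
            id=$(printf '%s\n' "$line" |
                 sed -n 's/.*key ID \([0-9A-Fa-f]*\).*/\1/p' | tr 'A-F' 'a-f')
            [ "$id" = "$want" ] || { echo "FAIL: wrong key: $line" >&2; return 1; }
            sig_seen=1 ;;
        esac
    done
    [ "$sig_seen" -eq 1 ] || { echo "FAIL: no signature line" >&2; return 1; }
}

# verify_rpm FILE [KEYID]: run rpm and apply the check (requires rpm).
verify_rpm() {
    LC_ALL=C rpm -Kv "$1" 2>&1 | check_kv_output "${2:-$EXPECTED_KEYID}"
}

# Sample input: the output shown on this page.
sample_signed() { cat <<'EOF'
    Header V4 RSA/SHA1 Signature, key ID 5158b563: OK
    Header SHA1 digest: OK (884fa6e54ccf1540ffa77b4c48069e185b909b0c)
    V4 RSA/SHA1 Signature, key ID 5158b563: OK
    MD5 digest: OK (be6fa2786255d9df83b1b93e0d2c7c57)
EOF
}
# Constructed sample: digests only, as for a package with no signature.
sample_unsigned() { cat <<'EOF'
    Header SHA1 digest: OK (constructed)
    MD5 digest: OK (constructed)
EOF
}

if [ "$#" -gt 0 ]; then verify_rpm "$@"; fi
```

Run it with the RPM path as the first argument; a non-zero exit status means the package should not be installed.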