
Verifying the signature of the Server Agent Linux RPM

Venafi digitally signs its installation files (e.g. the Microsoft MSI and Linux RPM packages) so that tampering can be detected. A signed installer gives customers a secure way to verify that the software they install came from Venafi and has not been modified by another party.

Digital signatures are based on public-key cryptography (for the RPM, a PGP key pair whose public key Venafi publishes) and help establish the following security properties:

  • Authenticity
  • Integrity
  • Non-repudiation

IMPORTANT! Always check the signature of the installation files before running the installer for any software from Venafi. A package whose signature does not verify, or that carries no signature at all, must not be installed.

Show that the RPM carries a signature (after extracting it from the tarball); look for the ‘Signature:’ line in the output:

rpm -qip venafi-agent-17.4.0-linux-i386.rpm

Import the Venafi RPM signing public key into the rpm key database. The public key is downloaded from the Venafi KB site; substitute the file name of the key as downloaded:

rpm --import RPM-GPG-KEY-venafi

Because rpm will from now on accept any package signed with this key, obtain the key only from the Venafi KB site, not from the location the package itself was downloaded from.

Verify the RPM from the Venafi FTP site tarball (after the public key has been imported into the RPM key DB):

tar zxvf venafi-agent-17.4.0-linux-x86_64.rpm.tar.gz

rpm --checksig venafi-agent-17.4.0-linux-i386.rpm

venafi-agent-17.4.0-linux-i386.rpm: rsa sha1 (md5) pgp md5 OK

Verify the RPM verbosely (after the public key has been imported into the RPM key DB); every signature and digest line should read OK, and the key ID should be that of the imported Venafi key:

rpm -Kv venafi-agent-17.4.0-linux-i386.rpm

venafi-agent-17.4.0-linux-i386.rpm:

    Header V4 RSA/SHA1 Signature, key ID 5158b563: OK

    Header SHA1 digest: OK (884fa6e54ccf1540ffa77b4c48069e185b909b0c)

    V4 RSA/SHA1 Signature, key ID 5158b563: OK

    MD5 digest: OK (be6fa2786255d9df83b1b93e0d2c7c57)

Background information (for reference)

List all rpm related keys

rpm -qa gpg-pubkey*

gpg-pubkey-5158b563-5a0ba0b9

gpg-pubkey-f4a80eb5-53a7ff4b

gpg-pubkey-352c64e5-52ae6884

Query key info (the most recently imported key is at the top of the list)

rpm -qi gpg-pubkey-5158b563-5a0ba0b9

Name        : gpg-pubkey

Version     : 5158b563

Release     : 5a0ba0b9

Architecture: (none)

Install Date: Wed Nov 15 05:53:53 2017

Group       : Public Keys

Size        : 0

License     : pubkey

Signature   : (none)

Source RPM  : (none)

Build Date  : Tue Nov 14 19:04:41 2017

Build Host  : localhost

Relocations : (not relocatable)

Packager    : Venafi Inc. (RPM Signing) <silvana.ilieva@venafi.com>

Summary     : gpg(Venafi Inc. (RPM Signing) <silvana.ilieva@venafi.com>)

Description :

-----BEGIN PGP PUBLIC KEY BLOCK-----

…..

Query the RPM package and note the ‘Signature:’ value. This shows the signing key ID recorded in the package header; it does not verify the signature, which is what rpm -K does.

rpm -qip venafi-agent-17.4.0-linux-i386.rpm

Name        : vagent

Version     : 17.4

Release     : 0

Architecture: i386

Install Date: (not installed)

Group       : System Environment/Base

Size        : 5488802

License     : Venafi, Inc

Signature   : RSA/SHA1, Tue Nov 14 19:11:57 2017, Key ID 2f6179f05158b563

Source RPM  : vagent-17.4-0.src.rpm

Build Date  : Sun Nov 12 22:06:38 2017

Build Host  : SecureSlave08

Relocations : (not relocatable)

Packager    : Patrick Campbell <patrick.campbell@venafi.com>

Vendor      : Venafi, Inc

URL         : http://venafi.com/

Summary     : Venafi Encryption Director Agent

Description :

The Director Agent is a client/server service that allows you to discover

encryption assets on any supported system in your network. Currently, the

Director Agent discovers Certificate and SSH assest. Discovered SSH assets

can be managed from the VED platform.

Verify the RPM without the key installed

Remove the key: rpm -e --allmatches gpg-pubkey-5158b563-5a0ba0b9

rpm -K venafi-agent-17.4.0-linux-i386.rpm

venafi-agent-17.4.0-linux-i386.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#5158b563)

rpm -K --nosignature venafi-agent-17.4.0-linux-i386.rpm

venafi-agent-17.4.0-linux-i386.rpm: sha1 md5 OK

Note that --nosignature skips the signature check entirely. The resulting "sha1 md5 OK" only means the digests embedded in the package match its contents, which anyone who modified and repackaged the file could regenerate; it says nothing about who built the package. Only the signature check with the Venafi key imported establishes origin.

Query an RPM that was not signed and note the ‘Signature:’ value of (none): there is nothing for rpm -K to verify, so the origin of such a package cannot be established.

rpm -qip venafi-agent-18.1.0-linux-x86_64.rpm

Name        : vagent

Version     : 18.1

Release     : 0

Architecture: x86_64

Install Date: (not installed)

Group       : System Environment/Base

Size        : 10865271

License     : Venafi, Inc

Signature   : (none)

Source RPM  : vagent-18.1-0.src.rpm

Build Date  : Mon Nov 13 05:55:23 2017

Build Host  : localhost

Relocations : (not relocatable)

Packager    : Patrick Campbell <patrick.campbell@venafi.com>

Vendor      : Venafi, Inc

URL         : http://venafi.com/

Summary     : Venafi Encryption Director Agent

Description :

The Director Agent is a client/server service that allows you to discover

encryption assets on any supported system in your network. Currently, the

Director Agent discovers Certificate and SSH assest. Discovered SSH assets

can be managed from the VED platform.
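The checks in the procedure above (import the key, run rpm -Kv, inspect the ‘Signature:’ line from rpm -qip) and the failure cases shown in the background section (NOT OK with MISSING KEYS before the key is imported, the digest-only OK from --nosignature, and a package whose ‘Signature:’ is (none)) can be reduced to one pass/fail decision. The following POSIX sh script is an added example written for this article, not Venafi's code: it parses rpm -Kv and rpm -qip output of the form reproduced on this page and additionally pins the expected signing key ID to 5158b563, the ID shown in the article's output. That pin is an assumption to confirm against the key actually published on the Venafi KB. The function verify_rpm_file needs rpm installed; the two parsing functions run on captured output and are exercised with the sample outputs from this page.

```shell
#!/bin/sh
# Added example (not from the Venafi KB article): turn rpm's signature-check
# output into a pass/fail verdict and pin the signing key ID.
# Assumption: 5158b563 is the short ID of Venafi's RPM signing key, taken from
# the output shown in the article; confirm it against the published key.
EXPECTED_KEY_ID="5158b563"

# rpm_sig_verdict "<rpm -Kv output>"  -> prints "pass" or "fail: <reason>";
# exit status is 0 only on pass.
rpm_sig_verdict() {
    out="$1"
    # NOT OK / MISSING KEYS: the signature did not verify against the keys in
    # the rpm database (MISSING KEYS is what you see before `rpm --import`).
    case "$out" in
        *"NOT OK"*|*"MISSING KEYS"*)
            echo "fail: signature did not verify (NOT OK or MISSING KEYS)"; return 1 ;;
    esac
    # Digest lines ("SHA1 digest: OK", "MD5 digest: OK") only show the file is
    # internally consistent, e.g. the --nosignature case. Demand an RSA
    # signature line that verified OK.
    case "$out" in
        *"RSA/"*" Signature, key ID "*": OK"*) ;;
        *) echo "fail: no RSA signature verified (digests only)"; return 1 ;;
    esac
    # An OK from some other key in the rpm keyring is not proof the package is
    # Venafi's: require the pinned key ID.
    case "$out" in
        *"key ID ${EXPECTED_KEY_ID}: OK"*) ;;
        *) echo "fail: signed by an unexpected key (want ${EXPECTED_KEY_ID})"; return 1 ;;
    esac
    echo "pass"
}

# rpm_header_key_id "<rpm -qip output>" -> prints the short (8 hex digit) key
# ID from the "Signature :" line, or "none" (exit 1) for an unsigned package.
rpm_header_key_id() {
    sig=$(printf '%s\n' "$1" | sed -n 's/^Signature *: *//p')
    case "$sig" in
        "(none)"|"") echo "none"; return 1 ;;
    esac
    # "... Key ID 2f6179f05158b563": rpm -K reports the last 8 hex digits.
    long=${sig##*"Key ID "}
    printf '%s\n' "$long" | sed 's/.*\(........\)$/\1/' | tr 'A-F' 'a-f'
}

# verify_rpm_file PATH -> runs both checks on a real package (requires rpm).
verify_rpm_file() {
    f="$1"
    kid=$(rpm_header_key_id "$(rpm -qip "$f" 2>/dev/null)") || {
        echo "fail: $f carries no signature"; return 1; }
    [ "$kid" = "$EXPECTED_KEY_ID" ] || {
        echo "fail: $f is signed by key $kid, want $EXPECTED_KEY_ID"; return 1; }
    rpm_sig_verdict "$(rpm -Kv "$f" 2>&1)"
}

# Usage: sh verify-rpm.sh venafi-agent-17.4.0-linux-i386.rpm
if [ $# -gt 0 ]; then
    verify_rpm_file "$1"
fi
```

The key pin is the part the plain rpm -K check does not give you: rpm reports OK for any key that has been imported into its database, so a host with other vendors' keys installed would also report OK for a package signed by one of those keys. Comparing the key ID reported in both the header and the verification output against the Venafi key closes that gap.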