Venafi digitally signs its installation files (e.g. Microsoft MSI and Linux RPM) so that tampering can be detected. A digitally signed install file gives customers a reliable way to verify that the software they are about to install came from Venafi and has not been modified by another party.
Digital signatures are based on public-key cryptography (an X.509 code-signing certificate for MSI files, an OpenPGP/GPG key pair for RPMs) and establish the following security properties:
- Authenticity
- Integrity
- Non-repudiation
IMPORTANT! Always check the signature of a Venafi installation file before running the installer. A package whose signature cannot be verified should not be installed.
Show that the RPM carries a signature (after extracting it from the tarball); look at the 'Signature:' field in the output:
rpm -qip venafi-agent-17.4.0-linux-i386.rpm
Import the Venafi RPM signing public key into the RPM key database. The public key is downloaded from the Venafi KB site; before importing it, compare its key ID (5158b563, the value shown in the 'Signature:' field above) with the key ID published there:
rpm --import RPM-GPG-KEY-venafi
(substitute the file name under which the key is published in the KB)
Verify the RPM from the Venafi FTP site tarball (after the public key has been imported into the RPM key DB):
tar zxvf venafi-agent-17.4.0-linux-x86_64.rpm.tar.gz
rpm --checksig venafi-agent-17.4.0-linux-i386.rpm
venafi-agent-17.4.0-linux-i386.rpm: rsa sha1 (md5) pgp md5 OK
Verify the RPM verbosely (after the public key has been imported into the RPM key DB). Each signature line must end in OK and name the Venafi key ID:
rpm -Kv venafi-agent-17.4.0-linux-i386.rpm
venafi-agent-17.4.0-linux-i386.rpm:
Header V4 RSA/SHA1 Signature, key ID 5158b563: OK
Header SHA1 digest: OK (884fa6e54ccf1540ffa77b4c48069e185b909b0c)
V4 RSA/SHA1 Signature, key ID 5158b563: OK
MD5 digest: OK (be6fa2786255d9df83b1b93e0d2c7c57)
Background information (for reference):
List all GPG public keys held in the RPM database:
rpm -qa gpg-pubkey*
gpg-pubkey-5158b563-5a0ba0b9
gpg-pubkey-f4a80eb5-53a7ff4b
gpg-pubkey-352c64e5-52ae6884
Query key info (the most recently imported key is at the top of the list):
rpm -qi gpg-pubkey-5158b563-5a0ba0b9
Name : gpg-pubkey
Version : 5158b563
Release : 5a0ba0b9
Architecture: (none)
Install Date: Wed Nov 15 05:53:53 2017
Group : Public Keys
Size : 0
License : pubkey
Signature : (none)
Source RPM : (none)
Build Date : Tue Nov 14 19:04:41 2017
Build Host : localhost
Relocations : (not relocatable)
Packager : Venafi Inc. (RPM Signing) <silvana.ilieva@venafi.com>
Summary : gpg(Venafi Inc. (RPM Signing) <silvana.ilieva@venafi.com>)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
…..
Query the RPM package and note the 'Signature:' value (RSA/SHA1 with the Venafi key ID):
rpm -qip venafi-agent-17.4.0-linux-i386.rpm
Name : vagent
Version : 17.4
Release : 0
Architecture: i386
Install Date: (not installed)
Group : System Environment/Base
Size : 5488802
License : Venafi, Inc
Signature : RSA/SHA1, Tue Nov 14 19:11:57 2017, Key ID 2f6179f05158b563
Source RPM : vagent-17.4-0.src.rpm
Build Date : Sun Nov 12 22:06:38 2017
Build Host : SecureSlave08
Relocations : (not relocatable)
Packager : Patrick Campbell <patrick.campbell@venafi.com>
Vendor : Venafi, Inc
URL : http://venafi.com/
Summary : Venafi Encryption Director Agent
Description :
The Director Agent is a client/server service that allows you to discover
encryption assets on any supported system in your network. Currently, the
Director Agent discovers Certificate and SSH assest. Discovered SSH assets
can be managed from the VED platform.
Verify the RPM without the key installed. First remove the key:
rpm -e --allmatches gpg-pubkey-5158b563-5a0ba0b9
The signature check now fails with MISSING KEYS (rpm -K also exits non-zero):
rpm -K venafi-agent-17.4.0-linux-i386.rpm
venafi-agent-17.4.0-linux-i386.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#5158b563)
--nosignature skips the signature check entirely, so the remaining OK only means the digests match the package's own header; it says nothing about who built the package:
rpm -K --nosignature venafi-agent-17.4.0-linux-i386.rpm
venafi-agent-17.4.0-linux-i386.rpm: sha1 md5 OK
Query an RPM that was not signed and note that the 'Signature:' value is '(none)'. rpm -K on such a package reports only the digests (sha1 md5 OK) and never mentions pgp, so an OK by itself is not proof of origin:
rpm -qip venafi-agent-18.1.0-linux-x86_64.rpm
Name : vagent
Version : 18.1
Release : 0
Architecture: x86_64
Install Date: (not installed)
Group : System Environment/Base
Size : 10865271
License : Venafi, Inc
Signature : (none)
Source RPM : vagent-18.1-0.src.rpm
Build Date : Mon Nov 13 05:55:23 2017
Build Host : localhost
Relocations : (not relocatable)
Packager : Patrick Campbell <patrick.campbell@venafi.com>
Vendor : Venafi, Inc
URL : http://venafi.com/
Summary : Venafi Encryption Director Agent
Description :
The Director Agent is a client/server service that allows you to discover
encryption assets on any supported system in your network. Currently, the
Director Agent discovers Certificate and SSH assest. Discovered SSH assets
can be managed from the VED platform.
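The checks above (key ID comparison before import, rpm -Kv after import, and rejecting packages that are only "digest OK" or signed by an unexpected key) can be turned into a single install gate. The script below is an added example written for this page, not Venafi's own tooling; it assumes the key file name RPM-GPG-KEY-venafi and the key IDs 5158b563 / 2f6179f05158b563 as they appear in the rpm output reproduced above, and it requires gpg (GnuPG 2.1 or later for --import-options show-only) and rpm on the host.

```sh
#!/bin/sh
# Added example (editor's script, not Venafi tooling): only install a Venafi RPM when
# `rpm -Kv` reports a verified signature by the expected vendor key. Key file name and
# key IDs below are assumptions taken from the output shown on this page.
set -eu

EXPECTED_KEYID="5158b563"               # short key ID as printed by `rpm -Kv`
EXPECTED_LONG_KEYID="2f6179f05158b563"  # long key ID as printed in the Signature: field

# verdict_from_checksig: read `rpm -Kv <pkg>` output on stdin and print one word.
#   ok          every check passed and a signature by EXPECTED_KEYID verified
#   bad         a digest or signature check reported NOT OK / BAD / NOTRUSTED
#   missing-key the package is signed, but the key is not in the RPM database (NOKEY)
#   wrong-key   signed and verifiable, but by a key other than the expected one
#   unsigned    only digest lines were seen (what --nosignature or an unsigned RPM yields)
# Exit status is 0 only for "ok", so the function can be used directly as a gate.
verdict_from_checksig() {
  signed_ok=0 signed_other=0 bad=0 nokey=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *"Signature, key ID ${EXPECTED_KEYID}: OK"*) signed_ok=1 ;;
      *"Signature, key ID "*": OK"*)               signed_other=1 ;;
      *": NOKEY"*|*"MISSING KEYS"*)                nokey=1 ;;
      *"NOT OK"*|*": BAD"*|*": NOTRUSTED"*)        bad=1 ;;
    esac
  done
  if [ "$bad" -eq 1 ];          then echo bad;         return 1; fi
  if [ "$nokey" -eq 1 ];        then echo missing-key; return 2; fi
  if [ "$signed_ok" -eq 1 ];    then echo ok;          return 0; fi
  if [ "$signed_other" -eq 1 ]; then echo wrong-key;   return 3; fi
  echo unsigned; return 4
}

# keyid_from_colons: read `gpg --with-colons` output for a key file on stdin and print
# the long key ID (field 5 of the first "pub" record) in lowercase.
keyid_from_colons() {
  awk -F: '$1 == "pub" { print $5; exit }' | tr 'A-Z' 'a-z'
}

# import_key_if_expected <keyfile>: import the vendor key into the RPM database only if
# its long key ID matches the published one. If gpg is missing, the ID is empty and the
# import is refused rather than trusted blindly.
import_key_if_expected() {
  keyfile=$1
  got=$(gpg --with-colons --import-options show-only --import "$keyfile" 2>/dev/null | keyid_from_colons)
  if [ "$got" != "$EXPECTED_LONG_KEYID" ]; then
    echo "refusing to import $keyfile: key ID '$got' is not $EXPECTED_LONG_KEYID" >&2
    return 1
  fi
  rpm --import "$keyfile"
}

# verify_rpm_file <package.rpm>: run the real signature check and print the verdict.
verify_rpm_file() {
  pkg=$1
  command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 5; }
  [ -f "$pkg" ] || { echo "no such file: $pkg" >&2; return 5; }
  rpm -Kv "$pkg" | verdict_from_checksig
}

# Usage: sh verify-venafi-rpm.sh <package.rpm> [RPM-GPG-KEY-venafi]
if [ -n "${1:-}" ]; then
  if [ -n "${2:-}" ]; then import_key_if_expected "$2"; fi
  verify_rpm_file "$1"
fi
```

Because the verdict is derived from the per-line "Signature, key ID ...: OK" entries of the verbose output rather than from the one-line summary, the same parsing works whether rpm prints the older "rsa sha1 (md5) pgp md5 OK" summary or the newer "digests signatures OK" form, and a package that passes only its digest checks is reported as unsigned instead of OK.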