With the release of the 2.11.2 Linux sensor, digital-integrity verification of all tar-ball contents is enabled.
Perform the following steps to verify integrity after you unpack the TGZ and before you install the sensor.
Prerequisites
You need two tools that are usually pre-installed on Linux:
- GnuPG package (for /usr/bin/gpg tool)
- SHA256 checksum tool: /usr/bin/sha256sum
In addition, you must download the VMware Carbon Black public key,
public.asc
.
Procedure
- To create a public.asc.gpg file, download the VMware Carbon Black public key as public.asc and then dearmor it.
- To verify the included manifest.sha256 file with the public key, perform the following step. This step creates a trustdb.gpg file, which can be safely ignored.
Note: In the following example output, the "Good signature" line validates the manifest. The WARNING lines can be ignored. The Signature date is the TGZ signing date.
$ gpg --no-default-keyring --homedir . \
--keyring public.asc.gpg \
--verify manifest.sha256.asc manifest.sha256
Example output:
gpg: WARNING: unsafe permissions on homedir '/tmp/cb-psc-install'
gpg: Signature made Wed Jun 9 01:49:05 2021 IST
gpg: using RSA key 485BB0DF6AC57704
gpg: /tmp/cb-psc-install/trustdb.gpg: trustdb created
gpg: Good signature from "bit9build (bit9cs) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1853 62D1 D591 FDFA 0C64 7B58 485B B0DF 6AC5 7704
- Check the integrity of the unpacked files:
$ sha256sum -c manifest.sha256
blades/bladesUnpack.sh: OK
blades/cb-psc-lq-0.9.8200-8200-blade.tar.gz: OK
blades/cb-psc-th-0.9.8200-8200-blade.tar.gz: OK
cb-psc-sensor-2.11.2-545096.el6.x86_64.rpm: OK
cb-psc-sensor-2.11.2-545096.el7.x86_64.rpm: OK
cb-psc-sensor-2.11.2-545096.el8.x86_64.rpm: OK
install.sh: OK
- Check for unexpected files extracted from the TGZ. You should see the files listed in the verified manifest.sha256, public.asc, public.asc.gpg, trustdb.gpg, and the two manifest files. The existence of additional files in the directory indicate that the TGZ was tampered.