With the release of the 2.11.2 Linux sensor, digital integrity verification of all tarball contents is enabled.

Perform the following steps to verify integrity after you unpack the TGZ and before you install the sensor.

Prerequisites

You need two tools that are usually pre-installed on Linux:

  • GnuPG package (provides the /usr/bin/gpg tool)
  • SHA256 checksum tool: /usr/bin/sha256sum

Procedure

  1. Copy the text below to a file named public.asc.
    
    Note: Starting with the 2.16.0 Linux sensor release, the sensor uses a new SHA-256 public key:


    Linux sensors 2.16.0 and greater use only the SHA-256 public key, not the former SHA-1 key. Older sensor versions continue to use the SHA-1 key.

  2. Issue the following command to generate public.asc.gpg, which will be used to verify manifest files.
    gpg --dearmor public.asc
  3. To verify the included manifest.sha256 file against the public key, run the following command. This step creates a trustdb.gpg file, which can be safely ignored.
    Note: In the following example output, the "Good signature" line validates the manifest. The WARNING lines can be ignored. The Signature date is the TGZ signing date.
    $ gpg --no-default-keyring --homedir . \
    --keyring public.asc.gpg \
    --verify manifest.sha256.asc manifest.sha256
    
    Example output:
    gpg: WARNING: unsafe permissions on homedir '/tmp/cb-psc-install'
    gpg: Signature made Wed Jun  9 01:49:05 2021 IST
    gpg:                using RSA key 485BB0DF6AC57704
    gpg: /tmp/cb-psc-install/trustdb.gpg: trustdb created
    gpg: Good signature from "bit9build (bit9cs) <[email protected]>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 1853 62D1 D591 FDFA 0C64  7B58 485B B0DF 6AC5 7704
  4. Check the integrity of the unpacked files:
    $ sha256sum -c manifest.sha256
    
    Example output:
    blades/bladesUnpack.sh: OK
    blades/cb-psc-lq-0.9.8200-8200-blade.tar.gz: OK
    blades/cb-psc-th-0.9.8200-8200-blade.tar.gz: OK
    cb-psc-sensor-2.11.2-545096.el6.x86_64.rpm: OK
    cb-psc-sensor-2.11.2-545096.el7.x86_64.rpm: OK
    cb-psc-sensor-2.11.2-545096.el8.x86_64.rpm: OK
    install.sh: OK
  5. Check for unexpected files extracted from the TGZ. You should see only the files listed in the verified manifest.sha256, plus public.asc, public.asc.gpg, trustdb.gpg, and the two manifest files. The presence of any additional file in the directory indicates that the TGZ was tampered with.
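The following script is an added example, not the vendor's own tooling: it runs steps 2 to 5 above against a directory into which the TGZ has already been unpacked. It assumes gpg and sha256sum are on PATH, that manifest.sha256 is in standard sha256sum format, and that the only files allowed beyond the manifest entries are the ones step 5 names (the EXPECTED_EXTRAS list).

```shell
#!/bin/sh
# Added example, not part of the vendor's procedure: automates steps 2-5 above
# for a directory into which the sensor TGZ has already been unpacked.
set -eu

# Files the procedure itself leaves beside the manifest entries (taken from step 5).
EXPECTED_EXTRAS="manifest.sha256 manifest.sha256.asc public.asc public.asc.gpg trustdb.gpg"

# Steps 2 and 3: dearmor public.asc and verify the detached signature on the
# manifest. gpg prints the "Good signature" line; a bad signature returns non-zero.
verify_manifest_signature() {
    ( cd "$1" && gpg --dearmor public.asc &&
      gpg --no-default-keyring --homedir . --keyring public.asc.gpg \
          --verify manifest.sha256.asc manifest.sha256 )
}

# Step 4: recompute every hash in the manifest; --strict also fails on malformed lines.
verify_checksums() {
    ( cd "$1" && sha256sum -c --strict manifest.sha256 )
}

# Step 5: list files present in the directory (hidden ones included) that are
# neither in the manifest nor created by the procedure. Returns 1 if any exist.
find_unexpected_files() {
    dir=$1
    listed=$(mktemp) && actual=$(mktemp)
    # Manifest lines are "<64 hex chars><2 separator chars><path>": keep only the
    # path, so paths containing spaces survive.
    { cut -c67- "$dir/manifest.sha256"
      for f in $EXPECTED_EXTRAS; do echo "$f"; done; } | LC_ALL=C sort -u > "$listed"
    ( cd "$dir" && find . -type f | sed 's|^\./||' ) | LC_ALL=C sort -u > "$actual"
    unexpected=$(LC_ALL=C comm -13 "$listed" "$actual")
    rm -f "$listed" "$actual"
    if [ -n "$unexpected" ]; then
        printf 'unexpected file(s) in %s:\n%s\n' "$dir" "$unexpected" >&2
        return 1
    fi
}

verify_sensor_dir() {
    verify_manifest_signature "$1" && verify_checksums "$1" && find_unexpected_files "$1" &&
        echo "OK: contents of $1 match the signed manifest"
}

# Run the full check only when a directory is given, e.g.
#   sh verify-sensor.sh /tmp/cb-psc-install
if [ $# -ge 1 ]; then verify_sensor_dir "$1"; fi
```

Any file that is neither in the manifest nor in EXPECTED_EXTRAS makes the script exit non-zero, which is the condition step 5 describes as tampering.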