With the release of the 2.11.2 Linux sensor, digital-integrity verification of all tar-ball contents is enabled.

Perform the following steps to verify integrity after you unpack the TGZ and before you install the sensor.

Prerequisites

You need two tools that are usually pre-installed on Linux:

  • GnuPG package (for /usr/bin/gpg tool)
  • SHA256 checksum tool: /usr/bin/sha256sum
In addition, you must download the Carbon Black public key, public.asc.

Procedure

  1. To create a public.asc.gpg file, download the Carbon Black public key as public.asc and then dearmor it.
    gpg --dearmor public.asc
  2. To verify the included manifest.sha256​ file with the public key, perform the following step. This step creates a trustdb.gpg file, which can be safely ignored.
    Note: In the following example output, the "Good signature" line validates the manifest. The WARNING lines can be ignored. The Signature date is the TGZ signing date.
    $ gpg --no-default-keyring --homedir . \
    --keyring public.asc.gpg \
    --verify manifest.sha256.asc manifest.sha256
    
    Example output:
    gpg: WARNING: unsafe permissions on homedir '/tmp/cb-psc-install'
    gpg: Signature made Wed Jun  9 01:49:05 2021 IST
    gpg:                using RSA key 485BB0DF6AC57704
    gpg: /tmp/cb-psc-install/trustdb.gpg: trustdb created
    gpg: Good signature from "bit9build (bit9cs) <[email protected]>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 1853 62D1 D591 FDFA 0C64  7B58 485B B0DF 6AC5 7704
  3. Check the integrity of the unpacked files: $ sha256sum -c manifest.sha256
    blades/bladesUnpack.sh: OK
    blades/cb-psc-lq-0.9.8200-8200-blade.tar.gz: OK
    blades/cb-psc-th-0.9.8200-8200-blade.tar.gz: OK 
    cb-psc-sensor-2.11.2-545096.el6.x86_64.rpm: OK
    cb-psc-sensor-2.11.2-545096.el7.x86_64.rpm: OK
    cb-psc-sensor-2.11.2-545096.el8.x86_64.rpm: OK
    install.sh: OK
  4. Check for unexpected files extracted from the TGZ. You should see the files listed in the verified manifest.sha256, public.asc, public.asc.gpg, trustdb.gpg, and the two manifest files. The existence of additional files in the directory indicate that the TGZ was tampered.