The Linux 7.1+ sensor includes the ability to verify the sensor install files before the sensor installation.

Manifest files are added as part of CarbonBlackClientSetup-linux-<version>.tgz and CarbonBlackSensorUpgrader-linux-<version>.tar.gz. These packages come with manifest.sha256 and manifest.sha256.asc.

Procedure

  1. Copy the following text to a file named public.asc:
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v2.0.14 (GNU/Linux)
    mQENBFMsJ4kBCACp93MIPVj1NVY7HEZm+gFtRU7lihQr+7lYIXCL59nXSaoniI/T
    eihTlGTjWoJ7fTqzstA2Syt+Mmq7VecOVoR0mJgBjw1CFXlzApZI1tTnq9Iio6Xs
    2fxP08n1kKXQFlG7x62Y7EjJaFAF1fcMVrHPc43CTM455tRW9V5ODETGyt9DByf3
    R2w11NZgGUzonElwIKib2zUJ+XSIvIU5Go60t+BDfmJMdTtAxoyZ79b+sTl//lcq
    Be0WhSX48Fn6CfFzeH84/lCPcf/i1MB5qE9Vjk6iR2Z9M4xB1YKGUZT/Z1L9yurt
    bs3tpp5kSajgYrkCYaYkHY/so+E01zbQa99vABEBAAG0JWJpdDlidWlsZCAoYml0
    OWNzKSA8c3VwcG9ydEBiaXQ5LmNvbT6JATgEEwECACIFAlMsJ4kCGwMGCwkIBwMC
    BhUIAgkKCwQWAgMBAh4BAheAAAoJEEhbsN9qxXcER9IH/i8dg4q4cK1lLLFr8vEi
    30Il/kokNCacNdBH0gPVlCiGaVRcmgC1pAZuO8HjyEhFplrWU7rRPFhdLgupN95I
    rFY5CJ9r+FO99SJTkhJY7vM/4rSOVTat+ZAJgJ/lk3Q148jUK+vOhKa/9I2lys5N
    g7OR0EST7fLBNigKIXgy44Zb5GjzJBAQ1vbGNuErduldrR4lIueFjk6QdbVp8SN1
    kD/SgqH1rmBiCeX2YMFcudDT6YQ7DnKfzC+GtKp+Lbs2ZyYH96bIeSNKA008x95f
    y0dWEsxYvrsoAvl9zIml5mg2mnLHNXiDV54ABvtPk27TKeZBxlQPWBu3TZCmNkdn
    umy5AQ0EUywniQEIALtfcwslAk9pyfgj0GqznkalLrln8KsznYAtUCQUl8odtHLP
    QW4puA713glzLLk+IU69SFUHYdUIl0I2VP3M9gRWuQQ7NNXaniPXF0xTCrLPPYH7
    Y4d7VlK7q/Fu+qP+pobT9RV9Z0hINmm5mYeeNneCqWzFdmdOYqMp592gdqsKA9E6
    M70jSZzYbL9ZVCENiCM11q+CqciddZkAN0MrOP78w7sMXpQiJ6oRTBDy43GcHf1Z
    BwClePknHQ1tXrCxY4nS/+nbhNgx5U0CtZMk034Cj75+Auyen2sbsgFj889Gjxoj
    SzZ2elWzKbjiC9sZJjI++ENDsH79Vi84u98tplMAEQEAAYkBHwQYAQIACQUCUywn
    iQIbDAAKCRBIW7DfasV3BBYBCACMw7aKV2vsVVVQ8GSfe6gjnR5iYc+aoFpoMSRf
    5keGk0Tw1s7Qx1H4CEJTBJRuSol+KHKkR+S2rqc3FfU97WnODx3xPIZlguL2+MUi
    LENm8W37QIr3G3vC7Lxens+67Fr367P0clC7irJxo6I8s5R//eiUaU5y3CzrTYOz
    eyS3ZaG3Bmax7EinfR0kcdGE0PuKEJ+qUPoOQPEDgqnwCrPtxou7ihzGPbWg75en
    B6HS7k++N1yRGXQwRKlP2XHZjCUpkcFHZJQJwDpnphTqq+2DqJ89+wBf2cvKCfgO
    v7EXr1qie7DcHDHpc1M7ZcSCqTCjbrQTb6KetUJK+WM/Uotx
    =0gTd
    -----END PGP PUBLIC KEY BLOCK-----
    Note:

    Starting with the 7.3.2 Linux sensor release, the sensor uses a new SHA-256 public key:

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    
    mQENBGM2sKsBCACla33AUuizphrW5FpPpJR7Wrb9rL+Yd8srYxAJw43vyE77jkHB
    Umk/lOo17+LhLd8K0cnqlNXuIODNJ2YGQgIEJlfjVLpSL6Yva4GZlh/Y9PvPJGt9
    YatvBkNXmNcqCteRP1JpADyFPAExvUKqBealEIbeS59GzcsOyhD4ohRZeUCH6Uuw
    +FWv91x/9AGPufu4mFnRw9WYy9tlxOfbPd/pd0uCzVQL1ygsJyUC8yOYLYZzLgmB
    YPH9djasoMNc+qnaP801DT7gjwj9KDPP/VLpDJkSJppfSc9JwnXyGbcF7ccRCmkh
    IdZsP/CvyfA5zBOsXDRTtC7dR88ECRdOUxQXABEBAAG0LWJ1aWxkIChjYXJib25i
    bGFjaykgPGNvbnRhY3RAY2FyYm9uYmxhY2suY29tPokBUgQTAQgAPBYhBDVnau5F
    L5GmDS9KQ+eJLs39xQnGBQJjNrCrAhsDBQsJCAcCAyICAQYVCgkICwIEFgIDAQIe
    BwIXgAAKCRDniS7N/cUJxg2RB/9i1tuVyuDk1DuHF4lpywjwYEPYEVssFa3yjR9s
    9g2P4hkBXyllifvxzp+X4JdYOa0xQhyblP0kj8QEw90ZAGcx9J+dAUF1iCtTr1DT
    VghKIQh+vjYrkprxC9TmHluTGezeaLKhV/c99U+FypKMBc4t5i5QFBnFAC9RMiI4
    DW0QCv4lSpZnJR1uaE1IbnuyijuDHuANXSg87FnqKxNG6s765N6FrJc44GjZG0Qu
    tiaW1KmuvojjUJaxO6kr5SmlOyGJKItqqdLa8CDGKPwTV4pYbH902hgS9F4lBgB6
    1YuarV6D79tpqV/TejUhdwaD/apMW7UrnPK4IBtW9mKGBzOK
    =9B9E
    -----END PGP PUBLIC KEY BLOCK-----

    Linux sensors 7.3.2 and greater use only the SHA-256 public key, not the former SHA-1 key. Older sensor versions continue to use the SHA-1 key.

  2. Issue the following command to generate public.asc.gpg, which will be used to verify manifest files.
    gpg --dearmor public.asc
  3. To verify the included manifest.sha256​ file with the public key, perform the following step. This step creates a trustdb.gpg file, which can be safely ignored.
    Note: In the following example output, the "Good signature" line validates the manifest. The WARNING lines can be ignored. The Signature date is the TGZ signing date.
    $ gpg --no-default-keyring --homedir . \
    --keyring public.asc.gpg \
    --verify manifest.sha256.asc manifest.sha256
    
    Example output:
    gpg: WARNING: unsafe permissions on homedir '/tmp/cb-psc-install'
    gpg: Signature made Wed Jun  9 01:49:05 2021 IST
    gpg:                using RSA key 485BB0DF6AC57704
    gpg: /tmp/cb-psc-install/trustdb.gpg: trustdb created
    gpg: Good signature from "bit9build (bit9cs) <[email protected]>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 1853 62D1 D591 FDFA 0C64  7B58 485B B0DF 6AC5 7704
  4. Check the integrity of the unpacked files: $ sha256sum -c manifest.sha256
    blades/bladesUnpack.sh: OK
    blades/cb-psc-lq-0.9.8200-8200-blade.tar.gz: OK
    blades/cb-psc-th-0.9.8200-8200-blade.tar.gz: OK 
    cb-psc-sensor-2.11.2-545096.el6.x86_64.rpm: OK
    cb-psc-sensor-2.11.2-545096.el7.x86_64.rpm: OK
    cb-psc-sensor-2.11.2-545096.el8.x86_64.rpm: OK
    install.sh: OK
  5. Check for unexpected files extracted from the TGZ. You should see the files listed in the verified manifest.sha256, public.asc, public.asc.gpg, trustdb.gpg, and the two manifest files. The existence of additional files in the directory indicate that the TGZ was tampered.