The Linux 7.1+ sensor includes the ability to verify the sensor install files before the sensor installation.
Manifest files are added as part of CarbonBlackClientSetup-linux-<version>.tgz and CarbonBlackSensorUpgrader-linux-<version>.tar.gz. These packages come with manifest.sha256 and manifest.sha256.asc.
Procedure
- Copy the following text to a file named public.asc:
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.14 (GNU/Linux) mQENBFMsJ4kBCACp93MIPVj1NVY7HEZm+gFtRU7lihQr+7lYIXCL59nXSaoniI/T eihTlGTjWoJ7fTqzstA2Syt+Mmq7VecOVoR0mJgBjw1CFXlzApZI1tTnq9Iio6Xs 2fxP08n1kKXQFlG7x62Y7EjJaFAF1fcMVrHPc43CTM455tRW9V5ODETGyt9DByf3 R2w11NZgGUzonElwIKib2zUJ+XSIvIU5Go60t+BDfmJMdTtAxoyZ79b+sTl//lcq Be0WhSX48Fn6CfFzeH84/lCPcf/i1MB5qE9Vjk6iR2Z9M4xB1YKGUZT/Z1L9yurt bs3tpp5kSajgYrkCYaYkHY/so+E01zbQa99vABEBAAG0JWJpdDlidWlsZCAoYml0 OWNzKSA8c3VwcG9ydEBiaXQ5LmNvbT6JATgEEwECACIFAlMsJ4kCGwMGCwkIBwMC BhUIAgkKCwQWAgMBAh4BAheAAAoJEEhbsN9qxXcER9IH/i8dg4q4cK1lLLFr8vEi 30Il/kokNCacNdBH0gPVlCiGaVRcmgC1pAZuO8HjyEhFplrWU7rRPFhdLgupN95I rFY5CJ9r+FO99SJTkhJY7vM/4rSOVTat+ZAJgJ/lk3Q148jUK+vOhKa/9I2lys5N g7OR0EST7fLBNigKIXgy44Zb5GjzJBAQ1vbGNuErduldrR4lIueFjk6QdbVp8SN1 kD/SgqH1rmBiCeX2YMFcudDT6YQ7DnKfzC+GtKp+Lbs2ZyYH96bIeSNKA008x95f y0dWEsxYvrsoAvl9zIml5mg2mnLHNXiDV54ABvtPk27TKeZBxlQPWBu3TZCmNkdn umy5AQ0EUywniQEIALtfcwslAk9pyfgj0GqznkalLrln8KsznYAtUCQUl8odtHLP QW4puA713glzLLk+IU69SFUHYdUIl0I2VP3M9gRWuQQ7NNXaniPXF0xTCrLPPYH7 Y4d7VlK7q/Fu+qP+pobT9RV9Z0hINmm5mYeeNneCqWzFdmdOYqMp592gdqsKA9E6 M70jSZzYbL9ZVCENiCM11q+CqciddZkAN0MrOP78w7sMXpQiJ6oRTBDy43GcHf1Z BwClePknHQ1tXrCxY4nS/+nbhNgx5U0CtZMk034Cj75+Auyen2sbsgFj889Gjxoj SzZ2elWzKbjiC9sZJjI++ENDsH79Vi84u98tplMAEQEAAYkBHwQYAQIACQUCUywn iQIbDAAKCRBIW7DfasV3BBYBCACMw7aKV2vsVVVQ8GSfe6gjnR5iYc+aoFpoMSRf 5keGk0Tw1s7Qx1H4CEJTBJRuSol+KHKkR+S2rqc3FfU97WnODx3xPIZlguL2+MUi LENm8W37QIr3G3vC7Lxens+67Fr367P0clC7irJxo6I8s5R//eiUaU5y3CzrTYOz eyS3ZaG3Bmax7EinfR0kcdGE0PuKEJ+qUPoOQPEDgqnwCrPtxou7ihzGPbWg75en B6HS7k++N1yRGXQwRKlP2XHZjCUpkcFHZJQJwDpnphTqq+2DqJ89+wBf2cvKCfgO v7EXr1qie7DcHDHpc1M7ZcSCqTCjbrQTb6KetUJK+WM/Uotx =0gTd -----END PGP PUBLIC KEY BLOCK-----
Note:Starting with the 7.3.2 Linux sensor release, the sensor uses a new SHA-256 public key:
-----BEGIN PGP PUBLIC KEY BLOCK----- mQENBGM2sKsBCACla33AUuizphrW5FpPpJR7Wrb9rL+Yd8srYxAJw43vyE77jkHB Umk/lOo17+LhLd8K0cnqlNXuIODNJ2YGQgIEJlfjVLpSL6Yva4GZlh/Y9PvPJGt9 YatvBkNXmNcqCteRP1JpADyFPAExvUKqBealEIbeS59GzcsOyhD4ohRZeUCH6Uuw +FWv91x/9AGPufu4mFnRw9WYy9tlxOfbPd/pd0uCzVQL1ygsJyUC8yOYLYZzLgmB YPH9djasoMNc+qnaP801DT7gjwj9KDPP/VLpDJkSJppfSc9JwnXyGbcF7ccRCmkh IdZsP/CvyfA5zBOsXDRTtC7dR88ECRdOUxQXABEBAAG0LWJ1aWxkIChjYXJib25i bGFjaykgPGNvbnRhY3RAY2FyYm9uYmxhY2suY29tPokBUgQTAQgAPBYhBDVnau5F L5GmDS9KQ+eJLs39xQnGBQJjNrCrAhsDBQsJCAcCAyICAQYVCgkICwIEFgIDAQIe BwIXgAAKCRDniS7N/cUJxg2RB/9i1tuVyuDk1DuHF4lpywjwYEPYEVssFa3yjR9s 9g2P4hkBXyllifvxzp+X4JdYOa0xQhyblP0kj8QEw90ZAGcx9J+dAUF1iCtTr1DT VghKIQh+vjYrkprxC9TmHluTGezeaLKhV/c99U+FypKMBc4t5i5QFBnFAC9RMiI4 DW0QCv4lSpZnJR1uaE1IbnuyijuDHuANXSg87FnqKxNG6s765N6FrJc44GjZG0Qu tiaW1KmuvojjUJaxO6kr5SmlOyGJKItqqdLa8CDGKPwTV4pYbH902hgS9F4lBgB6 1YuarV6D79tpqV/TejUhdwaD/apMW7UrnPK4IBtW9mKGBzOK =9B9E -----END PGP PUBLIC KEY BLOCK-----
Linux sensors 7.3.2 and greater use only the SHA-256 public key, not the former SHA-1 key. Older sensor versions continue to use the SHA-1 key.
- Issue the following command to generate public.asc.gpg, which will be used to verify manifest files.
gpg --dearmor public.asc
- To verify the included manifest.sha256 file with the public key, perform the following step. This step creates a trustdb.gpg file, which can be safely ignored.
Note: In the following example output, the "Good signature" line validates the manifest. The WARNING lines can be ignored. The Signature date is the TGZ signing date.
$ gpg --no-default-keyring --homedir . \ --keyring public.asc.gpg \ --verify manifest.sha256.asc manifest.sha256
Example output: gpg: WARNING: unsafe permissions on homedir '/tmp/cb-psc-install' gpg: Signature made Wed Jun 9 01:49:05 2021 IST gpg: using RSA key 485BB0DF6AC57704 gpg: /tmp/cb-psc-install/trustdb.gpg: trustdb created gpg: Good signature from "bit9build (bit9cs) <[email protected]>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 1853 62D1 D591 FDFA 0C64 7B58 485B B0DF 6AC5 7704
- Check the integrity of the unpacked files:
$ sha256sum -c manifest.sha256
blades/bladesUnpack.sh: OK blades/cb-psc-lq-0.9.8200-8200-blade.tar.gz: OK blades/cb-psc-th-0.9.8200-8200-blade.tar.gz: OK cb-psc-sensor-2.11.2-545096.el6.x86_64.rpm: OK cb-psc-sensor-2.11.2-545096.el7.x86_64.rpm: OK cb-psc-sensor-2.11.2-545096.el8.x86_64.rpm: OK install.sh: OK
- Check for unexpected files extracted from the TGZ. You should see the files listed in the verified manifest.sha256, public.asc, public.asc.gpg, trustdb.gpg, and the two manifest files. The existence of additional files in the directory indicate that the TGZ was tampered.