Cloud Agent Package Integrity

It is a good practice to verify the Cloud Agent package integrity before installing it. This ensures that you have an authenticated installation package. Qualys provides you with a GNU Privacy Guard (GPG) signing key to verify the integrity of a Cloud Agent package.

Note: Verifying Cloud Agent package integrity is an optional step. If you skip the verification, the installation proceeds with a NOKEY warning.

We updated the GPG Signing Key for Linux Cloud Agent to SHA-256. This updated signing key offers the following benefits:

  • Eliminate Outdated Cryptography: Removing SHA-1 fully reinforces the security of the Qualys Cloud Agent.
  • Improve Package Integrity Verification: The SHA-256 algorithm offers a more robust defense against tampering.
  • Align with Modern Security Standards: SHA-256 complies with current cryptographic standards.

Impact of GPG Key

If you have implemented security policies blocking installation or upgrades for packages verified by outdated or unrecognized GPG keys, Cloud Agent installations and upgrades fail if the new SHA-256 key is not imported on the affected assets.

If the SHA-256 GPG key has not been imported on an asset, the following error message is displayed while installing or upgrading Cloud Agents:

qualys-cloud-agent.rpm is not installed
Error: GPG check FAILED

Verify Cloud Agent with New GPG Key

The following are the steps to update the GPG key to SHA-256 and remove any dependency on SHA-1:

  1. Download a new SHA-256 GPG key from SHA-256 GPG Key for Cloud Agent for Linux.
  2. Verify the integrity of the new key by comparing its SHA-256 checksum with the following value.
    da33d3370daa40665a597c801174efaa417c7d19919e82adece9bac09c7e4436
  3. Run the following command to import the new GPG Key on your assets. Use QID 45636 — Cloud Agent Linux RPM GPG Signing Key Detected to identify the assets that are using the old SHA-1 key.
    $ sudo rpm --import qualys_gpg_key.pem
  4. Run the following command to verify the integrity of the RPM-based Linux Cloud Agent.
    $ sudo rpm -K <cloud-agent-rpm-filename>
  5. If the old SHA-1 GPG key is still present on your assets, remove it using the following command to avoid potential conflicts.
    $ sudo rpm -e qualys_old_gpg_key
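The steps above as one script is shown below. This is an added example, not Qualys tooling: it checks the downloaded key file against the SHA-256 checksum published above before anything is imported, imports the key, relies on the exit status of `rpm -K` to accept or reject the agent package, and lists the installed `gpg-pubkey` packages so the old SHA-1 key can be identified for removal. The file names `qualys_gpg_key.pem` and `qualys-cloud-agent.rpm` are taken from this page; the assumption that the `gpg-pubkey` package summary contains the word "Qualys" is ours.

```shell
#!/bin/sh
# Added example (not Qualys' own code). Assumptions: key and RPM file names as on
# this page, sha256sum or shasum on PATH, rpm on PATH for the import/verify steps,
# and that installed Qualys key packages carry "Qualys" in their summary.

# SHA-256 checksum of the new signing key, copied from the documentation above.
QUALYS_KEY_SHA256="da33d3370daa40665a597c801174efaa417c7d19919e82adece9bac09c7e4436"

# sha256_of FILE: print the hex SHA-256 digest of FILE (portable across Linux/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE EXPECTED_SHA256
# Returns 0 when FILE exists and hashes to EXPECTED_SHA256 (case-insensitive), 1 otherwise.
verify_checksum() {
    vc_file="$1"
    vc_expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -f "$vc_file" ] || return 1
    vc_actual=$(sha256_of "$vc_file")
    [ "$vc_actual" = "$vc_expected" ]
}

# import_key KEYFILE: add the signing key to the rpm keyring (step 3; needs root).
import_key() {
    sudo rpm --import "$1"
}

# check_rpm_signature RPMFILE: rpm -K exits non-zero when digests or signatures fail (step 4).
check_rpm_signature() {
    rpm -K "$1"
}

# list_qualys_keys: show installed gpg-pubkey packages that mention Qualys.
# The printed gpg-pubkey-<keyid>-<date> name is what "rpm -e" expects in step 5.
list_qualys_keys() {
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | grep -i qualys
}

# main [KEYFILE] [RPMFILE]: refuse to import a key whose checksum does not match,
# then verify the agent package and report which Qualys keys are installed.
main() {
    keyfile="${1:-qualys_gpg_key.pem}"
    rpmfile="${2:-qualys-cloud-agent.rpm}"
    if verify_checksum "$keyfile" "$QUALYS_KEY_SHA256"; then
        echo "key checksum OK: $keyfile"
    else
        echo "key checksum MISMATCH or file missing: $keyfile; not importing" >&2
        return 1
    fi
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available on this host; skipping import and signature check"
        return 0
    fi
    import_key "$keyfile" || return 1
    if check_rpm_signature "$rpmfile"; then
        echo "signature check OK: $rpmfile"
    else
        echo "signature check FAILED: $rpmfile; do not install" >&2
        return 1
    fi
    echo "installed Qualys GPG keys (remove the old SHA-1 entry with: sudo rpm -e gpg-pubkey-<id>-<date>):"
    list_qualys_keys
}

# Run the full flow only when invoked with arguments, so the file can be sourced for its functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh verify_agent.sh qualys_gpg_key.pem qualys-cloud-agent.rpm`. The checksum comparison happens before `rpm --import`, so a corrupted or substituted key file is never added to the keyring, and a non-zero exit from `rpm -K` stops the flow before the package is installed.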