Cloud Agent Package Integrity
It is good practice to verify the Cloud Agent package integrity before installing it. This ensures that you have an authenticated installation package. Qualys provides you with a GNU Privacy Guard (GPG) signing key to verify the integrity of a Cloud Agent package.
If you do not import the GPG signing key for RPM-based packages, the following warning message will be displayed.
Verifying Cloud Agent package integrity is an optional step. If you skip the verification, the installation proceeds with a NOKEY warning.
The following are the steps to verify Cloud Agent package integrity:
- Add the GPG signing key to the Cloud Agent installer package.
- Save the key as gpg.key and import it using the following commands.
gpg --import gpg.key
gpg --export -a 'Qualys' > RPM-GPG-KEY-CodeSign
rpm --import RPM-GPG-KEY-CodeSign
- Run the following command to check if the GPG signing key is successfully imported.
rpm -qa 'gpg-pubkey*'
- Run the following command to check the signature and other details of the GPG signing key.
rpm -qpi QualysCloudAgent.rpm
- Run the following command to verify that the Cloud Agent package has not been tampered with.
rpm -K QualysCloudAgent.rpm
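A bare `rpm -K` typically reports OK for a package that carries no signature at all, because only the digests are checked, so a deployment script should require a verified signature rather than trust the exit status. The wrapper below is an added example, not Qualys code; `classify_rpm_k` and `verify_pkg` are hypothetical names, and the status strings it matches are assumptions about typical `rpm -K` output.

```shell
#!/bin/sh
# Added example, not Qualys code: fail closed on the result of `rpm -K`.
# Status shapes handled (constructed samples; the exact wording is an
# assumption and differs between rpm versions):
#   "digests signatures OK"            signed, key imported
#   "digests OK" / "sha1 md5 OK"       no signature in the package
#   "... NOT OK (MISSING KEYS: ...)"   signed, key not imported (older rpm)
#   "digests SIGNATURES NOT OK"        bad signature or missing key (newer rpm)

# classify_rpm_k STATUS -> prints verified | unsigned | nokey | failed
# STATUS is the text rpm -K prints after "<file>:".
classify_rpm_k() {
    # Lower-case and pad with spaces so whole words can be matched.
    s=" $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') "
    case "$s" in
        *"not ok"*)
            case "$s" in
                *"missing keys"*) echo nokey ;;
                *) echo failed ;;
            esac ;;
        *" ok "*)
            # OK counts only if a signature was among the things checked.
            case "$s" in
                *" signatures "*|*" pgp "*|*" gpg "*|*" rsa "*|*" dsa "*)
                    echo verified ;;
                *) echo unsigned ;;
            esac ;;
        *) echo failed ;;   # empty or unrecognised output
    esac
}

# verify_pkg FILE: returns 0 only when a signature was verified.
verify_pkg() {
    pkg=$1
    out=$(rpm -K "$pkg") || true    # exit status alone is not enough
    status=${out#"$pkg":}           # drop the leading "<file>:"
    verdict=$(classify_rpm_k "$status")
    echo "$pkg: $verdict"
    [ "$verdict" = verified ]
}

# Runs only when a package path is given: ./verify.sh QualysCloudAgent.rpm
if [ "$#" -gt 0 ]; then
    verify_pkg "$1" || { echo "refusing to install $1" >&2; exit 1; }
fi
```

A `nokey` or `failed` verdict after following the steps above means the key import did not take effect or the package differs from what was signed; in either case do not install it.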