Cloud Agent Package Integrity

Qualys recommends that you verify the Cloud Agent package integrity before installing it. This ensures that you have an authenticated installation package. Qualys provides you with a GNU Privacy Guard (GPG) signing key to verify the integrity of a Cloud Agent package.

If you do not import the GPG signing key for RPM-based packages, the following warning message will be displayed.

The following are the steps to verify Cloud Agent package integrity:

  • Add the GPG signing key to the Cloud Agent installer package.

  • Save the key as gpg.key and import it using the following commands. 
    gpg --import gpg.key
    gpg --export -a 'Qualys' > RPM-GPG-KEY-CodeSign
    rpm --import RPM-GPG-KEY-CodeSign
  • Run the following command to check if the GPG signing key is successfully imported.
    rpm -qa 'gpg-pubkey*'
  • Run the following command to check the signature and other details of the GPG signing key.
    rpm -qpi QualysCloudAgent.rpm
  • Run the following command to verify that the Cloud Agent package has not been tampered with.
    rpm -K QualysCloudAgent.rpm
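
The final check can be automated so that installation proceeds only when a signature was actually verified; rpm -K also reports OK for the digests of a package that carries no signature at all. The script below is an added example, not Qualys code: the function names and the verify.sh file name are assumptions, and the sample result lines in its comments are constructed.

```shell
#!/bin/sh
# Added example (not Qualys code): require a verified signature from `rpm -K`.
# Result wording matched below (constructed sample lines):
#   rpm >= 4.14   signed + key imported : "pkg.rpm: digests signatures OK"
#                 no signature present  : "pkg.rpm: digests OK"
#                 key missing / bad sig : "pkg.rpm: digests SIGNATURES NOT OK"
#   older rpm     signed + key imported : "pkg.rpm: rsa sha1 (md5) pgp md5 OK"
#                 no signature present  : "pkg.rpm: sha1 md5 OK"

# classify_rpm_k_output LINE -> prints signed-ok | unsigned | failed
classify_rpm_k_output() {
    result="${1#*: }"                      # drop the leading "<file>: "
    case "$result" in
        *"NOT OK"*)          echo failed ;;     # bad digest/signature or key not imported
        *"signatures OK"*)   echo signed-ok ;;
        *rsa*OK*|*dsa*OK*|*pgp*OK*|*gpg*OK*) echo signed-ok ;;  # lowercase = verified
        *OK*)                echo unsigned ;;   # digests only: nothing was authenticated
        *)                   echo failed ;;     # unrecognised output: fail closed
    esac
}

# verify_rpm FILE -> exit status 0 only when the signature verified
verify_rpm() {
    # LC_ALL=C keeps rpm's wording untranslated; stderr warnings are dropped
    out="$(LC_ALL=C rpm -K "$1" 2>/dev/null)" || true
    status="$(classify_rpm_k_output "$out")"
    echo "$1: $status"
    [ "$status" = "signed-ok" ]
}

# Usage: sh verify.sh QualysCloudAgent.rpm   (verify.sh is a hypothetical file name)
if [ "$#" -gt 0 ]; then
    verify_rpm "$1"
fi
```

rpm -K accepts a signature from any key in the RPM keyring, so use the rpm -qa 'gpg-pubkey*' listing to confirm that only keys you trust are imported.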