Verify signed Conjur artifacts

All Conjur artifacts are distributed as cryptographically signed zip or tar.gz archives.

We strongly recommend verifying the archive signatures before installing them in your environment.

Verify tar archive

Conjur tar, tar.gz, and tgz archives are signed with gpg, and the gpg utility is used to verify their signatures prior to installation. The signature is distributed as a separate .sig file alongside the artifact and is used to verify the artifact's integrity and origin.

To verify signatures with gpg:

  1. Import the public key into the local gpg keychain:

    gpg --import /path/to/RPM-GPG-KEY-CyberArk

  2. (Optional) To get less ambiguous verification output, you can mark the public key as trusted:

    echo -e '5\ny\n' | gpg --command-fd 0 --expert --edit-key <public key> trust

  3. Verify the archive signature:

    gpg --verify <archive>.sig <archive>

    Results:

      Public key          Signature validity   Output
      ------------------  -------------------  ------
      Trusted             Valid
      Untrusted           Valid
      Trusted/Untrusted   None or Not valid
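Added example (not part of the Conjur documentation): a shell helper that reads gpg's machine-readable status lines and maps them onto the three rows of the table above, so a script can tell "good signature from a trusted key" apart from "good signature from a key nobody has trusted yet" and from "bad or missing signature", instead of grepping the human-readable warning. It assumes gpg is run with --status-fd 1 (a standard gpg option); the keywords GOODSIG, BADSIG, ERRSIG, NO_PUBKEY and TRUST_* are gnupg's own status codes, and the sample reports with all-zero key ids are constructed for this example.

```shell
#!/bin/sh
# Added example: classify a gpg signature check from its --status-fd output.
# Intended pipeline: gpg --status-fd 1 --verify <archive>.sig <archive> | classify_gpg_status
# gpg's human-readable messages go to stderr, so only "[GNUPG:] ..." status
# lines (keywords documented in gnupg's doc/DETAILS) reach stdin here.
#
# Prints exactly one of:
#   trusted-valid    good signature, key has full or ultimate trust
#   untrusted-valid  good signature, key imported but not trusted (gpg's
#                    "not certified with a trusted signature" warning case)
#   invalid          bad signature, no signature, or signing key not present
classify_gpg_status() {
    good=0
    bad=0
    trust=untrusted
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)
                good=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                bad=1 ;;
            "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*)
                trust=trusted ;;
        esac
    done
    if [ "$bad" -eq 1 ] || [ "$good" -ne 1 ]; then
        echo invalid
    else
        echo "$trust-valid"
    fi
}

# Real use: verify <archive> against <archive>.sig (or an explicit signature path)
# and succeed only for the first row of the table, which is the only result an
# unattended install should accept.
verify_archive_strict() {
    archive=$1
    sig=${2:-$1.sig}
    result=$(gpg --status-fd 1 --verify "$sig" "$archive" 2>/dev/null | classify_gpg_status)
    echo "$archive: $result"
    [ "$result" = trusted-valid ]
}

# Constructed sample status reports (all-zero key ids; not real Conjur signing keys).
sample_trusted() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 0000000000000000 Example Signer <signer@example.invalid>' \
        '[GNUPG:] TRUST_ULTIMATE 0 pgp'
}
sample_untrusted() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 0000000000000000 Example Signer <signer@example.invalid>' \
        '[GNUPG:] TRUST_UNDEFINED 0 pgp'
}
sample_bad() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] BADSIG 0000000000000000 Example Signer <signer@example.invalid>'
}
sample_nokey() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] ERRSIG 0000000000000000 1 8 00 1616175666 9 0000000000000000000000000000000000000000' \
        '[GNUPG:] NO_PUBKEY 0000000000000000'
}

# Demo on the constructed reports.
for s in sample_trusted sample_untrusted sample_bad sample_nokey; do
    printf '%-17s %s\n' "$s:" "$($s | classify_gpg_status)"
done
```

The untrusted-valid case is the one the optional trust step in the procedure removes: the signature is mathematically fine, but gpg cannot vouch for who owns the key, so a pipeline that only greps for "Good signature" would accept it silently.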

Troubleshooting

Verify zip archive

Simple verification

Use the following command to perform a simple verification to ensure that the archive has been signed and that the signatures are valid.

jarsigner -verify -strict -certs <zip-archive>

If the signatures are valid, jarsigner outputs:

jar verified.

If the archive is not signed, you'll see:

no manifest.

jar is unsigned.

Extended verification

In addition to simple verification, you can also inspect the certificates, dates, and certificate chains used to sign the zip archive. Simple verification only confirms that the signing certificates chain to the locally configured certificate authorities. Extended verification lets you confirm that the zip archive was signed by the appropriate entity (in this case, CyberArk) and verify the integrity of each file in the archive.

The following command initiates extended verification by adding the -verbose option:

jarsigner -verify -strict -certs -verbose <zip-archive>

Below is an example of extended verification of the Conjur Enterprise 12.1.0 appliance container image zip archive:

$ jarsigner -verify -verbose -strict -certs conjur-appliance-12.1.0.zip

s       171 Sun Mar 21 12:08:58 CDT 2021 META-INF/MANIFEST.MF

      >>> Signer

s       171 Sun Mar 21 12:08:58 CDT 2021 META-INF/MANIFEST.MF

      X.509, CN=CyberArk Software Ltd., O=CyberArk Software Ltd., L=Petah Tikva, ST=Central District, C=IL, OID.1.3.6.1.4.1.311.60.2.1.3=IL, SERIALNUMBER=512291642, OID.2.5.4.15=Private Organization
      [certificate is valid from 4/2/19, 9:08 AM to 4/2/22, 9:08 AM]
<snip rest of the cert chain>
sm   428127521 Fri Mar 19 12:41:06 CDT 2021 conjur-appliance-12.1.0.tar.gz

      [entry was signed on 3/21/21, 5:09 AM]
      >>> Signer
      X.509, CN=CyberArk Software Ltd., O=CyberArk Software Ltd., L=Petah Tikva, ST=Central District, C=IL, OID.1.3.6.1.4.1.311.60.2.1.3=IL, SERIALNUMBER=512291642, OID.2.5.4.15=Private Organization
      [certificate is valid from 4/2/19, 9:08 AM to 4/2/22, 9:08 AM]
<snip rest of the cert chain>
  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

- Signed by "CN=CyberArk Software Ltd., O=CyberArk Software Ltd., L=Petah Tikva, ST=Central District, C=IL, OID.1.3.6.1.4.1.311.60.2.1.3=IL, SERIALNUMBER=512291642, OID.2.5.4.15=Private Organization"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 2048-bit key
  Timestamped by "CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US" on Sun Mar 21 10:09:00 UTC 2021
    Timestamp digest algorithm: SHA-256
    Timestamp signature algorithm: SHA256withRSA, 2048-bit key

jar verified.

The signer certificate will expire on 2022-04-02.
The timestamp will expire on 2029-03-22.

The signing certificate's common name and organization are both CyberArk Software Ltd. Additionally, the command prints jar verified, confirming that the signature is valid.
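Added example (not from the Conjur documentation): a shell helper that applies the two checks the paragraph above makes by eye, that the report ends in "jar verified." and that the signer's CN is the expected vendor, so extended verification can gate an automated install. The wrapper runs the page's jarsigner command; the expected CN "CyberArk Software Ltd." is taken from the example output above, and the sample reports are shortened, constructed versions of that output.

```shell
#!/bin/sh
# Added example: check a jarsigner -verbose report for (1) "jar verified." and
# (2) a "- Signed by" line whose CN is the expected signer. Reads the report on
# stdin, prints ok or rejected, and returns 0 only for ok.
check_jarsigner_report() {
    expected_cn=$1
    verified=0
    signer_ok=0
    unsigned=0
    while IFS= read -r line; do
        case "$line" in
            "jar verified."*)
                verified=1 ;;
            "jar is unsigned."*|"no manifest."*)
                unsigned=1 ;;
            "- Signed by \"CN="*)
                # CN attribute: text after 'CN=' up to the next comma (or closing quote)
                cn=${line#*CN=}
                cn=${cn%%,*}
                cn=${cn%\"}
                if [ "$cn" = "$expected_cn" ]; then
                    signer_ok=1
                fi ;;
        esac
    done
    if [ "$verified" -eq 1 ] && [ "$signer_ok" -eq 1 ] && [ "$unsigned" -eq 0 ]; then
        echo ok
        return 0
    fi
    echo rejected
    return 1
}

# Real use: run the page's extended-verification command and gate on the result.
# -strict already makes jarsigner exit non-zero on warnings; this adds the
# signer-identity check that "jar verified." alone does not give you.
verify_zip_signer() {
    archive=$1
    expected_cn=${2:-CyberArk Software Ltd.}
    jarsigner -verify -strict -certs -verbose "$archive" 2>&1 | check_jarsigner_report "$expected_cn"
}

# Constructed sample reports (shortened from the output shown above).
sample_jarsigner_ok() {
    printf '%s\n' \
        'sm   428127521 Fri Mar 19 12:41:06 CDT 2021 conjur-appliance-12.1.0.tar.gz' \
        '' \
        '  s = signature was verified' \
        '  m = entry is listed in manifest' \
        '' \
        '- Signed by "CN=CyberArk Software Ltd., O=CyberArk Software Ltd., L=Petah Tikva, ST=Central District, C=IL"' \
        '    Digest algorithm: SHA-256' \
        '' \
        'jar verified.'
}
sample_jarsigner_unsigned() {
    printf '%s\n' 'no manifest.' '' 'jar is unsigned.'
}
sample_jarsigner_wrong_signer() {
    # Valid signature, but from a certificate that is not the vendor's (constructed DN).
    printf '%s\n' \
        '- Signed by "CN=Example Unrelated Signer, O=Example, C=US"' \
        'jar verified.'
}

# Demo on the constructed reports.
for s in sample_jarsigner_ok sample_jarsigner_unsigned sample_jarsigner_wrong_signer; do
    printf '%-30s %s\n' "$s:" "$($s | check_jarsigner_report 'CyberArk Software Ltd.')"
done
```

The wrong-signer sample is the case simple verification cannot catch: any certificate that chains to a locally trusted CA produces "jar verified.", so the CN comparison is what ties the archive to CyberArk specifically.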

Loading the Conjur image (Docker only)

If the Docker image is wrapped by a zip archive, you need to use the unzip tool to extract the image prior to loading.

To load the Docker image:

  1. Run unzip <archive-name> to unwrap the container image.

  2. Run docker load -i <container-image> to load the Docker image into the local container registry.

Below is an example of extracting and loading a Docker container image:

$ unzip conjur-appliance-12.1.0.zip
Archive:  conjur-appliance-12.1.0.zip
  inflating: META-INF/MANIFEST.MF
  inflating: META-INF/LE-4E379.SF
  inflating: META-INF/LE-4E379.RSA
  inflating: conjur-appliance-12.1.0.tar.gz
  
$ docker load -i conjur-appliance-12.1.0.tar.gz
21d3518622ad: Loading layer [==================================================>]  1.323GB/1.323GB
Loaded image: registry.tld/conjur-appliance:12.1.0

Troubleshooting