Verify signed artifacts

All Conjur Cloud artifacts are distributed as cryptographically signed zip or tar.gz archives.

We strongly recommend verifying the archive signatures before installing the artifacts in your environment.

Verify tar archive

The gpg utility is used to sign tar, tar.gz, and tgz archives, and the same utility verifies those signatures prior to installation. The signature is distributed as a separate .sig file alongside the archive and is used to verify the integrity and origin of the artifact.

To verify signatures with gpg:

  1. Import the public key into the local gpg keychain:

     gpg --import /path/to/RPM-GPG-KEY-CyberArk

  2. (Optional) To make the verification output less ambiguous, mark the public key as trusted:

     echo -e '5\ny\n' | gpg --command-fd 0 --expert --edit-key <public key> trust

  3. Verify the archive signature:

     gpg --verify <archive>.sig <archive>

    Results:

    Public key          | Signature validity  | Output
    --------------------|---------------------|-------
    Trusted             | Valid               |
    Untrusted           | Valid               |
    Trusted/Untrusted   | None or Not valid   |
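To apply the Results table from an installation script rather than by eye, the following added shell snippet (it is not part of the Conjur Cloud documentation) reads gpg's machine-readable status lines instead of its human-readable text and accepts only a good signature from a trusted key. The archive path argument and the key used in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the Conjur Cloud docs. The --status-fd lines are
# stable across gpg versions and locales, unlike the "Good signature" text.
#
# Reads gpg status lines on stdin and prints one of:
#   trusted-valid    (exit 0)  - GOODSIG from a key at trust level full/ultimate
#   untrusted-valid  (exit 2)  - GOODSIG, but the key was never trusted
#                                (the "5" in the optional step above is "ultimate")
#   invalid          (exit 1)  - bad signature, missing key, or no signature data
classify_gpg_status() {
    good=0; trusted=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)       good=1 ;;
            "[GNUPG:] TRUST_FULLY"*)    trusted=1 ;;
            "[GNUPG:] TRUST_ULTIMATE"*) trusted=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NODATA "*|"[GNUPG:] NO_PUBKEY "*)
                # Any of these means the archive must not be installed.
                echo invalid; return 1 ;;
        esac
    done
    if [ "$good" -eq 1 ] && [ "$trusted" -eq 1 ]; then echo trusted-valid; return 0; fi
    if [ "$good" -eq 1 ]; then echo untrusted-valid; return 2; fi
    echo invalid; return 1
}

# Same verify step as the docs, with the status lines sent to stdout (fd 1)
# for the classifier; gpg's human-readable output still goes to stderr.
# Usage: verify_archive /path/to/archive.tar.gz   (expects archive.tar.gz.sig beside it)
verify_archive() {
    archive="$1"
    gpg --status-fd 1 --verify "$archive.sig" "$archive" | classify_gpg_status
}
```

An install script can call `verify_archive "$file" || exit 1` so that an untrusted or invalid result stops the installation.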

Troubleshooting

Verify zip archive

Simple verification

Use the following command to perform a simple verification, which confirms that the archive has been signed and that its signatures are valid:

jarsigner -verify -strict -certs <zip-archive>

If the signatures are valid, jarsigner outputs:

jar verified.

If the archive is not signed, you'll see:

no manifest.

jar is unsigned.

Extended verification

In addition to simple verification, you can also inspect the certificates, dates, and certificate chains used to sign the zip archive. Simple verification only confirms that the signing certificates chain to the locally configured certificate authorities. Extended verification lets you confirm that the zip archive was signed by the appropriate entity (in this case, CyberArk) and check the integrity of each file in the archive.

The following command performs extended verification by adding the -verbose option:

jarsigner -verify -strict -certs -verbose <zip-archive>

In the output, the signing certificate's common name and organization are CyberArk Software Ltd. Additionally, the command prints jar verified, confirming the valid signature.

Troubleshooting