All Conjur Cloud artifacts are cryptographically signed as zip or tar.gz archives.
We strongly recommend verifying the archive signatures before installing them in your environment.
Verify tar archive
The gpg utility is used to sign and verify tar, tar.gz, and tgz archives and can be used to verify their signatures prior to installation. The signature is distributed as a separate file that can be used to verify the integrity of the artifact.
To verify signatures with gpg:
Import the public key into the local gpg keychain:
gpg --import /path/to/RPM-GPG-KEY-CyberArk
(Optional) To providing less ambiguous information in the verification, you can trust the public key:
echo -e '5\ny\n' | gpg --command-fd 0 --expert --edit-key <public key> trust
Verify the key:
gpg --verify <archive>.sig <archive>
If the output looks like the following, the CyberArk public key has not been imported. The signature cannot be validated until it has been imported.
If the output looks like the following, it's very likely that either the order of files has been reversed or the .sig file is not a valid signature file.
Verify zip archive
Use the following command to perform a simple verification to ensure that the archive has been signed and that the signatures are valid.
If the signatures are valid,
If the archive is not signed, you'll see:
In addition to simple verification, you can also see the certificates, dates, and certificate chains used to sign the zip archive. Simple verification ensures that the signing certificates can be verified through the locally-configured certificate authorities. Extended verification allows you to verify that the zip archive has been signed by the appropriate entity (in this case, CyberArk) and to verify the integrity of each file in the archive.
The following command initiates extended verification, by adding the
The signing certificate's common name and organization is
Possible cause: CyberArk uses certificates issued through GlobalSign to sign artifacts. If your operating system or
jarsigner is not configured to trust this certificate authority, you may see an error similar to the example below:
Resolution: To resolve this issue, first confirm that GlobalSign is in fact missing from your keystore. If this is the case, the certificate can be found on GlobalSign's website. Once downloaded and formatted as a keystore using
keytool, the certificate can be configured by adding it to the
JAVA_HOME path or passed directly to
jarsigner using the
For more details about this process, see the manual pages:
man jarsigner and