Verify signed Conjur artifacts
All Conjur artifacts are distributed as zip or tar.gz archives, and every archive is cryptographically signed.
We strongly recommend verifying the archive signature before installing an artifact in your environment.
Verify tar archive
CyberArk signs tar, tar.gz, and tgz archives with gpg, and the same gpg utility is used to verify them before installation. The signature is distributed as a separate .sig file alongside the archive; a successful verification confirms both that the archive has not been modified and that it was signed with the CyberArk key you imported.
To verify signatures with gpg:
- Import the CyberArk public key into the local gpg keyring:
gpg --import /path/to/RPM-GPG-KEY-CyberArk
- (Optional) To get an unambiguous result in the verification step, mark the imported key as trusted. The command below sets the trust level to 5 (ultimate) non-interactively; <public key> is the key ID or fingerprint of the imported key, as shown by gpg --list-keys:
echo -e '5\ny\n' | gpg --command-fd 0 --expert --edit-key <public key> trust
- Verify the signature. The .sig file comes first, followed by the archive it signs:
gpg --verify <archive>.sig <archive>
Results:
Public key          Signature validity    Output
Trusted             Valid                 Good signature, no warning
Untrusted           Valid                 Good signature, but gpg warns that the key is not certified with a trusted signature
Trusted/Untrusted   None or not valid     BAD signature, or gpg reports that it cannot check the signature
Troubleshooting
If gpg reports that it cannot check the signature because there is no public key, the CyberArk public key has not been imported. The signature cannot be validated until you import it (step 1) and run the verification again.
If gpg reports that no valid OpenPGP data was found, it is very likely that the two file arguments have been reversed (the .sig file must come first) or that the .sig file is not a valid signature file.
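The procedure above, wrapped in a script that turns gpg's result into one of the verdicts from the table and exits non-zero otherwise. This is an added example, not a CyberArk script: it assumes gpg is on PATH, that the CyberArk key was imported as in step 1, and (optionally) an environment variable EXPECTED_FPR holding the 40-hex-digit fingerprint of that key. It reads gpg's machine-readable status lines (--status-fd) instead of grepping the localized human-readable output, and the demo at the end runs on constructed status lines, not on a real Conjur artifact.

```shell
#!/bin/sh
# Added example, not a CyberArk script: verify a Conjur tar/tar.gz/tgz archive
# with gpg and reduce the result to one of the verdicts in the table above
# (trusted-valid, untrusted-valid, invalid, no-pubkey).
# Assumptions: gpg is on PATH and the CyberArk key was imported as in step 1.
# EXPECTED_FPR (optional, assumed name) holds the 40-hex-digit fingerprint of
# the CyberArk key, as printed by: gpg --fingerprint

# classify_status: read gpg status lines on stdin, print "<verdict> <fingerprint>"
# (fingerprint is "-" when gpg emitted no VALIDSIG line).
classify_status() {
    good=0 trusted=0 bad=0 nokey=0 nodata=0 fpr=-
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)   good=1 ;;
            "[GNUPG:] VALIDSIG "*)  fpr=${line#"[GNUPG:] VALIDSIG "}; fpr=${fpr%% *} ;;
            "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*) trusted=1 ;;
            "[GNUPG:] BADSIG "*)    bad=1 ;;      # archive or signature was altered
            "[GNUPG:] NO_PUBKEY "*) nokey=1 ;;    # key not imported (step 1 skipped)
            "[GNUPG:] NODATA "*)    nodata=1 ;;   # first argument is not a signature
        esac
    done
    if   [ "$bad" = 1 ];   then verdict=invalid
    elif [ "$nokey" = 1 ]; then verdict=no-pubkey
    elif [ "$nodata" = 1 ]; then verdict=invalid
    elif [ "$good" = 1 ] && [ "$trusted" = 1 ]; then verdict=trusted-valid
    elif [ "$good" = 1 ]; then verdict=untrusted-valid
    else verdict=invalid
    fi
    echo "$verdict $fpr"
}

# verify_artifact <archive>.sig <archive>: same argument order as step 3.
# Returns 0 only for a good signature from a key that is either trusted in
# gpg (optional step 2) or pinned via EXPECTED_FPR; pinning replaces the
# trust step, so an untrusted-but-good signature from the pinned key passes.
verify_artifact() {
    result=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_status)
    echo "$result"
    verdict=${result%% *}
    fpr=${result#* }
    case "$verdict" in
        trusted-valid) ;;
        untrusted-valid)
            [ -n "${EXPECTED_FPR:-}" ] || { echo "key is not trusted and EXPECTED_FPR is not set" >&2; return 1; } ;;
        *) return 1 ;;
    esac
    if [ -n "${EXPECTED_FPR:-}" ] && [ "$fpr" != "$EXPECTED_FPR" ]; then
        echo "good signature, but from an unexpected key: $fpr" >&2
        return 1
    fi
    return 0
}

# demo: constructed status lines (not real gpg output for a Conjur artifact)
# covering each row of the table and the two troubleshooting cases.
demo() {
    f=0123456789ABCDEF0123456789ABCDEF01234567
    printf '%s\n' '[GNUPG:] GOODSIG 0123456789ABCDEF Example <s@example.com>' \
        "[GNUPG:] VALIDSIG $f 2021-01-01 1609459200 0 4 0 1 8 00 $f" \
        '[GNUPG:] TRUST_ULTIMATE 0 pgp' | classify_status
    printf '%s\n' '[GNUPG:] GOODSIG 0123456789ABCDEF Example <s@example.com>' \
        "[GNUPG:] VALIDSIG $f 2021-01-01 1609459200 0 4 0 1 8 00 $f" \
        '[GNUPG:] TRUST_UNDEFINED 0 pgp' | classify_status
    printf '%s\n' '[GNUPG:] BADSIG 0123456789ABCDEF Example <s@example.com>' | classify_status
    printf '%s\n' '[GNUPG:] NO_PUBKEY 0123456789ABCDEF' | classify_status
    printf '%s\n' '[GNUPG:] NODATA 1' | classify_status
}

# Usage: ./verify-tar.sh <archive>.sig <archive>   (no arguments: run the demo)
if [ "$#" -eq 2 ]; then verify_artifact "$1" "$2"; else demo; fi
```

The fingerprint pin is the control that matters in automation: a good signature from any key in your keyring only proves the archive was signed by someone whose key you happened to import, while the pin proves it was signed by the CyberArk key you looked up when you imported it.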
Verify zip archive
Simple verification
Use jarsigner to perform a simple verification, which confirms that the archive is signed and that the signatures are valid:
jarsigner -verify <archive>.zip
If the signatures are valid, jarsigner prints:
jar verified.
If the archive is not signed, you'll see:
jar is unsigned.
Extended verification
In addition to simple verification, you can display the certificates, dates, and certificate chains used to sign the zip archive. Simple verification only confirms that the signing certificates chain to a certificate authority trusted by the local JDK; extended verification lets you confirm that the archive was signed by the expected entity (in this case, CyberArk) and check the integrity of each file in the archive.
Extended verification is initiated by adding the -verbose option (adding -certs as well prints the signer certificate chain for each entry):
jarsigner -verify -verbose <archive>.zip
Below is an example of extended verification of the Conjur Enterprise 12.1.0 appliance container image zip archive; the example output is omitted here.
In the output, confirm that the signing certificate's common name (CN) and organization (O) identify CyberArk, not merely that the chain validates.
Loading the Conjur image (Docker only)
If the Docker image is wrapped in a zip archive, use the unzip tool to extract the image before loading it. Verify the archive signature first: docker load performs no signature check of its own.
To load the Docker image:
- Run unzip <archive-name> to unwrap the container image.
- Run docker load -i <container-image> to load the image into the local Docker image store.
Below is an example of extracting and loading a Docker container image; the example output is omitted here.
Troubleshooting
Possible cause: CyberArk signs artifacts with certificates issued through GlobalSign. If your operating system or the JDK used by jarsigner is not configured to trust this certificate authority, jarsigner reports a certificate chain error; the example output is omitted here.
Resolution: First confirm that the GlobalSign root certificate is in fact missing from the JDK's trust store (list the cacerts keystore under JAVA_HOME with keytool -list). If it is missing, download the root certificate from GlobalSign's website over HTTPS and compare its fingerprint with the one GlobalSign publishes before trusting it. Then import it with keytool, either into the cacerts keystore under JAVA_HOME or into a separate keystore that you pass directly to jarsigner with the -keystore option.
For more details about this process, see the manual pages: man jarsigner and man keytool.
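The second form of the resolution (a separate keystore passed with -keystore) as a script. This is an added example, not a CyberArk script: it assumes keytool and jarsigner are on PATH and that you pass it the zip archive and the GlobalSign root certificate file you downloaded and fingerprint-checked; the alias globalsign-root, the store file name and the password changeit are arbitrary choices made here. Keeping the root in its own trust store avoids widening the trust of every Java program that shares the JDK's cacerts file.

```shell
#!/bin/sh
# Added example, not a CyberArk script: verify a signed zip archive with
# jarsigner against a dedicated trust store holding the GlobalSign root,
# instead of editing the JDK's shared cacerts file.
# Assumptions: keytool and jarsigner are on PATH; argument 1 is the archive,
# argument 2 is the GlobalSign root certificate (PEM or DER) whose fingerprint
# you have already compared with the one GlobalSign publishes. The password
# only protects the integrity of a trust store, so a fixed value is used.

# build_truststore <ca-cert-file> <store-file> <password>
# Creates or updates a PKCS12 trust store containing the CA certificate.
build_truststore() {
    keytool -importcert -noprompt -trustcacerts \
        -alias globalsign-root \
        -file "$1" \
        -keystore "$2" -storetype PKCS12 -storepass "$3"
}

# verify_zip <archive.zip> <store-file> <password>
# Extended verification (-verbose -certs) with the trust store supplying the
# trusted CAs. jarsigner marks an entry with k when at least one certificate
# in the signer's chain is found in the keystore. The exit status is
# jarsigner's, so a failed verification aborts a set -e script.
verify_zip() {
    jarsigner -verify -verbose -certs \
        -keystore "$2" -storetype PKCS12 -storepass "$3" \
        "$1"
}

# Usage: ./verify-zip.sh <archive.zip> <globalsign-root.pem>
if [ "$#" -eq 2 ]; then
    store=$(mktemp -d)/globalsign-truststore.p12
    build_truststore "$2" "$store" changeit
    verify_zip "$1" "$store" changeit
fi
```

After the chain validates, still read the printed certificate: the CA being trusted says nothing about who holds the signing certificate, so the CN and O of the signer must identify CyberArk.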