Check digital signatures on software packages

Before you install Deep Security, you should check the digital signature on the software ZIP packages and installer files. A correct digital signature indicates that the software is authentically from Trend Micro and hasn't been corrupted or tampered with.

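You can either check the signature on software ZIP packages or check the signature on installer files (EXE, MSI, RPM or DEB files).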

You can also validate the software's checksums, as well as the digital signatures of the security updates and Deep Security Agent modules. See "How agents validate the integrity of updates" and "Linux Secure Boot support for agents".

Check the signature on software ZIP packages

The ZIP files for the Deep Security Agents, the Deep Security Virtual Appliance, and the online help are digitally signed. The signatures can be verified with the jarsigner Java utility.

  1. Install the latest Java Development Kit on your computer.
  2. Download the ZIP.
  3. Use the jarsigner utility within the JDK to check the signature. The command is:

    jarsigner -verify -verbose -certs -strict <ZIP_file>

    Example:

    jarsigner -verify -verbose -certs -strict Agent-RedHat_EL7-11.2.0-124.x86_64.zip

  4. Read any errors as well as the content of the certificate to determine if the signature can be trusted.

    In addition to checking the agent ZIP file, you can also check the agent installer file.
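Steps 3 and 4 can be scripted so that a package is rejected unless jarsigner reports a clean result and the signer certificate is the one you expect. The following is an added example, not Trend Micro's own script. The function names, the sample output and the "Example Vendor" subject are constructed for illustration; replace the expected subject with the one shown for a package you already trust.

```shell
#!/bin/sh
# Added example, not Trend Micro's script: automates steps 3 and 4 above.

# check_jarsigner_result STATUS OUTPUT EXPECTED_SUBJECT
# Succeeds only if jarsigner exited 0, printed the exact line "jar verified."
# and every signer (leaf) certificate line contains EXPECTED_SUBJECT.
check_jarsigner_result() {
    status=$1 output=$2 expected=$3
    # With -strict, warnings (expired cert, unsigned entries) give a non-zero exit.
    [ "$status" -eq 0 ] || return 1
    # -x rejects "jar verified, with signer errors." and "jar is unsigned."
    printf '%s\n' "$output" | grep -qx 'jar verified\.' || return 1
    # A leaf is an "X.509, <subject>" line that does not follow a "[certificate ...]"
    # line (those are CA certs in the chain) and is not in a ">>> TSA" section.
    printf '%s\n' "$output" | awk -v want="$expected" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^>>> TSA/    { tsa = 1; next }
        line ~ /^>>> Signer/ { tsa = 0; prev = ""; next }
        line ~ /^X\.509, / && !tsa && prev !~ /^\[/ {
            leaves++
            if (index(line, want) == 0) bad++
        }
        line != "" { prev = line }
        END { exit !(leaves > 0 && bad == 0) }'
}

# verify_signed_zip ZIP EXPECTED_SUBJECT: run the documented command, apply the checks.
# -J-Duser.language=en keeps jarsigner's messages in English for the text match.
verify_signed_zip() {
    out=$(jarsigner -J-Duser.language=en -verify -verbose -certs -strict "$1" 2>&1) \
        && rc=0 || rc=$?
    check_jarsigner_result "$rc" "$out" "$2"
}

# Constructed sample of verbose output (illustrative, not from a real package).
SAMPLE_OK='sm      1024 Mon Jan 01 00:00:00 UTC 2024 payload/agent.rpm

      >>> Signer
      X.509, CN=Example Vendor Signing, O=Example Vendor, C=US
      [certificate is valid from 1/1/23 to 1/1/26]
      X.509, CN=Example Code Signing CA, O=Example CA, C=US
      [certificate is valid from 1/1/20 to 1/1/30]

jar verified.'

# Usage: sh verify.sh <ZIP_file> '<expected signer subject>'
[ "$#" -lt 2 ] || verify_signed_zip "$1" "$2"
```

"jar verified." alone only says that some certificate signed the archive consistently, which is why the script also pins the signer subject.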

Check the signature on installer files (EXE, MSI, RPM or DEB files)

The installers for the Deep Security Agent, Deep Security Manager, and Deep Security Notifier are digitally signed using RSA. The installer is an EXE or MSI file on Windows, an RPM file on Linux operating systems (Amazon, CloudLinux, Oracle, Red Hat, and SUSE), or a DEB file on Debian and Ubuntu.

The instructions below describe how to check a digital signature manually. If you'd like to automate this check, you can include it in your agent deployment scripts. For more on deployment scripts, see "Use deployment scripts to add and protect computers".

Follow the instructions that correspond to the type of installer file you want to check.

Check the signature on an EXE or MSI file

  1. Right-click the EXE or MSI file and select Properties.
  2. Click the Digital Signatures tab to check the signature.

Check the signature on an RPM file

Check the signature on a DEB file