Check digital signatures on software packages

Before you install Deep Security, you should check the digital signature on the software ZIP packages and installer files to make sure the software hasn't been tampered with.

Topics on this page:

You can also check the signature on the Deep Security modules installed into the agent. See Linux Secure Boot support for agents for details.

Check the signature on software ZIP packages

The ZIP files for the Deep Security Agents, Deep Security Virtual Appliance, and online help are digitally signed using the jarsigner Java utility. The signatures can be verified with the same utility.

To check the signature on the ZIP files:

  1. Make sure you have the latest Java Development Kit installed on the computer where you intend to check the signature.
  2. Download the ZIP to the computer where the JDK is installed.
  3. Use the jarsigner utility within the JDK to check the signature. The command is:

    jarsigner -verify -verbose -certs <ZIP_file>

    Example:

    jarsigner -verify -verbose -certs Agent-RedHat_EL7-11.2.0-124.x86_64.zip

  4. Read any warnings (or errors, if you also included the -strict parameter) as well as the content of the certificate to determine if the signature can be trusted.

    In addition to checking the agent ZIP file, you can also check the agent installer file.

Check the signature on installer files (EXE, MSI, RPM or DEB files)

The installers for the Deep Security Agent, Deep Security Manager, and Deep Security Notifier are digitally signed using RSA. The installer is an EXE or MSI file on Windows, an RPM file on Linux-based operating systems (namely, Amazon, CloudLinux, Oracle, RedHat, and SuSe), or a DEB file on Debian and Ubuntu.

The instructions below describe how to check a digital signature manually. If you'd like to automate this check, you can include it in your agent deployment scripts. For more on deployment scripts, see Use deployment scripts to add and protect computers.

Follow the instructions that correspond to the type of installer file you want to check.

Check the signature on an EXE or MSI file

  1. Right-click the MSI file and select Properties.
  2. Click the Digital Signatures tab to check the signature.

Check the signature on an RPM file

  1. (Optional) Before you begin, check the digital signature on the agent's ZIP file which contains the RPM and supporting files. See Check the signature on software ZIP packages for details.
  2. Find the 3trend_public.asc file. It's located in the root folder of the agent's ZIP file. The ASC file contains a standard GPG signing key that you can use to verify the digital signature.
  3. (Optional) Verify the SHA-256 hash digest of the ASC file using any hashing utility. The hash is:

    c59caa810a9dc9f4ecdf5dc44e3d1c8a6342932ca1c9573745ec9f1a82c118d7

  4. On the computer where you intend to check the signature, import the ASC file. Use this command:

    Commands are case-sensitive.

    gpg --import 3trend_public.asc

    The following messages appear:

    gpg: directory `/home/build/.gnupg' created

    gpg: new configuration file `/home/build/.gnupg/gpg.conf' created

    gpg: WARNING: options in `/home/build/.gnupg/gpg.conf' are not yet active during this run

    gpg: keyring `/home/build/.gnupg/secring.gpg' created

    gpg: keyring `/home/build/.gnupg/pubring.gpg' created

    gpg: /home/build/.gnupg/trustdb.gpg: trustdb created

    gpg: key E1051CBD: public key "Trend Micro (trend linux sign) <alloftrendetscodesign@trendmicro.com>" imported

    gpg: Total number processed: 1

    gpg: imported: 1 (RSA: 1)

  5. Export the public key from the ASC file:

    gpg --export -a 'Trend Micro' > RPM-GPG-KEY-CodeSign

  6. Import the public key to the RPM database:

    sudo rpm --import RPM-GPG-KEY-CodeSign

  7. Verify that the public key has been imported:

    rpm -qa gpg-pubkey*

  8. The fingerprints of imported public keys appear. The Trend Micro one is:

    gpg-pubkey-e1051cbd-5b59ac99

  9. Check the signature on the RPM file:

    rpm -K <agent_rpm_file>

    Example:

    rpm -K Agent-Core-RedHat_EL7-11.2.0-124.x86_64.rpm

  10. If the signature is verified successfully, the following message appears:

    Agent-Core-RedHat_EL7-11.2.0-124.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

Check the signature on a DEB file

  1. (Optional) Before you begin, check the digital signature on the agent's ZIP file which contains the DEB file and supporting files. See Check the signature on software ZIP packages for details.
  2. Find the 3trend_public.asc file. It's located in the root folder of the agent's ZIP file. The ASC file contains a standard GPG signing key that you can use to verify the digital signature.
  3. (Optional) Verify the SHA-256 hash digest of the ASC file using any hashing utility. The hash is:

    c59caa810a9dc9f4ecdf5dc44e3d1c8a6342932ca1c9573745ec9f1a82c118d7

  4. On the computer where you intend to check the signature, import the ASC file. Use this command:

    sudo apt-key add < 3trend_public.asc

    The following message appears:

    OK

  5. Display the fingerprint of the Trend Micro key:

    apt-key fingerprint /etc/apt/trusted.gpg

    The Trend Micro fingerprint is the 40-character string on the second line. In the example below, the fingerprint begins with CF5E:

    pub rsa2048 2018-07-26 [SC] [expires: 2021-07-25]

    CF5E BBC1 7D81 78A7 776C 1D36 5B09 AD42 E105 1CBD

    uid [ unknown] Trend Micro (trend linux sign) <alloftrendetscodesign@trendmicro.com>

    sub rsa2048 2018-07-26 [E] [expires: 2021-07-25]

  6. Copy the fingerprint to a file for later use.
  7. Create a keyring directory. Include the last 16 characters of the Trend Micro fingerprint, without spaces. For example:

    mkdir /usr/share/debsig/keyrings/5B09AD42E1051CBD/

  8. Import the public key to the debsig-verify GPG keyring:

    gpg --no-default-keyring \

        --keyring /usr/share/debsig/keyrings/5B09AD42E1051CBD/<debsig.gpg> \

        --import my-public-key

    where <debsig.gpg> is replaced with any file name you want. These steps assume you used debsig.gpg.

  9. Create a directory for a policy document that includes the Trend Micro 16-character fingerprint in the path:

    mkdir /etc/debsig/policies/5B09AD42E1051CBD/

  10. Create an XML policy document. For example:

    <?xml version="1.0"?>

    <!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">

    <Policy xmlns="http://www.debian.org/debsig/1.0/">

    <Origin Name="DSA" id="5B09AD42E1051CBD" Description="Deep Security Agent Package"/>

    <Selection>

    <Required Type="origin" File="debsig.gpg" id="5B09AD42E1051CBD"/>

    </Selection>

    <Verification MinOptional="0">

    <Required Type="origin" File="debsig.gpg" id="5B09AD42E1051CBD"/>

    </Verification>

    </Policy>

    More policy examples are available in /usr/share/doc/debsig-verify/examples. Instructions on how to create policy documents are available in /usr/share/doc/debsig-verify/policy-syntax.txt.

  11. Save the policy document with a POL file extension. Example:

    debsig-verify.pol

  12. Verify the signature on the DEB file:

    debsig-verify <agent_deb_file>

    Example:

    debsig-verify Agent-Core-Debian_9-11.2.0-122.x86_64.deb

  13. If the signature is verified successfully, the following message appears:

    debsig: Verified package from `Deep Security Agent Package' (DSA)