Check digital signatures on software packages

Import of export a ZIP file following the instructions in Download agent software packages into Deep Security Manager or Export the agent installer.

On import or export, the manager checks the digital signature on the ZIP file. If the signature is good, the manager allows the import or export to proceed. If the signature is bad, or doesn't exist, the manager disallows the action, deletes the ZIP, and logs an event.

File deletion and event log generation require Deep Security Manager build 12.5.752 or later.

1. Log in to Deep Security Manager.
2. Click Administration at the top.
3. On the left, expand Updates > Software > Local.
4. Find the ZIP package whose digital signature you want to check and double-click it. (If it's not there, download it.)
5. The Properties page for the ZIP file opens, and the manager checks the digital signature. If the signature is good, you'll see a green check mark in the Signature field. If the signature is bad, or doesn't exist, the manager deletes the ZIP and logs an event.

   File deletion and event log generation requires Deep Security Manager build 12.5.752 or later.

Use the jarsigner Java utility to check a signature on a ZIP when you can't check it through the manager. For example, let's say you obtained an agent ZIP package from a non-manager source, such as the Deep Security Software page, and then wanted to install the agent manually. In this scenario, you'd use the jarsigner utility since the manager is not involved.

To check a signature using jarsigner:

1. Install the latest Java Development Kit on your computer.
2. Download the ZIP.
3. Use the jarsigner utility within the JDK to check the signature. The command is:

   jarsigner -verify -verbose -certs -strict <ZIP_file>

   Example:

   jarsigner -verify -verbose -certs -strict Agent-RedHat_EL7-11.2.0-124.x86_64.zip

4. Read any errors as well as the content of the certificate to determine if the signature can be trusted.

Install GnuPG on the agent computer where you intend to check the signature, if it is not already installed. This utility includes the GPG command-line tool, which you'll need in order to import the signing key and check the digital signature.

GnuPG is installed by default on most Linux distributions.

1. Look for the 3trend_public.asc file in the root folder of the agent's ZIP file. The ASC file contains a GPG public signing key that you can use to verify the digital signature.
2. (Optional) Verify the SHA-256 hash digest of the ASC file using any hashing utility. The hash is: 

   c59caa810a9dc9f4ecdf5dc44e3d1c8a6342932ca1c9573745ec9f1a82c118d7

3. On the agent computer where you intend to check the signature, import the ASC file. Use this command:

   Commands are case-sensitive.

   gpg --import 3trend_public.asc

   The following messages appear:

   gpg: directory `/home/build/.gnupg' created

   gpg: new configuration file `/home/build/.gnupg/gpg.conf' created

   gpg: WARNING: options in `/home/build/.gnupg/gpg.conf' are not yet active during this run

   gpg: keyring `/home/build/.gnupg/secring.gpg' created

   gpg: keyring `/home/build/.gnupg/pubring.gpg' created

   gpg: /home/build/.gnupg/trustdb.gpg: trustdb created

   gpg: key E1051CBD: public key "Trend Micro (trend linux sign) <alloftrendetscodesign@trendmicro.com>" imported

   gpg: Total number processed: 1

   gpg: imported: 1 (RSA: 1)

4. Export the GPG public signing key from the ASC file:

   gpg --export -a 'Trend Micro' > RPM-GPG-KEY-CodeSign

5. Import the GPG public signing key to the RPM database:

   sudo rpm --import RPM-GPG-KEY-CodeSign

6. Verify that the GPG public signing key has been imported:

   rpm -qa gpg-pubkey*

7. The fingerprints of imported GPG public keys appear. The Trend Micro one is:

   gpg-pubkey-e1051cbd-5b59ac99

   The signing key has now been imported and can be used to check the digital signature on the agent RPM file.

Instead of checking the signature on the RPM file manually, as described below, you can have a deployment script do it. See Use deployment scripts to add and protect computers for details.

Use this command:

rpm -K Agent-PGPCore-<OS agent version>.rpm

Example:

rpm -K Agent-PGPCore-RedHat_EL7-11.0.0-950.x86_64.rpm

Make sure you run the above command on the Agent-PGPCore-<...>.rpm file. (Running it on Agent-Core-<...>.rpm does not work.) If you cannot find the Agent-PGPCore-<...>.rpm file in the agent ZIP, you'll need to use a newer ZIP, specifically:

• Deep Security Agent 11.0 Update 15 or a later update

  or

• Deep Security Agent 12 Update 2 or later

If the signature verification is successful, the following message appears:

Agent-PGPCore-RedHat_EL7-11.0.0-950.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

Install dpkg-sig on the agent computer where you intend to check the signature, if it is not already installed. This utility includes the GPG command-line tool, which you'll need in order to import the signing key and check the digital signature.

1. Look for the 3trend_public.asc file in the root folder of the agent's ZIP file. The ASC file contains a GPG public signing key that you can use to verify the digital signature.
2. (Optional) Verify the SHA-256 hash digest of the ASC file using any hashing utility. The hash is: 

   c59caa810a9dc9f4ecdf5dc44e3d1c8a6342932ca1c9573745ec9f1a82c118d7

3. On the agent computer where you intend to check the signature, import the ASC file to the GPG keyring. Use this command:

   gpg --import 3trend_public.asc

   The following message appears:

   gpg: key E1051CBD: public key "Trend Micro (trend linux sign) <alloftrendetscodesign@trendmicro.com>" imported

   gpg: Total number processed: 1

   gpg: imported: 1 (RSA: 1)

4. (Optional) Display the Trend Micro key information. Use this command:

   gpg --list-keys

   A message similar to the following appears:

   /home/user01/.gnupg/pubring.gpg

   -------------------------------

   pub 2048R/E1051CBD 2018-07-26 [expires: 2021-07-25]

   uid Trend Micro (trend linux sign) <alloftrendetscodesign@trendmicro.com>

   sub 2048R/202C302E 2018-07-26 [expires: 2021-07-25]

Instead of verifying the signature on the DEB file manually, as described below, you can have a deployment script do it. See Use deployment scripts to add and protect computers for details.

Enter this command:

dpkg-sig --verify <agent_deb_file>

where <agent_deb_file> is the name and path of the agent DEB file. For example:

dpkg-sig --verify Agent-Core-Ubuntu_16.04-12.0.0-563.x86_64.deb

A processing message appears:

Processing Agent-Core-Ubuntu_16.04-12.0.0-563.x86_64.deb...

If the signature is verified successfully, the following message appears:

GOODSIG _gpgbuilder CF5EBBC17D8178A7776C1D365B09AD42E1051CBD 1568153778