Digital signature for installers
Starting with version 24.2, the individual component installers for TrueSight Server Automation are now digitally signed. Previously, the Windows installers were digitally signed by using BMC's signer certificate. However, from version 24.2 onwards, the UNIX installers are also digitally signed.
UNIX installers are digitally signed using the GPG software that implements the OpenPGP standard. For more information, see the GnuPG website.
GPG key and signature
The GPG digital signature uses a private/public key pair. The private key is used for digital signature generation and the public key is used for digital signature verification.
Here are the details of the TrueSight Server Automation Public key:
- Public Key ID: 575580E8543C219A
- Public Key Fingerprint: 106A0E83E7DBAAA047E91E86575580E8543C219A
- Sub Key ID: 350D91381185392B
- User ID: TSSA Build Admins <tssabldadmins@bmc.com>
The command gpg --show-keys --keyid-format=long ./tssa-public.gpg yields the following output:
106A0E83E7DBAAA047E91E86575580E8543C219A
uid TSSA Build Admins <tssabldadmins@bmc.com>
sub rsa4096/350D91381185392B 2024-01-25 [S]
GPG signatures are generated for various UNIX installers. These signatures are packaged with the UNIX installers inside different UPI component zip files. The UPI component zips also include the GPG Public key and verification script.
For a comprehensive list detailing the availability of digital signature files for each component, see Installation-programs-for-TrueSight-Server-Automation.
GPG signature verification
Two types of GPG signatures are packaged with the installers: detached signatures and embedded signatures. Detached signatures are available for all the installers. Embedded signatures are available for the file types that support such signatures. To verify a signature, you first need to import the signer's public GPG key and then perform the procedure outlined later, depending on the type of signature.
GPG keys are configured on TrueSight Server Automation build infrastructure and the GPG public key is sent to the GPG key server. The public key can be searched on the GPG key server.
Importing GPG signature
The public GPG key of the signer must be imported into the GPG keyring. There are two ways to import the public GPG key; use one or the other:
Import from the file
If you've already received the public GPG key file from an authentic source, you can import the key into your GPG keyring using this key file. This method is especially helpful when the server doesn't have internet access or keyserver connectivity. The following code sample provides an example of importing the GPG Public key from GPG public key file tssa-public.gpg:
[root@clm-pun-unbalo rscd]# gpg --show-keys --keyid-format=long ./tssa-public.gpg
pub rsa4096/575580E8543C219A 2024-01-25 [SC]
106A0E83E7DBAAA047E91E86575580E8543C219A
uid TSSA Build Admins <tssabldadmins@bmc.com>
sub rsa4096/350D91381185392B 2024-01-25 [S]
[root@clm-pun-unbalo rscd]# gpg --import ./tssa-public.gpg
gpg: key 575580E8543C219A: public key "TSSA Build Admins <tssabldadmins@bmc.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
Import from the key server
You can also import the GPG public key directly from the key server, because the key owner publishes it on the open/public GPG key server. The following code sample provides an example of importing the GPG key from the key server:
[root@clm-pun-unbalo rscd]# gpg --keyserver keyserver.ubuntu.com --receive-keys 575580e8543c219a
gpg: key 575580E8543C219A: public key "TSSA Build Admins <tssabldadmins@bmc.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
[root@clm-pun-unbalo rscd]# gpg --list-keys --keyid-format=long
/root/.gnupg/pubring.kbx
------------------------
pub rsa4096/575580E8543C219A 2024-01-25 [SC]
106A0E83E7DBAAA047E91E86575580E8543C219A
uid [ unknown] TSSA Build Admins <tssabldadmins@bmc.com>
sub rsa4096/350D91381185392B 2024-01-25 [S]
Verifying GPG signature
Once the public GPG key is available in the GPG keyring, verify the signature using the signature file and the original file to be verified. The procedure to verify the signature will vary depending on the type of signature you are verifying.
Verifying detached signature
A detached signature is a separate file containing the digital signature of the original file. Detached signatures are generated for all shell-based installers and native installers such as rpm, deb, etc.
The following example verifies the test.txt file using its detached signature file test.txt.asc. Note that the detached signature file is named <original_file_name>.asc. The "Good signature from ...." line signifies that the signature matches the file content.
[root@clm-pun-unbalo tmp]# gpg --verify test.txt.asc test.txt
gpg: Signature made Mon 01 Apr 2024 01:30:19 AM EDT
gpg: using RSA key B6BAC6539C67E6479CA98CC6350D91381185392B
gpg: issuer "tssabldadmins@bmc.com"
gpg: Good signature from "TSSA Build Admins <tssabldadmins@bmc.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 106A 0E83 E7DB AAA0 47E9 1E86 5755 80E8 543C 219A
Subkey fingerprint: B6BA C653 9C67 E647 9CA9 8CC6 350D 9138 1185 392B
[root@clm-pun-unbalo tmp]# echo $?
0
Verifying embedded signature
An embedded signature is a digital signature embedded within the file header itself. This type of signature can only be generated if the native file format supports it. TrueSight Server Automation supports the RPM native package type for Linux and the DEB native package type for Ubuntu/Debian operating systems.
- Verifying RPM package
- Import the public GPG key into the RPM keyring.
If you've already received the public GPG key file from an authentic source, use it to import the key in the rpm keyring. See the following example:
[root@clm-pun-unbalo rscd]# gpg --show-keys --keyid-format=short ./tssa-public.gpg
pub rsa4096/543C219A 2024-01-25 [SC]
106A0E83E7DBAAA047E91E86575580E8543C219A
uid TSSA Build Admins <tssabldadmins@bmc.com>
sub rsa4096/1185392B 2024-01-25 [S]
[root@clm-pun-unbalo rscd]# rpm --import ./tssa-public.gpg
[root@clm-pun-unbalo rscd]# echo $?
0
[root@clm-pun-unbalo rscd]# rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
gpg-pubkey-fd431d51-4ae0493b --> gpg(Red Hat, Inc. (release key 2) <security@redhat.com>)
gpg-pubkey-d4082792-5b32db75 --> gpg(Red Hat, Inc. (auxiliary key) <security@redhat.com>)
gpg-pubkey-543c219a-65b2360a --> gpg(TSSA Build Admins <tssabldadmins@bmc.com>)
[root@clm-pun-unbalo rscd]# rpm -qi gpg-pubkey-543c219a-65b2360a
Name : gpg-pubkey
Version : 543c219a
Release : 65b2360a
Architecture: (none)
Install Date: Mon 01 Apr 2024 09:40:52 AM EDT
Group : Public Keys
Size : 0
License : pubkey
Signature : (none)
Source RPM : (none)
Build Date : Thu 25 Jan 2024 05:20:58 AM EST
Build Host : localhost
Relocations : (not relocatable)
Packager : TSSA Build Admins <tssabldadmins@bmc.com>
Summary : gpg(TSSA Build Admins <tssabldadmins@bmc.com>)
Description :
You can also import the GPG key directly from the key server. The following example searches for and imports the key from the key server, and then lists the imported key. Note that the key ID must be prefixed with 0x in the rpm command:
[root@clm-pun-unbalo rscd]# rpm --define="%_hkp_keyserver http://keyserver.ubuntu.com" --import 0x575580e8543c219a
[root@clm-pun-unbalo rscd]# echo $?
0
[root@clm-pun-unbalo rscd]# rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
gpg-pubkey-fd431d51-4ae0493b --> gpg(Red Hat, Inc. (release key 2) <security@redhat.com>)
gpg-pubkey-d4082792-5b32db75 --> gpg(Red Hat, Inc. (auxiliary key) <security@redhat.com>)
gpg-pubkey-543c219a-65b2360a --> gpg(TSSA Build Admins <tssabldadmins@bmc.com>)
Verify the rpm package using the signed file, once the GPG public key is available in the rpm keyring. The following example lists and then verifies the signature of the 1.rpm file. The "digests signatures OK" in the signature verification command (rpm -K) signifies that the signature matches the file content.
[root@clm-pun-unbalo tmp]# rpm -qi 1.rpm | egrep "Signature "
Signature : RSA/SHA256, Mon 01 Apr 2024 01:30:16 AM EDT, Key ID 350d91381185392b
[root@clm-pun-unbalo tmp]# rpm -K 1.rpm
1.rpm: digests signatures OK
- Verifying DEB package
The embedded signature in a Debian package is generated using the debsigs utility. To verify this embedded signature, you need to use the corresponding debsig-verify utility. For more information, see debsigs on the Debian website.
Import the public GPG key into the Debian keyring.
There isn't a direct command to configure the public GPG key for debsigs. Instead, you need to manually perform a few steps to configure the public key and set up the required policy to verify the signature. See the following example:
KEY_FINGERPRINT=FB870547CEB411C3A59AAFE32A30E21B087A18B5
# Create a keyrings directory using the key fingerprint (-p also creates missing parent directories)
mkdir -p ~/debsig/keyrings/$KEY_FINGERPRINT
# Touch public key file to force v4 keyring format used by debsig-verify
touch ~/debsig/keyrings/$KEY_FINGERPRINT/debsig.gpg
# Import public key
gpg --no-default-keyring --keyring ~/debsig/keyrings/$KEY_FINGERPRINT/debsig.gpg --import tssa-public.gpg
# Create the policy directory
mkdir -p ~/debsig/policies/$KEY_FINGERPRINT
# Create policy - name can be anything but must end in ".pol"
vi ~/debsig/policies/$KEY_FINGERPRINT/debsig.pol
# Add the content below to the policy file above.
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="https://www.debian.org/debsig/1.0/">
  <Origin Name="tssabldadmins@bmc.com" id="FB870547CEB411C3A59AAFE32A30E21B087A18B5" Description="TSSA Build Admins"/>
  <Selection>
    <Required Type="origin" File="debsig.gpg" id="FB870547CEB411C3A59AAFE32A30E21B087A18B5"/>
  </Selection>
  <Verification MinOptional="0">
    <Required Type="origin" File="debsig.gpg" id="FB870547CEB411C3A59AAFE32A30E21B087A18B5"/>
  </Verification>
</Policy>
Verify the deb package
Once the public keys are correctly configured in the debsig keyring, we can verify the signature of a signed .deb file using the following command:
bash$ debsig-verify --policies-dir ~/debsig/policies --keyrings-dir ~/debsig/keyrings rscd.deb
debsig: Verified package from ...
bash$
Verifying GPG signatures using the GPG verification script
The UPI component zip file includes the GPG signature, the GPG Public key and the GPG verification script. You can use the GPG verification script to import the provided GPG Public Key and verify the GPG signature of the file. See the following example for importing and verifying GPG signature using the GPG verification script.
[root@clm-pun-v3t818 24.2.00.4]# unzip TSSA242-RSCDAgents.zip
Archive: TSSA242-RSCDAgents.zip
creating: rscd/aix/
inflating: rscd/aix/RSCD242-AIX32.bff
inflating: rscd/aix/RSCD242-AIX32.bff.asc
inflating: rscd/CreateDepotSoftwareForAgents.nsh
inflating: rscd/gpg_verify.sh
creating: rscd/hpux/
inflating: rscd/hpux/RSCD242-HPUX11.sh
inflating: rscd/hpux/RSCD242-HPUX11.sh.asc
creating: rscd/linux_32/
inflating: rscd/linux_32/RSCD242-LIN32.rpm
inflating: rscd/linux_32/RSCD242-LIN32.rpm.asc
creating: rscd/linux_64/
inflating: rscd/linux_64/RSCD242-LIN64.rpm
inflating: rscd/linux_64/RSCD242-LIN64.rpm.asc
inflating: rscd/linux_64/RSCD242-LIN64.sh
inflating: rscd/linux_64/RSCD242-LIN64.sh.asc
extracting: rscd/linux_64/nsh-install-defaults
creating: rscd/linux_aarch64/
inflating: rscd/linux_aarch64/RSCD242-LIN-AARCH64.rpm
inflating: rscd/linux_aarch64/RSCD242-LIN-AARCH64.rpm.asc
creating: rscd/linux_ppc64/
inflating: rscd/linux_ppc64/RSCD242-LIN64-PPC.sh
inflating: rscd/linux_ppc64/RSCD242-LIN64-PPC.sh.asc
creating: rscd/solaris10_sparc/
inflating: rscd/solaris10_sparc/RSCD242-SOL10-SPARC-LOCAL
inflating: rscd/solaris10_sparc/RSCD242-SOL10-SPARC-LOCAL.asc
creating: rscd/solaris10_x86/
inflating: rscd/solaris10_x86/RSCD242-SOL10-X86-SPARC-LOCAL
inflating: rscd/solaris10_x86/RSCD242-SOL10-X86-SPARC-LOCAL.asc
inflating: rscd/tssa-public.gpg
creating: rscd/ubuntu_32/
inflating: rscd/ubuntu_32/RSCD242-LIN32.deb
inflating: rscd/ubuntu_32/RSCD242-LIN32.deb.asc
creating: rscd/ubuntu_64/
inflating: rscd/ubuntu_64/RSCD242-LIN64.deb
inflating: rscd/ubuntu_64/RSCD242-LIN64.deb.asc
inflating: rscd/updateExportsFile.sh
creating: rscd/windows_64/
inflating: rscd/windows_64/RSCD242-WIN64.msi
inflating: rscd/windows_64/agent_launcher.bat
[root@clm-pun-v3t818 24.2.00.4]# cd rscd
[root@clm-pun-v3t818 rscd]# ls
aix linux_32 solaris10_sparc ubuntu_64
CreateDepotSoftwareForAgents.nsh linux_64 solaris10_x86 updateExportsFile.sh
gpg_verify.sh linux_aarch64 tssa-public.gpg windows_64
hpux linux_ppc64 ubuntu_32
[root@clm-pun-v3t818 rscd]# sh gpg_verify.sh --help
Usage: sh gpg_verify.sh [--import 'GPG Public key file path']
For gpg signature verification, the required gpg public key must be already
imported in gpg and rpm keyrings.
######### IMPORTING KEYS #########
You can import the gpg public key using one of the following method.
NOTE: You will need root access to import the key.
1. Import from key server:
a. Import into GPG keyring:
gpg --keyserver <Key Server> --receive-keys <KeyID>
e.g. gpg --keyserver keyserver.ubuntu.com --receive-keys 575580E8543C219A
b. Import into RPM keyring:
rpm --define="%_hkp_keyserver <Key Server>" --import 0x<KEYID>
e.g. rpm --define=%_hkp_keyserver http://keyserver.ubuntu.com --import 0x575580E8543C219A
2. Use this script to import the GPG key from /path/to/tssa-public.gpg file
into GPG and RPM keyrings using below command.
sh gpg_verify.sh --import /path/to/tssa-public.gpg
##################################
#### VERIFYING GPG SIGNATURES ####
To verify gpg signatures for required files, use following command.
NOTE: The embedded GPG signature verification of Debian packages needs additional
configurations on the server. So it will be skipped from this verification.
The detached signature of those packages will still be done by following command.
sh gpg_verify.sh
##################################
[root@clm-pun-v3t818 rscd]# sh gpg_verify.sh --import ./tssa-public.gpg
gpg: key 575580E8543C219A: public key "TSSA Build Admins <tssabldadmins@bmc.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
Public key imported successfully in GPG keyring.
Public key imported successfully in RPM keyring.
[root@clm-pun-v3t818 rscd]# sh gpg_verify.sh
Detached signature: ./aix/RSCD242-AIX32.bff: OK
Detached signature: ./hpux/RSCD242-HPUX11.sh: OK
Detached signature: ./linux_32/RSCD242-LIN32.rpm: OK
Detached signature: ./linux_64/RSCD242-LIN64.rpm: OK
Detached signature: ./linux_64/RSCD242-LIN64.sh: OK
Detached signature: ./linux_aarch64/RSCD242-LIN-AARCH64.rpm: OK
Detached signature: ./linux_ppc64/RSCD242-LIN64-PPC.sh: OK
Detached signature: ./solaris10_sparc/RSCD242-SOL10-SPARC-LOCAL: OK
Detached signature: ./solaris10_x86/RSCD242-SOL10-X86-SPARC-LOCAL: OK
Detached signature: ./ubuntu_32/RSCD242-LIN32.deb: OK
Detached signature: ./ubuntu_64/RSCD242-LIN64.deb: OK
Embedded signature: ./linux_32/RSCD242-LIN32.rpm: OK
Embedded signature: ./linux_64/RSCD242-LIN64.rpm: OK
Embedded signature: ./linux_aarch64/RSCD242-LIN-AARCH64.rpm: OK
[root@clm-pun-v3t818 rscd]# echo $?
0
[root@clm-pun-v3t818 rscd]#
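gpg --verify reports a good signature and exits 0 for any key that is in the keyring, and the key file ships in the same zip as the installers, so the check is only as strong as the comparison against the fingerprint published on this page. The following shell functions are an added example, not part of BMC's gpg_verify.sh: they compare the key file's primary fingerprint before import and require the VALIDSIG status line to name that primary key. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not BMC's gpg_verify.sh): pin the signer by fingerprint.
# EXPECTED_FPR is the primary-key fingerprint published on this page.
EXPECTED_FPR=106A0E83E7DBAAA047E91E86575580E8543C219A

# Read a `gpg --with-colons` key listing on stdin and print the primary-key
# fingerprint: field 10 of the first "fpr" record after the "pub" record.
primary_fpr_from_colons() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# Read `gpg --status-fd` output on stdin. Succeed only if a VALIDSIG line names
# $1 as the primary-key fingerprint (its 10th argument, awk field 12) and no
# bad, erroneous, expired or revoked signature status was reported.
status_signed_by() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && $12 == want { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# Check a key file before importing it (calls gpg).
check_key_file() {
    fpr=$(gpg --show-keys --with-colons "$1" | primary_fpr_from_colons)
    [ "$fpr" = "$EXPECTED_FPR" ]
}

# Verify FILE against FILE.asc and require the pinned signer (calls gpg).
verify_pinned() {
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
        status_signed_by "$EXPECTED_FPR"
}

# Constructed samples of gpg output, built from the key details on this page.
SAMPLE_COLONS='pub:-:4096:1:575580E8543C219A:1706178058:::-:::scESC:
fpr:::::::::106A0E83E7DBAAA047E91E86575580E8543C219A:
uid:-::::1706178058::::TSSA Build Admins <tssabldadmins@bmc.com>:
sub:-:4096:1:350D91381185392B:1706178058::::::s:
fpr:::::::::B6BAC6539C67E6479CA98CC6350D91381185392B:'
SAMPLE_STATUS='[GNUPG:] VALIDSIG B6BAC6539C67E6479CA98CC6350D91381185392B 2024-04-01 1711949419 0 4 0 1 8 00 106A0E83E7DBAAA047E91E86575580E8543C219A'
```

After sourcing the file, run check_key_file ./tssa-public.gpg before importing the key, and verify_pinned linux_64/RSCD242-LIN64.sh in place of a bare gpg --verify.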
Limitations
TrueSight Server Automation signatures are generated using subkeys. However, there are certain limitations related to signature verification from the operating system utilities, as outlined below:
- RHEL 7 utilizes an older version of rpm that does not support the verification of signatures generated using subkeys.
- In Debian, there is a known defect in the GPG signature verification command, which results in verification failure when attempting to verify signatures generated using subkeys. This issue is documented in Debian bug #1059150 on the Debian webpage.
Workaround: In such cases, use the Detached Signature verification method instead of relying on Embedded signature verification.