Verify the RPM installation with the Contrast GPG key


Objective

If you retrieve the Contrast Java agent from our RPM repo, you may want to verify that the download is signed by Contrast. The following steps show how to obtain the Contrast GPG key and use it to verify that the downloaded agent is correctly signed.

Process

1. Download the Contrast GPG key with the following command:

curl "https://keyserver.ubuntu.com/pks/lookup?search=0x34D84B137E8F1053&fingerprint=on&op=get" -o gpgkey.asc

2. Next, import the key into RPM:

sudo rpm --import gpgkey.asc

3. Use the following commands to configure your system to retrieve packages from the Contrast RPM repository:

OSREL=$(rpmquery -E "%{rhel}") 
sudo -E tee /etc/yum.repos.d/contrast.repo << EOF
[contrast]
name=contrast repo
baseurl=https://pkg.contrastsecurity.com/rpm-public/centos-$OSREL/
gpgcheck=1
enabled=1
EOF

Setting gpgcheck=1 ensures that any downloads from the Contrast RPM repository will be verified with the GPG key.

4. Install the Contrast Java agent from RPM:

sudo yum install contrast-java-agent

Once run, you'll see the following output:

sudo yum install contrast-java-agent
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
* base: mirror.umd.edu
* extras: centos.mirror.constant.com
* updates: mirror.umd.edu
base | 3.6 kB 00:00:00
contrast | 1.4 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/5): extras/7/x86_64/primary_db | 225 kB 00:00:00
(2/5): base/7/x86_64/group_gz | 153 kB 00:00:00
(3/5): contrast/primary | 38 kB 00:00:00
(4/5): base/7/x86_64/primary_db | 6.1 MB 00:00:03
(5/5): updates/7/x86_64/primary_db | 5.7 MB 00:00:05
contrast 237/237
Resolving Dependencies
--> Running transaction check
---> Package contrast-java-agent.noarch 0:3.8.2.19027-1.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
contrast-java-agent noarch 3.8.2.19027-1.el7 contrast 9.0 M
Transaction Summary
=============================================================================
Install 1 Package
Total download size: 9.0 M
Installed size: 10 M
Is this ok [y/d/N]: y
Downloading packages:
contrast-java-agent-3.8.2.19027-1.el7.noarch.rpm | 9.0 MB 00:00:07
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : contrast-java-agent-3.8.2.19027-1.el7.noarch 1/1
Verifying : contrast-java-agent-3.8.2.19027-1.el7.noarch 1/1
Installed:
contrast-java-agent.noarch 0:3.8.2.19027-1.el7
Complete!

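As no errors were thrown during the Verifying stage, and gpgcheck=1 makes yum reject a package whose signature does not verify against the imported key, we can be confident that the downloaded Java agent is signed by Contrast.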
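
The checks below are an added example, not Contrast's own tooling. Before the key is imported (step 2) and the agent installed (step 4), they confirm that the downloaded key file holds a single primary key whose fingerprint ends with the key ID from step 1, and that the [contrast] repo section sets gpgcheck=1 with an https baseurl. The function names and the sample key listing are assumptions constructed for illustration; the sample fingerprint is not Contrast's real fingerprint.

```shell
#!/bin/sh
# Added example: pre-install checks for steps 1-3. Helper names are hypothetical.
EXPECTED_KEYID="34D84B137E8F1053"   # key ID searched for in step 1

# Reads a colon-format key listing on stdin, e.g. from
#   gpg --show-keys --with-colons gpgkey.asc
# Succeeds only if the listing holds exactly one primary key and that key's
# fingerprint ends with the expected 64-bit key ID.
key_matches_id() {
    awk -F: -v want="$1" '
        $1 == "pub" { npub++; in_pub = 1; next }
        $1 == "sub" { in_pub = 0; next }
        in_pub && $1 == "fpr" {
            in_pub = 0
            fpr = toupper($10)
            if (length(fpr) >= 16 && substr(fpr, length(fpr) - 15) == toupper(want)) ok = 1
        }
        END { exit !(npub == 1 && ok == 1) }'
}

# Succeeds only if section $2 of repo file $1 sets gpgcheck=1 (the value used
# in step 3) and its baseurl is https.
repo_enforces_gpgcheck() {
    awk -v sect="[$2]" '
        { line = $0; gsub(/[ \t\r]/, "", line) }
        line ~ /^\[/ { cur = line; next }
        cur == sect && line ~ /^gpgcheck=/ { gpg = substr(line, 10) }
        cur == sect && line ~ /^baseurl=/  { url = substr(line, 9) }
        END { exit !(gpg == "1" && url ~ /^https:\/\//) }' "$1"
}

# Constructed sample listing: the first 24 hex digits of the fingerprint are
# made up; only the trailing key ID comes from the page.
SAMPLE_LISTING='pub:-:4096:1:34D84B137E8F1053:1546300800:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF34D84B137E8F1053:
uid:-::::1546300800::::Constructed Sample <sample@example.invalid>:'

if printf '%s\n' "$SAMPLE_LISTING" | key_matches_id "$EXPECTED_KEYID"; then
    echo "sample key fingerprint ends with $EXPECTED_KEYID"
fi
```

Against the real files, pipe the key listing from a GnuPG version that supports `--show-keys` into `key_matches_id 34D84B137E8F1053`, and call `repo_enforces_gpgcheck /etc/yum.repos.d/contrast.repo contrast`.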
