Verify the RPM installation with the Contrast GPG key

  • Updated


If you retrieve the Contrast Java agent from our RPM repo, you may want to verify that the download is signed by Contrast. The following steps show how to obtain the Contrast GPG key and use it to verify that the downloaded agent is correctly signed.


1. Download the Contrast GPG key with the following command:

curl "" -o gpgkey.asc

2. Next, we'll need to import the key to RPM:

sudo rpm --import gpgkey.asc

3. Use the following commands to configure your system to retrieve packages from the Contrast RPM repository:

OSREL=$(rpmquery -E "%{rhel}") 
sudo -E tee /etc/yum.repos.d/contrast.repo << EOF
name=contrast repo

Setting gpgcheck=1 ensures that any downloads from the Contrast RPM repository will be verified with the GPG key.

4. Install the Contrasts Java agent from RPM:

sudo yum install contrast-java-agent

Once run, you'll see the following output:

sudo yum install contrast-java-agent
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
* base:
* extras:
* updates:
base | 3.6 kB 00:00:00
contrast | 1.4 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/5): extras/7/x86_64/primary_db | 225 kB 00:00:00
(2/5): base/7/x86_64/group_gz | 153 kB 00:00:00
(3/5): contrast/primary | 38 kB 00:00:00
(4/5): base/7/x86_64/primary_db | 6.1 MB 00:00:03
(5/5): updates/7/x86_64/primary_db | 5.7 MB 00:00:05
contrast 237/237
Resolving Dependencies
--> Running transaction check
---> Package contrast-java-agent.noarch 0: will be installed
--> Finished Dependency Resolution
Dependencies Resolved
Package Arch Version Repository Size
contrast-java-agent noarch contrast 9.0 M
Transaction Summary
Install 1 Package
Total download size: 9.0 M
Installed size: 10 M
Is this ok [y/d/N]: y
Downloading packages:
contrast-java-agent- | 9.0 MB 00:00:07
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : contrast-java-agent- 1/1
Verifying : contrast-java-agent- 1/1
contrast-java-agent.noarch 0:

As no errors were thrown during the Verifying stage, we can be confident that the downloaded Java agent is signed by Contrast.

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request