Objective
If you retrieve the Contrast Java agent from our RPM repo, you may want to verify that the download is signed by Contrast. The following steps show how to obtain the Contrast GPG key and use it to verify that the downloaded agent is correctly signed.
Process
1. Download the Contrast GPG key with the following command:
curl "https://keyserver.ubuntu.com/pks/lookup?search=0x34D84B137E8F1053&fingerprint=on&op=get" -o gpgkey.asc
2. Next, we'll need to import the key to RPM:
sudo rpm --import gpgkey.asc
3. Use the following commands to configure your system to retrieve packages from the Contrast RPM repository:
OSREL=$(rpmquery -E "%{rhel}")
sudo -E tee /etc/yum.repos.d/contrast.repo << EOF
[contrast]
name=contrast repo
baseurl=https://pkg.contrastsecurity.com/rpm-public/centos-$OSREL/
gpgcheck=1
enabled=1
EOF
Setting gpgcheck=1
ensures that any downloads from the Contrast RPM repository will be verified with the GPG key.
4. Install the Contrasts Java agent from RPM:
sudo yum install contrast-java-agent
Once run, you'll see the following output:
sudo yum install contrast-java-agent
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
* base: mirror.umd.edu
* extras: centos.mirror.constant.com
* updates: mirror.umd.edu
base | 3.6 kB 00:00:00
contrast | 1.4 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/5): extras/7/x86_64/primary_db | 225 kB 00:00:00
(2/5): base/7/x86_64/group_gz | 153 kB 00:00:00
(3/5): contrast/primary | 38 kB 00:00:00
(4/5): base/7/x86_64/primary_db | 6.1 MB 00:00:03
(5/5): updates/7/x86_64/primary_db | 5.7 MB 00:00:05
contrast 237/237
Resolving Dependencies
--> Running transaction check
---> Package contrast-java-agent.noarch 0:3.8.2.19027-1.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
contrast-java-agent noarch 3.8.2.19027-1.el7 contrast 9.0 M
Transaction Summary
=============================================================================
Install 1 Package
Total download size: 9.0 M
Installed size: 10 M
Is this ok [y/d/N]: y
Downloading packages:
contrast-java-agent-3.8.2.19027-1.el7.noarch.rpm | 9.0 MB 00:00:07
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : contrast-java-agent-3.8.2.19027-1.el7.noarch 1/1
Verifying : contrast-java-agent-3.8.2.19027-1.el7.noarch 1/1
Installed:
contrast-java-agent.noarch 0:3.8.2.19027-1.el7
Complete!
As no errors were thrown during the Verifying stage, we can be confident that the downloaded Java agent is signed by Contrast.