Signing of Linux RPM packages
IT Asset Management version 2018 R2
Signing of Linux RPM (Red Hat Package Manager) packages gives you an additional layer
of security if you are managing your own installation of Linux RPM packages for
FlexNet Inventory Agent. Only RPM packages are now signed, with DEB packages
unchanged.
Tip: The signing of the Linux packages has no effect on
the automated processes of adoption or self-upgrade of FlexNet Inventory Agent.
The additional security is beneficial only for third-party technologies,
including the native RPM installer on Linux platforms.
Both Linux RPM packages for the FlexNet Inventory Agent (from 13.1.0) are now signed
using GPG (GNU Privacy Guard).
- The private key is stored securely by Flexera.
- The public key is available from the Product and License Center as a separate download titled Inventory agent 13-1-0+ Linux RPM installer public key.zip. Your company password for the Flexera Customer Community is required to access this download. The fact that the key must be downloaded from a separate, password-protected source gives you some improvement in security.
- Use your browser to log into the Flexera Customer Community. (Your company's password for the Customer Community is required.)
- Select the Downloads tab from the row across the top of the page, identify FlexNet Manager Platform in the lists of products, and click the Access Above Products button that is below that product name. The Product and License Center site is displayed.
- In the Your Downloads section of the Home page, click the link for FlexNet Manager Platform.
- In the Download Packages page, click the link for FlexNet Manager Platform 2018 R2 to access the downloads.
- Download Inventory agent 13-1-0+ Linux RPM installer public key.zip, and unzip it to your preferred location on a target device where you want to install the Linux version of FlexNet Inventory Agent.
Once the public key has been downloaded, it may be installed on each target device
prior to validating or installing the signed RPM package:
rpm --import pathWhereSaved/RPM-GPG-KEY-FlexeraSoftwareLLC
Tip: If you choose to install a Linux RPM package without the public
key in place, a warning is issued. You may choose to ignore the warning, and the
installation can continue.
With the public key installed, you can validate the downloaded installation package
with the normal RPM command:
rpm -K agentInstallationFile
A result of md5 gpg OK means the signature of the package has been verified,
that the package is not corrupt, and that FlexNet Inventory Agent is
therefore safe to install and use.
With the public key securely imported into rpm, all future upgrades/installations of the FlexNet Inventory Agent can also be verified against that key.
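A wrapper for the check above, as an added example that is not part of the original page or Flexera's own tooling: it passes only when rpm -K reports a verified signature, so an unsigned package or a missing key is not mistaken for a pass because the line ends in OK. The function names are hypothetical, the sample output lines are constructed, and the exact wording of rpm -K output is assumed to vary by rpm version as noted in the comments.

```shell
#!/bin/sh
# Added example: gate on the verdict of `rpm -K`, not just on seeing "OK".
# Constructed sample lines (wording varies by rpm version; the last two
# forms are assumed for newer rpm releases):
#   managesoft-13.1.0-1.i386.rpm: md5 gpg OK        -> verified
#   managesoft-13.1.0-1.i386.rpm: sha1 md5 OK       -> unsigned
#   ...: (GPG) NOT OK (MISSING KEYS: GPG#3eb44861)  -> failed
#   pkg.rpm: digests signatures OK                  -> verified
#   pkg.rpm: digests OK                             -> unsigned

# Print verified | unsigned | failed for one line of `rpm -K` output.
classify_rpm_check() {
    result=${1#*: }                    # drop the "file.rpm: " prefix
    case $result in
        *"NOT OK"*) echo failed; return 0 ;;   # bad digest, bad or unverifiable signature
    esac
    case $result in
        *" OK") ;;
        *) echo failed; return 0 ;;            # empty or unrecognised output
    esac
    # A lower-case signature token means a signature was present and checked
    # against an imported key; digests alone only show the file is intact.
    for tok in $result; do
        case $tok in
            gpg|pgp|signatures) echo verified; return 0 ;;
        esac
    done
    echo unsigned
}

# Hypothetical helper: return 0 only when the package signature verified.
verify_rpm() {
    pkg=$1
    # The verdict is the last stdout line; key warnings go to stderr.
    out=$(LC_ALL=C rpm -K "$pkg" 2>/dev/null | tail -n 1)
    verdict=$(classify_rpm_check "$out")
    if [ "$verdict" = verified ]; then
        echo "signature verified: $pkg"
        return 0
    fi
    echo "refusing $pkg: rpm -K verdict is '$verdict'" >&2
    return 1
}
```

Call `verify_rpm agentInstallationFile` after the `rpm --import` step and continue to the install only when it returns zero.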
Additional Information
As noted above, having a signed RPM package has no effect on the automated processes
of adoption or self-upgrade of FlexNet Inventory Agent, so it is not necessary to
download and install the public key for our automated processes. If a signed Linux
agent is used in these processes when no public key is available, a warning similar
to the following is produced:
warning: managesoft-13.1.0-1.i386.rpm: Header V3 DSA/SHA1 Signature, key ID 3eb44861: NOKEY
This warning has no effect on the continuation of the adoption/installation or
self-update. If you are troubleshooting, you may find this warning in the adoption
log file (/var/tmp/flexera/log/ndinstlr.log), from where it may
be uploaded to ; and for upgrades, the warning may appear in
/var/opt/managesoft/log/installation.log — but now you know
not to be disturbed by it!