Contact Us Contact Us
United States-English

HP ZCentral Remote Boost Linux Package Verfication
  HP Inc. - Software Depot
Electronic download
Frequently asked questions
Product details & specifications
Overview

This page contains the public key and instructions needed to verify the integrity of HP ZCentral Remote Boost Linux packages. Follow the steps below to ensure that your Linux packages are from HP and have not been manipulated by a third party.

Contents

  1. Public Key Details
  2. Verifying RHEL/CentOS packages
  3. Removing the public key from a RHEL/CentOS system
  4. Verifying Ubuntu packages
  5. Removing the public key from an Ubuntu system

Public Key Details

Verifying RHEL/CentOS packages

Follow the steps below to verify the integrity of HP ZCentral Remote Boost Sender/Receiver install packages on a RHEL/CentOS system.

  1. Download the sender/receiver install package from the HP ZCentral Remote Boost website. Copy the downloaded file (ending in tar.gz) to your local directory and extract the .rpm install file.

  2. Download the public key file using the link in the Public Key Details section. Copy the donwloaded file (GPG-KEY-hpzcentralconnect.tar.gz) to your local directory and extract the public key.

    NOTE: The public key should not have a file extension once fully extracted.

  3. While logged in as root, use the following command to import the public key to the RPM key ring:
    rpm --import GPG-KEY-hpzcentralconnect

  4. Run the rpm --checksig command to verify the signature of the .rpm install package:
    rpm --checksig RPM_INSTALL_PKG
    Example: rpm --checksig rgreceiver-20.2.0.8538-1.x86_64.rpm

  5. If the signature is valid, the console output will look like the following, ending in "OK":
    RPM_INSTALL_PKG: rsa sha1 (md5)pgp md5 OK
    Example: rgreceiver-20.2.0.8538-1.x86_64.rpm: rsa sha1 (md5)pgp md5 OK

  6. If the file does not pass verification, it might have been modified in some way since being released and should not be installed.

Removing the public key from a RHEL/CentOS system

Follow the steps below if you would like to remove the public key from your system.

NOTE: This is not a required step in the package verification process.

  1. Run the command below to output a list of all gpg keys on your system:
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'

    Example output:
    gpg-pubkey-a123b45c-de678fg9 gpg(HP ZCentral Connect <hpss-admin@hp.com>)

  2. Find the key ID for the "HP ZCentral Connect" key in the console output. The key ID will start with gpg-pubkey.

  3. While logged in as root, run the following command, replacing keyId with the key ID found above. This will remove the key.
    rpm -e keyId

Verifying Ubuntu packages

Follow the steps below to verify the integrity of HP ZCentral Remote Boost Sender/Receiver install packages on an Ubuntu system.

  1. Download the sender/receiver install package from the HP ZCentral Remote Boost website. Copy the downloaded file (ending in tar.gz) to your local directory. Extract the install file (ex: rg_install_receiver_deb.tar.gz) and corresponding signature file (ex: rg_install_receiver_deb.tar.gz.asc).

  2. Download the public key file using the link in the Public Key Details section. Copy the downloaded file (GPG-KEY-hpzcentralconnect.tar.gz) to your local directory and extract the public key.

    NOTE: The public key should not have a file extension once fully extracted.

  3. Use the following command to import the public key to the GPG key:
    gpg --import GPG-KEY-hpzcentralconnect

  4. Use the gpg --verify command to verify the integrity of the install package. Pass both the install package and the corresponding signature file (ending in .asc) into the command:
    gpg --verify SIGNATURE_FILE INSTALL_FILE
    Example: gpg --verify rg_install_receiver_deb.tar.gz.asc rg_install_receiver_deb.tar.gz

  5. Console output if the signature is valid:
    gpg: Signature made XXX XX XXX 2020 XX:XX:XX XX MST using RSA key ID E19851F0
    gpg: Good signature from "HP ZCentral Connect <hpss-admin@hp.com>"

  6. If the level of trust on the key has not been set, you may see a trust level warning:
    gpg: WARNING: This key is not certified with a trusted signature!
    There is no indication that the signature belongs to the owner.

    Because the key has been downloaded from an HP site, and the site is SSL secured by HP, you can trust that the key is from HP. To remove this warning, you will need to set the level of trust on the key using the following commands:
    gpg --list-keys (Returns a list of all gpg keys on your system. Use this to get the KEY_ID)
    gpg --edit-key KEY_ID
    gpg> trust
    gpg> 5 (sets the level of trust)
    gpg> quit

Removing the public key from an Ubuntu system

Follow the steps below if you would like to remove the public key from your system.

NOTE: This is not a required step in the package verification process.

  1. Run the command below to output a list of all gpg keys on your system:
    gpg --list-keys

  2. Find the key ID for the HP ZCentral Connect key in the console output. Run the command below, replacing KEY_ID with the name of the key:
    gpg --delete-key KEY_ID
 
Additional product information
Product #: HPZCRB-LS
Version: 1.0
Software specification:
//