Qualys Cloud Agent for Linux – GPG Key Update to SHA-256 and SHA-1 Removal

Spencer Brown

Following our move in May 2024 to a FIPS-compliant build for RPM-based operating systems, Qualys continues to enhance security for our Linux users. Starting with Qualys Cloud Agent for Linux version 7.2, targeted for release in March 2025, we are upgrading our Linux RPM GPG signing key to SHA-256, removing support for the SHA-1 key, and providing a FIPS-compliant build for DEB-based operating systems. These changes align with industry best practices and raise the standard of package integrity verification.

Why Are We Making This Change?

The RPM installer for Qualys Cloud Agent Linux is signed with a GPG key to confirm authenticity and integrity, ensuring the package hasn’t been modified after signing. By replacing the SHA-1 key with SHA-256, we are further strengthening this process. This update will:

  • Eliminate Outdated Cryptography: Removing SHA-1 entirely reinforces the security of the Qualys Cloud Agent.
  • Improve Package Integrity Verification: The SHA-256 algorithm offers a more robust defense against tampering.
  • Align with Modern Security Standards: SHA-256 complies with current cryptographic standards.

Important: Impact on Agent Installation and Upgrades

If you have security policies that block installations or upgrades based on outdated or unrecognized GPG keys, agent installs and upgrades will fail if the new SHA-256-based key is not imported. To prevent any disruptions, make sure the new GPG key is imported on all relevant systems before March 2025.

What Happens If You Try to Install or Upgrade Without Importing the New GPG Key?

The install or upgrade will fail with the following message:

qualys-cloud-agent.rpm is not installed
Error: GPG check FAILED

What This Means for Customers

If you are currently using the Qualys Cloud Agent for Linux, please update to the new SHA-256 GPG key and remove any dependencies on SHA-1 by March 2025. Follow these steps to prepare:

  1. Download the New GPG Key

    Use the following SHA-256 checksum to verify its integrity:

da33d3370daa40665a597c801174efaa417c7d19919e82adece9bac09c7e4436

  2. Import the New GPG Key

$ sudo rpm --import qualys_gpg_key.pem

  3. Verify the RPM Package
    Once imported, verify the integrity of your Cloud Agent Linux RPM packages with:

$ sudo rpm -K <cloud-agent-rpm-filename>

  4. Remove the Old SHA-1 Key (if applicable)
    Remove the previous SHA-1 key from your systems to avoid potential conflicts:

$ sudo rpm -e qualys_old_gpg_key
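
The steps above gathered into one script, as an added example that is not Qualys' own tooling: it refuses to run rpm --import until the key file's SHA-256 matches the checksum published above, and treats anything other than a clean rpm -K result as a failure. The function names, the script name and the QUALYS_KEY_RUN switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Qualys tooling: import the new key only after its SHA-256
# matches the value published in the post, then treat `rpm -K` output fail-closed.
# All function names and the QUALYS_KEY_RUN switch are this script's own.
EXPECTED_KEY_SHA256="da33d3370daa40665a597c801174efaa417c7d19919e82adece9bac09c7e4436"

# sha256_of FILE: hex SHA-256 digest via sha256sum (GNU) or shasum (BSD/macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# sha256_matches FILE EXPECTED: 0 if digests match (case-insensitive), 2 if FILE is unreadable
sha256_matches() {
    [ -r "$1" ] || { echo "missing or unreadable: $1" >&2; return 2; }
    [ "$(sha256_of "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# import_verified_key FILE: never hand an unverified key to rpm --import
import_verified_key() {
    if sha256_matches "$1" "$EXPECTED_KEY_SHA256"; then
        sudo rpm --import "$1"
    else
        echo "refusing to import $1: SHA-256 mismatch or unreadable file" >&2
        return 1
    fi
}

# rpm_sig_ok LINE: 0 only for the rpm 4.14+ success wording; anything else, e.g.
# "digests SIGNATURES NOT OK" when the key was never imported, fails closed
rpm_sig_ok() {
    case "$1" in
        *": digests signatures OK") return 0 ;;
        *) return 1 ;;
    esac
}

# verify_package RPM: run rpm -K and accept the package only on a clean result
verify_package() {
    result=$(rpm -K "$1" 2>&1)
    echo "$result"
    rpm_sig_ok "$result"
}

# Runs only when explicitly requested, so sourcing the file has no side effects:
#   QUALYS_KEY_RUN=1 sh verify_qualys_key.sh qualys_gpg_key.pem <cloud-agent-rpm-filename>
if [ "${QUALYS_KEY_RUN:-0}" = "1" ]; then
    import_verified_key "${1:?key file}" && verify_package "${2:?rpm file}"
fi
```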

Identifying Affected Assets

To locate assets still using the SHA-1 key, you can use QID 45636 "Cloud Agent Linux RPM GPG Signing Key Detected" in the Information Gathered section. This QID will help confirm that all systems have been updated to the SHA-256 key.

If you wish to have early access to the SHA-256-only build, please contact your TAM or contact support.
