How to download and verify the deb and rpm packages for Sophos Linux Sensor.
Download the installation and content packages
- Sign in to Sophos Central.
- Go to Protect Devices > Sophos Linux Sensor.
- Select one of the following to download the installation package:
  - Download Linux Sensor rpm package
  - Download Linux Sensor deb package
- Select one of the following to download the content package:
  - Download Linux Sensor Content rpm package
  - Download Linux Sensor Content deb package
Verify the packages
Once you've downloaded the installation package, it's recommended to verify the package signatures before installing. To verify the installation package, do the following:
- Sign in to Sophos Central.
- Go to Protect Devices > Sophos Linux Sensor.
- Click Verify the integrity of the install package to view the fingerprint of Sophos' PGP public signing key.
- Save the fingerprint as a local file on your Linux system.
- To import your public key, run the following command:
    sudo rpm --import <path to GPG file>
- To verify the rpm package, run the following command:
    sudo rpm -K <path to rpm package>
  If successful, you should see the following message:
    <rpm File>: digests SIGNATURES OK
Verification of .deb package files requires debsig-verify to be installed on the system. See debsig-verify.
- Create a keyring directory for the public key. The keyring directory is named after the fingerprint of the Sophos GPG key. Run the following command:
    mkdir /usr/share/debsig/keyrings/<fingerprint>/
- Create a keyring file and import the Sophos GPG public key. The keyring file name doesn't matter.
    gpg --no-default-keyring \
        --keyring /usr/share/debsig/keyrings/<fingerprint>/<keychain name>.gpg \
        --import <path to GPG file>
- Create a directory to house the policy file using the fingerprint of the Sophos GPG key. Run the following command:
    mkdir /etc/debsig/policies/<fingerprint>/
  Warning: The directory must be named after the GPG key fingerprint.
- Create a file with a .pol extension in the /etc/debsig/policies/<fingerprint>/ directory. The name doesn't matter so long as it has a .pol extension and the directory name is the same as the fingerprint of the Sophos GPG key.
- Enter the following XML data in the newly created .pol file.
    <?xml version="1.0"?>
    <!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
    <Policy xmlns="http://www.debian.org/debsig/1.0/">
      <Origin Name="test" id="<fingerprint>" Description="Test package"/>
      <Selection>
        <Required Type="origin" File="<keychain name>.gpg" id="<fingerprint>"/>
      </Selection>
      <Verification MinOptional="0">
        <Required Type="origin" File="<keychain name>.gpg" id="<fingerprint>"/>
      </Verification>
    </Policy>
- To verify the .deb package, run the following command:
    debsig-verify <path to .deb file>
  If verification is successful, you will see the following message:
    debsig: Verified package from `Test package' (test)
Sophos Linux Sensor is now ready to be installed.
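The .deb steps above collected into one script, with an added check that the key file's fingerprint matches the one shown in Sophos Central before the key is imported. This is an added example, not Sophos' own tooling: the function names, the sophos.gpg and sophos.pol file names and the KEYRING_ROOT/POLICY_ROOT overrides are assumptions, and it assumes a 40-hex-digit fingerprint.

```shell
#!/bin/sh
# Added example, not Sophos' code. Assumed names: the functions, sophos.gpg,
# sophos.pol and the *_ROOT overrides. Assumes a 40-hex-digit fingerprint.
KEYRING_ROOT="${KEYRING_ROOT:-/usr/share/debsig/keyrings}"
POLICY_ROOT="${POLICY_ROOT:-/etc/debsig/policies}"

# Strip spaces and colons, upper-case, and require exactly 40 hex digits.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F')
    case "$fpr" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# Print the primary-key fingerprint of key file $1 without importing it.
key_file_fpr() {
    gpg --show-keys --with-colons "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Write the page's policy for fingerprint $1 and keyring file name $2.
write_policy() {
    mkdir -p "$POLICY_ROOT/$1"
    cat > "$POLICY_ROOT/$1/sophos.pol" <<EOF
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="http://www.debian.org/debsig/1.0/">
  <Origin Name="test" id="$1" Description="Test package"/>
  <Selection>
    <Required Type="origin" File="$2" id="$1"/>
  </Selection>
  <Verification MinOptional="0">
    <Required Type="origin" File="$2" id="$1"/>
  </Verification>
</Policy>
EOF
}

# Usage: setup_debsig <fingerprint shown in Sophos Central> <key file> <.deb file>
setup_debsig() {
    want=$(normalize_fpr "$1") || { echo "malformed fingerprint" >&2; return 1; }
    have=$(key_file_fpr "$2")
    [ "$want" = "$have" ] || { echo "key file is '$have', expected '$want'" >&2; return 1; }
    mkdir -p "$KEYRING_ROOT/$want"
    gpg --no-default-keyring --keyring "$KEYRING_ROOT/$want/sophos.gpg" --import "$2"
    write_policy "$want" sophos.gpg
    debsig-verify "$3"
}

if [ "$#" -eq 3 ]; then setup_debsig "$@"; fi
```

Run it as root, because it writes under /usr/share/debsig and /etc/debsig. It stops before importing anything if the key file's fingerprint differs from the one passed as the first argument.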