
Signing content XML files

You should develop and test content in your lab environment before distributing it to your production servers. The console import/export XML feature supports this practice.

By default, content imported into the Tanium™ Server must be signed with a cryptographic key. On the Tanium Server, you maintain the public keys of trusted signers. When you import content, the server checks the signature against its store of public key files. If the check fails, the content is not imported, and the console displays failure messages.

Figure 1: Errors due to signature verification failure
Note: Content you import as a component of Tanium solutions or Tanium content packs is signed by Tanium. The public key is distributed to the Tanium Server during installation.

Use KeyUtility.exe to sign the XML file

The Tanium installation includes a cryptographic key utility that you use to sign content XML files. The command-line utility and associated files are in the top-level installation directory (for example, D:\Program Files\Tanium\Tanium Server). You can run the utility from the installation directory or copy the following files to a working directory:

  • KeyUtility.exe
  • TaniumCryptoLibrary.dll
  • tbbmalloc.dll

To generate the signing keys, use the following command, where <outFile> is the base name for the key files:

KeyUtility.exe makekeys <outFile>

For example:

KeyUtility.exe makekeys TaniumLab

The utility generates a public and private key pair, written as <outFile>.pub (the public key) and <outFile>.pvk (the private key). The following is an example of a working directory after the keys have been generated:

D:\Tanium\Working>KeyUtility.exe makekeys TaniumLab

D:\Tanium\Working>dir

Directory of D:\Tanium\Working

04/12/2017  10:12 AM    <DIR>          .
04/12/2017  10:12 AM    <DIR>          ..
04/10/2017  02:14 PM            20,435 Example Multicolumn Sensor Windows Registry.xml
03/30/2017  03:56 PM         6,806,440 KeyUtility.exe
03/30/2017  03:33 PM         4,274,600 TaniumCryptoLibrary.dll
04/12/2017  10:12 AM               158 TaniumLab.pub
04/12/2017  10:12 AM               241 TaniumLab.pvk
03/27/2017  10:44 AM           479,232 tbbmalloc.dll
               6 File(s)     11,581,106 bytes
               2 Dir(s)  23,338,901,504 bytes free

Next, use the following command to sign the content XML file:

KeyUtility.exe signcontent TaniumLab.pvk <XMLfile>

For example:

KeyUtility.exe signcontent TaniumLab.pvk "Example Multicolumn Sensor Windows Registry.xml"

The utility appends the signature as an XML comment on the last line of the XML file. It looks similar to the following (shown here as a single line; do not edit or reformat the file after signing, because any change to the content invalidates the signature):

<!--hash=2a8bc7529c9fcdad037982bcbfc12306aa88ac8b9d95d02248ec369008188b7c0e356ad1811609c754eb01dc97c09b9f2acb10331e2d9dbf77d309124c61950a;signature=01AF3D547A97CCBD62A022F398586DEAD4E29A30C29406283DA2E8F1E9FCF176194D66D4D9602538102F8F2FBBCFBC7AF370DB44E839C047253A246447E9A146706F00E94CD26D2CF29D8916E6EE0F21C77F0E13A6769905E5DDC09458912A94BB74C1311C9B26301DB8D8C73AC043EBC6A5A836FB6815011F1ACB37E0248A30F100B631-->

Copy the content signing public key file to your Tanium servers

Before you import the XML file, copy only the public key file (TaniumLab.pub in the example) to the Tanium Server content keys folder. For example, D:\Tanium\Tanium Server\content_public_keys\content. Keep the private key file (TaniumLab.pvk) with the people who sign content; it is not needed on the server, and anyone who holds it can sign content that the server will accept.

Figure 2: Content public keys folder
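The whole procedure (stage the utility, generate the key pair, sign the content file, check that the signature comment was appended, and publish only the public key) can be scripted. The following PowerShell script is an added example and is not part of the Tanium documentation or the KeyUtility.exe tool; the directory paths, key name and content file name are assumptions taken from the examples above, and the regular expression that checks the trailer assumes the signature comment occupies one line, as it does in a signed file.

```powershell
# Added example, not from the original page. Paths and names below are assumptions
# for illustration; adjust them to your environment.
$ErrorActionPreference = 'Stop'

$TaniumServerDir = 'D:\Program Files\Tanium\Tanium Server'            # assumed install dir
$WorkDir         = 'D:\Tanium\Working'                                 # assumed working dir
$KeyName         = 'TaniumLab'                                         # base name for .pub/.pvk
$ContentXml      = 'Example Multicolumn Sensor Windows Registry.xml'   # file to sign
$PublicKeyDir    = 'D:\Tanium\Tanium Server\content_public_keys\content' # server key folder

# 1. Stage KeyUtility.exe and the two DLLs it needs in the working directory.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
foreach ($f in 'KeyUtility.exe', 'TaniumCryptoLibrary.dll', 'tbbmalloc.dll') {
    Copy-Item -Path (Join-Path $TaniumServerDir $f) -Destination $WorkDir -Force
}
Set-Location $WorkDir

# 2. Generate the key pair once. Refuse to overwrite an existing private key,
#    because a new key would silently invalidate the trust already configured on servers.
if (-not (Test-Path "$KeyName.pvk")) {
    & .\KeyUtility.exe makekeys $KeyName
    if ($LASTEXITCODE -ne 0) { throw "makekeys failed with exit code $LASTEXITCODE" }
}

# 3. Sign the content file with the private key.
& .\KeyUtility.exe signcontent "$KeyName.pvk" $ContentXml
if ($LASTEXITCODE -ne 0) { throw "signcontent failed with exit code $LASTEXITCODE" }

# 4. Check that a signature comment of the documented form
#    <!--hash=...;signature=...--> is now the last line of the file.
$lastLine = Get-Content -Path $ContentXml -Tail 1
if ($lastLine -notmatch '^<!--hash=[0-9a-fA-F]+;signature=[0-9a-fA-F]+-->$') {
    throw "No signature comment found at the end of '$ContentXml'"
}

# 5. Publish only the public key. The .pvk stays with the signer and must never
#    be placed in the server's key folder.
Copy-Item -Path "$KeyName.pub" -Destination $PublicKeyDir -Force
if (Test-Path (Join-Path $PublicKeyDir "$KeyName.pvk")) {
    throw "Private key found in '$PublicKeyDir'; remove it before importing content"
}
Write-Host "Signed '$ContentXml' and published $KeyName.pub to $PublicKeyDir"
```

Run the script from an elevated PowerShell session on the machine that holds the private key, then import the signed XML through the console. The check in step 4 only confirms that a trailer was written; the real verification is the one the Tanium Server performs against its public key store at import time, so a failed import after this script succeeds usually means the wrong .pub file was published.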

For more information on KeyUtility.exe and troubleshooting information, see the Tanium Support Knowledge Base article (login required).

Last updated: 5/16/2018 1:12 PM