by Rishi Kanhaisingh
With cyber threats becoming more advanced, making sure software is secure and trustworthy is more important than ever. Code signing helps by acting like a digital stamp of approval. For end-users, it means they can feel confident that the software they download is safe and hasn’t been tampered with. IT professionals also rely on it to protect their systems making sure updates and installations are secure and approved. Without code signing, the danger of installing harmful software increases, which can lead to data breaches, system problems and financial losses.
Starting from Rocket Uniface 10.4.03-000, distributions (edist and patch) for all supported platforms will be securely code signed by Rocket Software using GaraSign.
This blog will guide you through the process of verifying signed distributions.
What is code signing?
Code signing is a process used to digitally sign applications, drivers, executables, and software programs to verify its authenticity and integrity.
Why is code signing important?
The signed distribution combines a Cryptographic Token and Rocket Software Certificate that you can verify before installing Uniface. With code distributions, you can ensure that Rocket Software is the author of Uniface and proves that the code has not been altered or tampered with after it was signed.
GaraSign solution
Rocket Software has chosen the SaaS-based security orchestration platform GaraSign as our secure code signing solution. This facilitates centralized control of the code signing process across all Rocket Software products ensuring that existing processes and workflows can continue to operate without interruption.
The below image shows the GaraSign components within Rocket Software:
1. GaraSign signing clients
All products across Rocket Software have integrated their signing tool to locally hash data and offload signature generation to the GaraSign Server.
2. GaraSign signing server
This is the centralized REST server that sits in front of the cryptographic tokens that store the signing keys.
3. Cryptographic Token
The cryptographic device(s) that store the signing keys (usually one or more HSMs).
How to verify signatures?
Both the Windows and iSeries distributions include an embedded signature, while the Linux/Unix distributions have a detached signature. The distinction between embedded and detached signatures lies in where the digital signature is stored in relation to the data being signed:
-
Embedded signatures are included within the data itself and becomes part of the signed file.
-
Detached signatures are stored separately from the data it signs. The signature comes as a separate .sig file and remains independent from the data.
2. How to verify detached signatures
You’ll need to take additional steps required, as the signature is stored in a separate file.
2.1 Distribution and signature file
The detached signature file has the same name as the distribution but with a .sig extension.
|
Filename |
Type |
Code |
Signature |
|
slifuf100403.tar |
edist |
lif |
slifuf100403.sig |
|
uf10403-<patchnumber>lif.tar |
patch |
lif |
uf10403-<patchnumber>lif.sig |
2.2 Prerequisites
2.2.1 OpenSSL
Ensure that OpenSSL has been installed on your system. You can check this on the command line by running:
openssl version
For Windows systems, Rocket Uniface is shipped with openssl.exe, which you can invoke from a command line prompt by navigating to the common/bin folder in the Rocket Uniface installation folder.
For other operating systems, follow the instructions online to install OpenSSL.
2.2.2 Rocket Uniface distribution
To verify the authenticity and integrity of either the Rocket Uniface edist or patch:
You can download distributions from: https://my.rocketsoftware.com/RocketCommunity/s/downloads?c__downloadCategory=Uniface
2.2.3 Rocket Software Public key
You should have the Rocket Software public key: rocket_b26.pem.pub.key, which is used to verify the signature.
The Rocket Software public key is located next to the distributions. You can download it from:
2.2.4 Rocket Software signature file
You need the detached Rocket Software signature file that was generated when the Uniface distribution was signed by GaraSign.
The Rocket Software signature file is located next to the distributions. You can download it from: https://my.rocketsoftware.com/RocketCommunity/s/downloads?c__downloadCategory=Uniface
2.3 Verify authenticity and integrity distribution
Navigate to the directory containing the public key, signature, and Rocket Uniface distribution (assuming you’ve downloaded all files into the same folder) in a command prompt, terminal or PowerShell window.
Verify the authenticity and integrity of the Uniface distribution by using the following `openssl` command:
For edist
openssl dgst -verify rocket_b26.pem.pub.key -keyform PEM -sha256 -signature slifuf100403.sig -binary slifuf100403.tar
For patch
openssl dgst -verify rocket_b26.pem.pub.key -keyform PEM -sha256 -signature uf10403-<patchnumber>lif.sig -binary uf10403-<patchnumber>lif.tar
On success the output will be:
Verified OK
On failure the output will be:
Verification Failure
A full explanation of the verification procedure is described in the readme_garasign.txt located next to the distributions. You can download it from:
https://my.rocketsoftware.com/RocketCommunity/s/downloads?c__downloadCategory=Uniface
The Rocket Uniface team is continuously striving to make your application more secure by implementing modern software development solutions such as GaraSign.
Author: Uniface Senior Software Developer, Rishi Kanhaisingh, rkanhaisingh@rocketsoftware.com
#tofp
#tofp
