New Code Signing Solution

  • January 22, 2026

Rocket Software’s New Code Signing Solution

Author: Frank Ghijsens, Uniface Senior Software Developer, fghijsens@rocketsoftware.com

Rocket Software has transitioned from GaraSign to an in-house code signing solution for securing its distributions.

 

What is Code Signing and Why Does It Matter?

Imagine you are receiving a software package. How can you be sure it's really from the company that claims to have sent it? And more importantly, how do you know it hasn't been tampered with or infected with a virus along the way?

This is where code signing comes in.

Code signing is the digital equivalent of putting a tamper-evident seal on a physical product. It provides two key guarantees:

1. Authenticity: It proves that the software was created by a specific publisher.
2. Integrity: It confirms that the software has not been altered or corrupted since it was signed.

When you download or run signed software, your operating system or application checks this digital seal. If the seal is intact and from a trusted publisher, you can proceed with confidence. If it's broken or from an unknown source, you'll receive a security warning.

 

Why Are We Transitioning?

Rocket Software has transitioned from GaraSign, a SaaS-based security orchestration platform, to its own in-house code signing solution.

The new solution provides Rocket Software with greater control over maintenance and future enhancements, while standardizing the code signing process across workflows to ensure uninterrupted operations.

This blog will guide you through the changes in verifying signed distributions and patches.

 

What Has Changed?

Starting with Rocket Uniface version 10.4.03-033, all distributions (edist and patch) for supported platforms will be securely signed using the internal code signing infrastructure.

  1. Signature File

The detached signature file has the same name as the distribution, but with a .sigx extension instead of the former .sig extension.

| Distribution file | Type | Platform | Signature file |
|---|---|---|---|
| slifuf100403.tar | edist | lif | slifuf100403.sigx |
| uf10403-<patchnumber>lif.tar | patch | lif | uf10403-<patchnumber>lif.sigx |

  2. Rocket Software Public Key

The public key file changed from rocket_b26.pem.pub.key to Rocket-Publisher.pub.pem.

The Rocket Software public key is located next to the distributions and can be downloaded from https://my.rocketsoftware.com/RocketCommunity/s/downloads?c__downloadCategory=Uniface.

  3. Authenticity and Integrity

Navigate to the directory containing the public key, signature, and Rocket Uniface distribution (assuming you’ve downloaded all files into the same folder) in a command prompt, terminal or PowerShell window.

Verify the authenticity and integrity of the Uniface distribution as of 10.4.03-033 by using the following `openssl` command:

For edist:

openssl dgst -sha256 -verify Rocket-Publisher.pub.pem -signature slifuf100403.sigx slifuf100403.tar

For patch:

openssl dgst -sha256 -verify Rocket-Publisher.pub.pem -signature uf10403-<patchnumber>lif.sigx uf10403-<patchnumber>lif.tar

 

Distributions 10.4.03-000 through 10.4.03-032 continue to be verified using:

For edist:

openssl dgst -verify rocket_b26.pem.pub.key -keyform PEM -sha256 -signature slifuf100403.sig  -binary slifuf100403.tar

For patch:

openssl dgst -verify rocket_b26.pem.pub.key -keyform PEM -sha256 -signature uf10403-<patchnumber>lif.sig  -binary uf10403-<patchnumber>lif.tar

 

On success the output will be:
Verified OK

On failure the output will be:
Verification Failure
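
For use in an install script, the commands above can be wrapped so that a missing file or a bad signature stops the install. This is an added example, not part of the original post or Rocket Software's tooling: the function name `verify_dist` and its optional key-directory argument are assumptions. It picks the `.sigx` or `.sig` pair by which file is present and decides on the `openssl` exit status rather than the printed text.

```shell
#!/bin/sh
# Added example (not Rocket Software's code): fail-closed signature check.
# Usage: verify_dist FILE [KEYDIR]
#   FILE    distribution archive, e.g. slifuf100403.tar
#   KEYDIR  directory holding the public key (assumption: defaults to
#           the directory that contains FILE)
verify_dist() {
    dist=$1
    [ -f "$dist" ] || { echo "missing distribution: $dist" >&2; return 2; }
    keydir=${2:-$(dirname -- "$dist")}
    stem=${dist%.tar}

    # Select signature and key by extension: .sigx is the new scheme
    # (10.4.03-033 and later), .sig the former one (10.4.03-000 to -032).
    if [ -f "$stem.sigx" ]; then
        sig=$stem.sigx
        key=$keydir/Rocket-Publisher.pub.pem
    elif [ -f "$stem.sig" ]; then
        sig=$stem.sig
        key=$keydir/rocket_b26.pem.pub.key
    else
        echo "no .sigx or .sig file next to $dist" >&2
        return 2
    fi
    [ -f "$key" ] || { echo "missing public key: $key" >&2; return 2; }

    # openssl exits 0 only when the signature verifies; use that status
    # instead of matching the "Verified OK" text.
    if openssl dgst -sha256 -verify "$key" -signature "$sig" "$dist" \
            >/dev/null 2>&1; then
        echo "OK: $dist verified against $sig"
        return 0
    fi
    echo "FAILED: $dist does not verify against $sig with $key" >&2
    return 1
}

# Run directly as: sh verify_dist.sh slifuf100403.tar
if [ "$#" -gt 0 ]; then
    verify_dist "$@"
fi
```

The function returns 0 on a valid signature, 1 on a verification failure, and 2 when the distribution, signature, or key file is missing.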

 

The verification procedure is explained in full in readme_integrity_verification.txt, located next to the distributions.

Note: The verification process remains unchanged for Windows and iSeries platforms.

The Rocket Uniface team is continuously striving to make your application more secure by implementing modern software development solutions.