Unified Automation Release PGP Signatures

All releases are cryptographically signed using OpenPGP-compliant signatures. Everyone is strongly encouraged to verify the integrity of downloaded files by verifying the corresponding signatures. This way you can ensure that the downloaded files have not been corrupted or manipulated.

Basic Concepts

Every release comes with a cryptographic signature signed by security@unifiedautomation.com.

Each website download comes with an individual PGP signature (no SHA-256 sums).

Our customers’ WebDAV/FTP download shares (Personal Download Area) contain multiple files. Therefore we use a two-step process to verify the contents of each folder:

  1. The file sha256sums.txt contains the SHA-256 sum (cryptographic hash) for each file in the folder.
  2. This file is cryptographically signed using PGP. This way attackers cannot forge the SHA-256 checksums.

Purpose of the Two Signature Files

  1. sha256sums.txt: This file contains cryptographic checksums of the downloaded files. It can be used to verify that the download was completed and the data was not corrupted. Anyone can create such a file using the `sha256sum` tool. This is an integrity check only and says nothing about the origin of the data.
  2. sha256sums.txt.asc: This is a PGP-signed version of the sha256sums.txt file. It proves that Unified Automation is the creator of the sha256sums.txt file and thus of every downloaded file whose checksum matches an entry in it.

When downloading files from the Unified Automation website or your personal download area, the connection is protected by HTTPS. It should be sufficient to check only 'sha256sums.txt'; there is no need to perform the PGP validation.

When you get the files from a third party (e.g. on CD, USB key, your VCS, or your company's network share), use PGP to verify that the files are original Unified Automation files and have not been modified.

Required Software

  • sha256sum: For computing and validating SHA-256 checksums
  • GnuPG: The GNU Privacy Guard (https://www.gnupg.org)

Linux users can simply install these tools using the package manager. Depending on your distribution the tools may be already installed.

Windows users can use Cygwin (https://www.cygwin.com), which provides Linux tools for Windows. Required packages are:

  • coreutils (includes sha256sum)
  • gnupg

Alternatively, there is a stand-alone Windows version, Gpg4win: http://gpg4win.org

First-time users of PGP should read https://www.gnupg.org/gph/en/manual/c14.html for getting started.

Install Unified Automation PGP Public Key

To be able to verify a PGP signature you must first install our PGP public key. This key is used to verify the PGP signatures; a signature can only be created using the corresponding PGP private key, which never leaves Unified Automation.

To learn more about the way PGP works, please consult Wikipedia.


$ gpg --search security@unifiedautomation.com
gpg: data source: keys.openpgp.org
(1)     Unified Security <security@unifiedautomation.com>
          2048 bit RSA key BDDFD429DEE7DECB, created: 2016-07-27
Keys 1-1 of 1 for "security@unifiedautomation.com".  Enter number(s), N)ext, or Q)uit > 1
gpg: key BDDFD429DEE7DECB: "Unified Security <security@unifiedautomation.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1


Alternatively, you can look up the public key here: https://keys.openpgp.org/search?q=security@unifiedautomation.com

The next step is to sign the fetched key with your own private key so that GnuPG treats our key as trusted. Before confirming, compare the "Primary key fingerprint" that gpg prints with the fingerprint shown in the transcript below; only sign the key if they match.


$ gpg --sign-key security@unifiedautomation.com

pub  2048R/DEE7DECB  created: 2016-07-27  expires: 2017-07-27  usage: SC
                     trust: unknown       validity: unknown
sub  2048R/C743BCDA  created: 2016-07-27  expires: 2017-07-27  usage: E
[ unknown] (1). Unified Security <security@unifiedautomation.com>


pub  2048R/DEE7DECB  created: 2016-07-27  expires: 2017-07-27  usage: SC
                     trust: unknown       validity: unknown
 Primary key fingerprint: 59E7 9D70 F9E6 C7BC 9C77 E8E3 BDDF D429 DEE7 DECB

     Unified Security <security@unifiedautomation.com>

This key is due to expire on 2017-07-27.
Are you sure that you want to sign this key with your
key "John Doe <john.doe@example.com>" (5AAC50C4)

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "John Doe <john.doe@example.com>"
1024-bit DSA key, ID 5AAC50C4, created 2003-11-06


Updating PGP Keys

The PGP key for security@unifiedautomation.com has an expiration date set, but the key is renewed every year as long as no security problems (e.g. broken crypto or a lost private key) arise.

To update your local copy of the key use the following command:


$ gpg --refresh-keys


Verifying the PGP Signature of Website Downloads

For each downloadable file (*.zip, *.tar.gz) we provide a detached signature file (*.sig). Save both in the same folder, since gpg locates the signed file by stripping the .sig extension, and use the following command to verify the download.

Example for a UaExpert download:


$ ls -l
-rw-rw---- 12 john users  11M Jun 18 14:57 uaexpert-bin-win32-x86-vs2008sp1-v1.3.0-201.exe
-rw-r--r--  1 john users  287 Jul  8 13:58 uaexpert-bin-win32-x86-vs2008sp1-v1.3.0-201.exe.sig
$ gpg --verify uaexpert-bin-win32-x86-vs2008sp1-v1.3.0-201.exe.sig
gpg: Signature made Tue 08 Jul 2014 01:58:48 PM CEST using RSA key ID DEE7DECB
gpg: Good signature from "Unified Security <security@unifiedautomation.com>"



Verifying the PGP Signature of WebDAV/FTP Downloads

The file sha256sums.txt.asc contains a PGP-signed version of sha256sums.txt. Using the GnuPG decrypt function you can verify the signature and extract the original sha256sums.txt file in one step. Note that only the extracted checksums go into the redirected file; the "Good signature" message is printed to the terminal and must be checked before the extracted file is used.


$ gpg --decrypt sha256sums.txt.asc > sha256sums.txt
gpg: Signature made Tue 08 Jul 2014 10:55:19 AM CEST using RSA key ID DEE7DECB
gpg: Good signature from "Unified Security <security@unifiedautomation.com>"


If You Get “BAD Signature”

If at any time you see “BAD signature” output from “gpg --verify”, please check the following first:

  • Make sure that the downloaded file is intact and not truncated or otherwise corrupted.
  • Check whether your FTP client uses binary file transfer mode.

If you repeatedly get the same “BAD signature” output, send an e-mail to support@unifiedautomation.com immediately, so we can investigate the problem.

Verifying SHA-256 Checksums

After you have created a “trusted” sha256sums.txt file (see step “Verifying the PGP signature of WebDAV/FTP downloads” above) you can now verify the checksums of all downloaded files.


$ sha256sum -c sha256sums.txt
CHANGELOG.txt: OK
uaexpert-bin-linux32-x86-gcc4.5.1-v1.3.0-201.tar.gz: OK
uaexpert-bin-win32-x86-vs2008sp1-v1.3.0-201.exe: OK


You should see “OK” for all files. If one or more files show “FAILED”, those files are corrupted. Please download them again. If you repeatedly get the same “FAILED” output, send an e-mail to support@unifiedautomation.com immediately, so we can investigate the problem.
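The two-step folder check described above in one script, added here as an example (it is not Unified Automation's own tooling). It assumes GnuPG is on the PATH, that the key fingerprint gpg printed in the --sign-key transcript is the one to require, and that the folder holds sha256sums.txt.asc next to the downloads; the sample folder built by demo() is constructed for illustration.

```python
import hashlib, pathlib, os, subprocess, tempfile

UA_FINGERPRINT = "59E79D70F9E6C7BC9C77E8E3BDDFD429DEE7DECB"  # as gpg printed it above, spaces removed

def parse_sha256sums(text):
    """sha256sum lines: 64 hex digits, then '  ' (text) or ' *' (binary mode), then the name."""
    entries = []
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        digest, mode, name = line[:64], line[64:66], line[66:]
        if len(digest) != 64 or mode not in ("  ", " *") or not name:
            raise ValueError("malformed sha256sums line: %r" % line)
        int(digest, 16)  # rejects non-hex digests
        entries.append((digest.lower(), name))
    return entries

def check_sums(folder, text):
    """Mirror `sha256sum -c`: map each listed file to OK, FAILED or MISSING."""
    results = {}
    for digest, name in parse_sha256sums(text):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        with open(path, "rb") as f:  # binary read: an ASCII-mode FTP transfer shows up as FAILED
            actual = hashlib.sha256(f.read()).hexdigest()
        results[name] = "OK" if actual == digest else "FAILED"
    return results

def verify_signed_sums(asc_path, fingerprint=UA_FINGERPRINT):
    """Step 1: `gpg --decrypt sha256sums.txt.asc`; return its plaintext only when GnuPG's VALIDSIG
    status line names the expected fingerprint, so a 'Good signature' by some other key is rejected."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "2", "--decrypt", asc_path],
                          capture_output=True)
    sigs = [l.split() for l in proc.stderr.decode(errors="replace").splitlines()
            if l.startswith("[GNUPG:] VALIDSIG ")]  # fields: signing-key fpr ... primary-key fpr
    if proc.returncode != 0 or not any(fingerprint in (s[2], s[-1]) for s in sigs):
        raise RuntimeError("BAD or unexpected signature on %s; do not trust its checksums" % asc_path)
    return proc.stdout.decode()  # step 2: check_sums(folder, <this text>)

def demo():
    """Constructed sample folder (no gpg needed): one intact, one corrupted, one missing file."""
    d = tempfile.mkdtemp()
    pathlib.Path(d, "CHANGELOG.txt").write_bytes(b"v1.3.0-201\n")
    pathlib.Path(d, "uaexpert.tar.gz").write_bytes(b"truncated download")
    sums = (hashlib.sha256(b"v1.3.0-201\n").hexdigest() + "  CHANGELOG.txt\n"
            + "0" * 64 + " *uaexpert.tar.gz\n" + "f" * 64 + "  missing.exe\n")
    return check_sums(d, sums)

if __name__ == "__main__":
    print(demo())  # {'CHANGELOG.txt': 'OK', 'uaexpert.tar.gz': 'FAILED', 'missing.exe': 'MISSING'}
```

For a real folder, run `check_sums(folder, verify_signed_sums(os.path.join(folder, "sha256sums.txt.asc")))`; the RuntimeError stops the process before any checksum is trusted.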