Unified Automation Release PGP Signatures

All releases are cryptographically signed using OpenPGP-compliant signatures. Everyone is strongly encouraged to verify the integrity of downloaded files by verifying the corresponding signatures. This way you can ensure that the downloaded files have not been corrupted or manipulated.

Basic Concepts

Every release comes with a cryptographic signature signed by admin@unifiedautomation.com.

Each website download contains an individual PGP signature.

Our customers’ WebDAV/FTP download shares (Personal Download Area) contain multiple files. Therefore we use a two-step process to verify the contents of each folder:

  1. The file sha256sums.txt contains the SHA-256 sum (cryptographic hash) for each file in the folder.
  2. This file is in turn cryptographically signed using PGP. This way an attacker who replaces a file cannot also substitute a matching SHA-256 checksum without forging the signature.

Required Software

  • sha256sum: For computing and validating SHA-256 checksums
  • GnuPG: The GNU Privacy Guard (https://www.gnupg.org)

Linux users can simply install these tools using the package manager. Depending on your distribution the tools may already be installed.

Windows users can use cygwin (https://www.cygwin.com) which provides Linux tools for Windows. Required packages are:

  • coreutils (includes sha256sum)
  • gnupg

Alternatively, Gpg4win provides a stand-alone Windows version of GnuPG: http://gpg4win.org


First-time users of PGP should read https://www.gnupg.org/gph/en/manual/c14.html for getting started.

Install Unified Automation PGP Public Key

To be able to verify a PGP signature you must first install our PGP public key. This key is used to verify the PGP signatures. A signature can only be created using the corresponding PGP private key.

To learn more about the way PGP works, please consult Wikipedia.


$ gpg --keyserver keys.gnupg.net --recv-keys DEE7DECB
gpg: requesting key DEE7DECB from hkp server keys.gnupg.net
gpg: key DEE7DECB: public key "Unified Security <security@unifiedautomation.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)


The next step is to sign the fetched key with your private key to trust our key. Before you do so, compare the fingerprint that gpg displays with the one shown below (59E7 9D70 F9E6 C7BC 9C77 E8E3 BDDF D429 DEE7 DECB): the short key ID DEE7DECB alone is not a unique identifier on a keyserver, and signing the key is what makes GnuPG accept signatures made with it as valid.


$ gpg --sign-key DEE7DECB


pub 2048R/DEE7DECB created: 2016-07-27 expires: 2017-07-27 usage: SC
trust: unknown validity: unknown
sub 2048R/C743BCDA created: 2016-07-27 expires: 2017-07-27 usage: E
[ unknown] (1). Unified Security <security@unifiedautomation.com>


pub 2048R/DEE7DECB created: 2016-07-27 expires: 2017-07-27 usage: SC
trust: unknown validity: unknown
Primary key fingerprint: 59E7 9D70 F9E6 C7BC 9C77 E8E3 BDDF D429 DEE7 DECB

Unified Security <security@unifiedautomation.com>

This key is due to expire on 2017-07-27.

Are you sure that you want to sign this key with your
key "Gerhard Gappmeier <gerhard.gappmeier@ascolab.com>" (5AAC50C4)

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "Gerhard Gappmeier <gerhard.gappmeier@ascolab.com>"
1024-bit DSA key, ID 5AAC50C4, created 2003-11-06


Verifying the PGP Signature of Website Downloads

For each downloadable file (*.zip, *.tar.gz) we provide a detached signature file (*.sig). Save both in the same folder, keeping their original names, and use the following command to verify the download. gpg locates the file to check by stripping the .sig extension from the signature file name.

Example for a UaExpert download:


$ ls -l
-rw-rw---- 12 gergap users   11M Jun 18 14:57 uaexpert-bin-win32-x86-vs2008sp1-v1.3.0-201.exe
-rw-r--r--  1 gergap gergap  287 Jul  8 13:58 uaexpert-bin-win32-x86-vs2008sp1-v1.3.0-201.exe.sig
$ gpg --verify uaexpert-bin-win32-x86-vs2008sp1-v1.3.0-201.exe.sig
gpg: Signature made Tue 08 Jul 2014 01:58:48 PM CEST using RSA key ID DEE7DECB
gpg: Good signature from "Unified Security <security@unifiedautomation.com>"


Verifying the PGP Signature of WebDAV/FTP Downloads

The file sha256sums.txt.asc contains a PGP-signed version of sha256sums.txt. Using GnuPG's decrypt function you can verify the signature and extract the original sha256sums.txt file in one step. Make sure gpg reports a “Good signature” from our key before using the extracted file: with --decrypt, the signed data is written to the output even when the signature does not verify, so the verdict is the gpg message (or its exit status), not the presence of the output file.


$ gpg --decrypt sha256sums.txt.asc > sha256sums.txt
gpg: Signature made Tue 08 Jul 2014 10:55:19 AM CEST using RSA key ID DEE7DECB
gpg: Good signature from "Unified Security <security@unifiedautomation.com>"


If You Get “BAD Signature”

If at any time you see “BAD signature” output from “gpg --verify”, please check the following first:

  • Make sure that the downloaded file is intact and not truncated or otherwise corrupted.
  • Check whether your FTP client uses binary file transfer mode.

If you repeatedly get the same “BAD signature” output, send an e-mail to support@unifiedautomation.com immediately, so we can investigate the problem.

Verifying SHA-256 Checksums

After you have created a “trusted” sha256sums.txt file (see “Verifying the PGP Signature of WebDAV/FTP Downloads” above), run the following command in the folder containing the downloaded files to verify the checksums of all of them.


$ sha256sum -c sha256sums.txt
CHANGELOG.txt: OK
uaexpert-bin-linux32-x86-gcc4.5.1-v1.3.0-201.tar.gz: OK
uaexpert-bin-win32-x86-vs2008sp1-v1.3.0-201.exe: OK


You should see “OK” for all files. If one or more files show “FAILED”, those files are corrupted or have been modified. Please download them again. If you repeatedly get the same “FAILED” output, send an e-mail to support@unifiedautomation.com immediately, so we can investigate the problem.
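The following script is an added example, not Unified Automation's own tooling, that automates the two-step check described above for a WebDAV/FTP download folder. Step 1 runs gpg (assumed to be on PATH with the public key already imported) against sha256sums.txt.asc and accepts the manifest only if gpg's machine-readable status reports a VALIDSIG from the primary key fingerprint printed on this page, so that a "Good signature" from some other key in your keyring is not mistaken for acceptance. Step 2 re-hashes every listed file and additionally flags files present in the folder but absent from the manifest, which `sha256sum -c` alone does not report. The sample folder contents and the gpg status lines are constructed for the example; only the key ID and fingerprint come from this page.

```python
"""Added example: verify a download folder the way this page describes.
Step 1: check sha256sums.txt.asc via gpg and its --status-fd output.
Step 2: re-hash every file in the verified sha256sums.txt."""
import hashlib
import os
import subprocess
import tempfile

# Primary key fingerprint printed by 'gpg --sign-key DEE7DECB' on this page.
EXPECTED_FPR = "59E79D70F9E6C7BC9C77E8E3BDDFD429DEE7DECB"

# Status keywords after which the signature must not be trusted.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}


def parse_gpg_status(status_text, expected_fpr=EXPECTED_FPR):
    """Decide from 'gpg --status-fd' output whether the signature is good AND
    made by the expected key. Returns (ok, reason)."""
    expected = expected_fpr.replace(" ", "").upper()
    seen_fprs = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in REJECT_KEYWORDS:
            return False, keyword
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <reserved> <pk-algo>
            #          <hash-algo> <class> <primary-fpr>; the last field is the
            # primary key's fingerprint even when a subkey made the signature.
            primary = fields[11] if len(fields) >= 12 else fields[2]
            seen_fprs.append(primary.upper())
    if expected in seen_fprs:
        return True, "VALIDSIG"
    if seen_fprs:
        return False, "UNEXPECTED_KEY"  # valid, but not the key we expect
    return False, "NO_VALIDSIG"


def verify_signed_manifest(asc_path, out_path):
    """Run gpg (assumed on PATH, key imported) to verify sha256sums.txt.asc and
    write sha256sums.txt. gpg writes the data even when the signature is bad,
    so the status is the verdict; an unverified manifest is removed."""
    proc = subprocess.run(
        ["gpg", "--batch", "--yes", "--status-fd", "1", "--output", out_path,
         "--decrypt", asc_path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    ok, reason = parse_gpg_status(proc.stdout)
    if not ok and os.path.exists(out_path):
        os.remove(out_path)
    return ok, reason


def parse_sha256sums(text):
    """Parse sha256sum's format '<64 hex>  <name>' (a '*' before the name marks
    binary mode). Returns {name: lowercase hex digest}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" ")
        if name.startswith("*"):
            name = name[1:]
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError("malformed checksum line: %r" % raw)
        entries[name] = digest.lower()
    return entries


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_folder(folder, manifest="sha256sums.txt"):
    """Return {name: OK|FAILED|MISSING|UNLISTED} for every file in the folder.
    Only the manifest and its signature may legitimately be unlisted."""
    with open(os.path.join(folder, manifest), encoding="utf-8") as f:
        expected = parse_sha256sums(f.read())
    results = {}
    for name, digest in expected.items():
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_of_file(path) == digest else "FAILED"
    for name in os.listdir(folder):
        if name in expected or name in (manifest, manifest + ".asc"):
            continue
        if os.path.isfile(os.path.join(folder, name)):
            results[name] = "UNLISTED"
    return results


def build_sample_folder():
    """Constructed sample folder: names mirror the page, contents are made up."""
    folder = tempfile.mkdtemp(prefix="ua-downloads-")
    files = {"CHANGELOG.txt": b"1.3.0-201: constructed changelog\n",
             "uaexpert-bin-linux32-x86-gcc4.5.1-v1.3.0-201.tar.gz": b"constructed tarball",
             "unexpected-extra.exe": b"not in the manifest"}
    for name, data in files.items():
        with open(os.path.join(folder, name), "wb") as f:
            f.write(data)
    lines = [hashlib.sha256(files["CHANGELOG.txt"]).hexdigest() + "  CHANGELOG.txt",
             "0" * 64 + " *uaexpert-bin-linux32-x86-gcc4.5.1-v1.3.0-201.tar.gz",  # wrong digest
             "1" * 64 + "  uaexpert-bin-win32-x86-vs2008sp1-v1.3.0-201.exe"]      # file absent
    with open(os.path.join(folder, "sha256sums.txt"), "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    return folder


# Constructed gpg status output (timestamps made up); key ID and fingerprint are from this page.
STATUS_GOOD = ("[GNUPG:] NEWSIG\n"
               "[GNUPG:] GOODSIG BDDFD429DEE7DECB Unified Security <security@unifiedautomation.com>\n"
               "[GNUPG:] VALIDSIG 59E79D70F9E6C7BC9C77E8E3BDDFD429DEE7DECB 2014-07-08 1404809719 0 4 0 1 8 00 "
               "59E79D70F9E6C7BC9C77E8E3BDDFD429DEE7DECB\n")
STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG BDDFD429DEE7DECB Unified Security <security@unifiedautomation.com>\n"
STATUS_OTHER_KEY = ("[GNUPG:] NEWSIG\n"
                    "[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.com>\n"
                    "[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2014-07-08 1404809719 0 4 0 1 8 00 "
                    "00112233445566778899AABBCCDDEEFF01234567\n")

if __name__ == "__main__":
    for name, status in sorted(verify_folder(build_sample_folder()).items()):
        print("%s: %s" % (name, status))
    print(parse_gpg_status(STATUS_GOOD), parse_gpg_status(STATUS_BAD), parse_gpg_status(STATUS_OTHER_KEY))
```

In real use, call `verify_signed_manifest("sha256sums.txt.asc", "sha256sums.txt")` in the download folder and proceed to `verify_folder(".")` only when it returns `(True, "VALIDSIG")`; an UNLISTED result deserves the same attention as FAILED, since a file nobody signed a checksum for is not covered by the signature at all.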