All releases are cryptographically signed using OpenPGP-compliant signatures. Everyone is strongly encouraged to verify the integrity of downloaded files by verifying the corresponding signatures. This way you can ensure that the downloaded files have not been corrupted or manipulated.
Every release comes with a cryptographic signature signed by security@unifiedautomation.com.
Each website download contains an individual PGP signature (no SHA256 sums).
Our customers’ WebDAV/FTP download shares (Personal Download Area) contain multiple files. Therefore we use a two-step process to verify the contents of each folder:
When downloading files from the Unified Automation website or your personal download area, the connection is protected by HTTPS. It should be sufficient to check only 'sha256sums.txt'; there is no need to perform the PGP validation.
When getting the files from a third party (e.g. on CD, USB key, your VCS system, or your company's network share) then you can use PGP to verify that the files are original Unified Automation files and have not been modified.
Linux users can simply install these tools using the package manager. Depending on your distribution the tools may be already installed.
Windows users can use Cygwin (https://www.cygwin.com), which provides Linux tools for Windows. Required packages are:
Alternatively, there is a stand-alone Windows version, Gpg4win: http://gpg4win.org
First-time users of PGP should read https://www.gnupg.org/gph/en/manual/c14.html for getting started.
To be able to verify a PGP signature you must first install our PGP public key. This key is used to verify the PGP signatures. A signature can only be created using the corresponding PGP private key.
To learn more about the way PGP works, please consult Wikipedia.
$ gpg --search security@unifiedautomation.com
gpg: data source: keys.openpgp.org
(1)     Unified Security <security@unifiedautomation.com>
          2048 bit RSA key BDDFD429DEE7DECB, created: 2016-07-27
Keys 1-1 of 1 for "security@unifiedautomation.com".  Enter number(s), N)ext, or Q)uit > 1
gpg: key BDDFD429DEE7DECB: "Unified Security <security@unifiedautomation.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
Alternatively: you can search for the public key here: https://keys.openpgp.org/search?q=security@unifiedautomation.com
The next step is to sign the fetched key with your own private key; this tells GnuPG that you trust our key.
$ gpg --sign-key security@unifiedautomation.com

pub  2048R/DEE7DECB  created: 2016-07-27  expires: 2017-07-27  usage: SC
                     trust: unknown       validity: unknown
sub  2048R/C743BCDA  created: 2016-07-27  expires: 2017-07-27  usage: E
[ unknown] (1). Unified Security <security@unifiedautomation.com>

pub  2048R/DEE7DECB  created: 2016-07-27  expires: 2017-07-27  usage: SC
                     trust: unknown       validity: unknown
 Primary key fingerprint: 59E7 9D70 F9E6 C7BC 9C77 E8E3 BDDF D429 DEE7 DECB

     Unified Security <security@unifiedautomation.com>

This key is due to expire on 2017-07-27.
Are you sure that you want to sign this key with your
key "John Doe <john.doe@example.com>" (5AAC50C4)

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "John Doe <john.doe@example.com>"
1024-bit DSA key, ID 5AAC50C4, created 2003-11-06
The PGP key for security@unifiedautomation.com has set an expiration date, but the key gets renewed every year as long as no security problems (e.g. broken crypto, or lost private key) arise.
To update your local copy of the key use the following command:
$ gpg --refresh-keys
For each downloadable file (*.zip, *.tar.gz) we provide a detached signature file (*.sig). Save both in the same folder and use the following command to verify the download.
Example for a UaExpert download:
$ ls -l
-rw-rw---- 12 john users 11M Jun 18 14:57 uaexpert-bin-win32-x86-vs2008sp1-v1.3.0-201.exe
-rw-r--r--  1 john users 287 Jul  8 13:58 uaexpert-bin-win32-x86-vs2008sp1-v1.3.0-201.exe.sig
$ gpg --verify uaexpert-bin-win32-x86-vs2008sp1-v1.3.0-201.exe.sig
gpg: Signature made Tue 08 Jul 2014 01:58:48 PM CEST using RSA key ID DEE7DECB
gpg: Good signature from "Unified Security <security@unifiedautomation.com>"
The file sha256sums.txt.asc contains a PGP-signed version of sha256sums.txt. Using GnuPG's decrypt function you can verify the signature and extract the original sha256sums.txt file in one step.
$ gpg --decrypt sha256sums.txt.asc > sha256sums.txt
gpg: Signature made Tue 08 Jul 2014 10:55:19 AM CEST using RSA key ID DEE7DECB
gpg: Good signature from "Unified Security <security@unifiedautomation.com>"
If at any time you see “BAD signature” output from “gpg --verify”, please check the following first:
If you repeatedly get the same “BAD signature” output, send an e-mail to support@unifiedautomation.com immediately, so we can investigate the problem.
After you have created a “trusted” sha256sums.txt file (see step “Verifying the PGP signature of WebDAV/FTP downloads” above) you can now verify the checksums of all downloaded files.
$ sha256sum -c sha256sums.txt
CHANGELOG.txt: OK
uaexpert-bin-linux32-x86-gcc4.5.1-v1.3.0-201.tar.gz: OK
uaexpert-bin-win32-x86-vs2008sp1-v1.3.0-201.exe: OK
You should see “OK” for all files. If one or more files show “FAILED”, this file is corrupted. Please download it again. If you repeatedly get the same “FAILED” output, send an e-mail to support@unifiedautomation.com immediately, so we can investigate the problem.
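The two-step WebDAV/FTP check above, scripted as an added example (not Unified Automation's own tooling): it asks gpg for machine-readable status lines, accepts sha256sums.txt only when a VALIDSIG line names the fingerprint printed during --sign-key above, and only then runs sha256sum -c. The function names and the constructed status lines in the comments are assumptions; the fingerprint is the one from this page.

```shell
#!/bin/sh
# Added example: scripted version of the two-step WebDAV/FTP download check.
# Primary-key fingerprint as printed by "gpg --sign-key" above, spaces removed.
UA_FPR="59E79D70F9E6C7BC9C77E8E3BDDFD429DEE7DECB"

# check_gpg_status: reads "[GNUPG:] ..." status lines (from gpg --status-fd) on
# stdin and succeeds only if a VALIDSIG line names the expected key, either as
# the signing key ($3) or as the primary key behind a signing subkey ($12).
# "Good signature" alone only proves that *some* key in your keyring signed it.
check_gpg_status() {
    want="$1"
    status="$(cat)"
    # Hard failures first: bad signature, unknown key, expired or revoked key.
    # EXPKEYSIG is what you get when the yearly key renewal was never refreshed.
    if printf '%s\n' "$status" \
        | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    # Constructed sample of the line matched here:
    # [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <res> <pk> <hash> <class> <primary-fpr>
    printf '%s\n' "$status" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $12 == want) { ok = 1 }
        END { exit !ok }'
}

# verify_release_dir DIR: step 1 verifies sha256sums.txt.asc, step 2 checks every
# listed file. Runs in a subshell so the cd does not leak into the caller.
verify_release_dir() (
    cd "$1" || exit 1
    # Status lines go to stdout for parsing; the plaintext goes to --output.
    # gpg writes that plaintext even for a BAD signature, so it is deleted
    # unless the status check passes.
    if ! gpg --batch --yes --status-fd 1 --output sha256sums.txt \
            --decrypt sha256sums.txt.asc \
        | check_gpg_status "$UA_FPR"; then
        rm -f sha256sums.txt
        echo "sha256sums.txt.asc: signature NOT from key $UA_FPR, aborting" >&2
        exit 1
    fi
    sha256sum -c sha256sums.txt   # step 2: prints OK or FAILED per file
)

# Usage: sh verify-ua-download.sh /path/to/download/folder
if [ -n "${1:-}" ]; then
    verify_release_dir "$1"
fi
```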