How to verify the integrity of a delivery?

All deliveries published by Axway are digitally signed with a cryptographic key.

This allows you to verify that:

  • The deliveries have not been altered.
  • The deliveries have been issued by Axway.

 

Prerequisites

 

To import the Systar public key into the GnuPG keystore, do the following:

 

Verifying the integrity of a delivery

You need two files:

  • The delivery, e.g. DecisionInsight_2.0.0_Install_win-x86-64_BN2014090801.exe
  • The associated signature, e.g. DecisionInsight_2.0.0_Install_win-x86-64_BN2014090801.exe.sign

 

To verify the integrity of a delivery, execute the following command:

gpg --verify <delivery signature> <delivery>

 

Two possibilities:

  • The integrity of the delivery is verified: the command reports a "good" signature. For example:

    gpg: Signature made 09/24/13 16:23:17 using RSA key ID 3A544790
    gpg: Good signature from "Systar SA (R&D) <support@systar.com>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 3499 2C63 EAB4 CE8D E2CE  960A 3B78 2A9E 3A54 4790

    Since the public key is not trusted by a third party, GnuPG raises a warning. However, this does not compromise the integrity of the delivery. The fingerprint of the Systar public key, to compare with the one displayed, is:

    3499 2C63 EAB4 CE8D E2CE  960A 3B78 2A9E 3A54 4790
  • The integrity of the delivery is not verified: the command reports a "bad" signature. For example:

    gpg: Signature made 09/24/13 16:23:17 using RSA key ID 3A544790
    gpg: BAD signature from "Systar SA (R&D) <support@systar.com>"
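
One way to script this check, as an added example that is not part of the original Axway page: it runs the same gpg --verify command, reads GnuPG's machine-readable --status-fd output, and accepts the delivery only when the signer's primary key fingerprint equals the one given above. The function names and the decision to also reject expired or revoked keys are choices of this example.

```shell
#!/bin/sh
# Added example: verify a delivery and pin the signer to the fingerprint
# published on this page, instead of reading the human-oriented gpg text.

# Fingerprint from the page, spaces removed.
EXPECTED_FPR="34992C63EAB4CE8DE2CE960A3B782A9E3A544790"

# check_status: reads `gpg --status-fd` lines on stdin.
# Succeeds only if a VALIDSIG line names EXPECTED_FPR as the primary key
# and no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG line is present.
# (Rejecting expired and revoked keys is a policy choice of this example.)
check_status() {
    awk -v want="$EXPECTED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint when present;
            # otherwise fall back to field 3, the signing key fingerprint.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) ok = 1; else bad = 1
        }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_delivery <delivery signature> <delivery>
# Status lines go to stdout (fd 1); the usual gpg messages are discarded.
verify_delivery() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status
}

# Run as: sh verify.sh <delivery signature> <delivery>
if [ "$#" -eq 2 ]; then
    if verify_delivery "$1" "$2"; then
        echo "OK: delivery signed by $EXPECTED_FPR"
    else
        echo "FAIL: bad signature or unexpected signer" >&2
        exit 1
    fi
fi
```

A non-zero exit status covers both the "bad" signature case and a "good" signature made by any key other than the one whose fingerprint is listed above.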
