Introduction

SOS digitally signs JS7 releases that are offered for download:

  • X509 signatures, SHA hashes and timestamps are available with the releases.
  • Users can verify a release file's hash value to prove
    • that the file downloaded corresponds to what is offered from the download site.
    • This check does not prove authenticity of the file being published by SOS.
  • Users can verify a release file's signature to prove
    • that the file in fact was created and signed by SOS,
    • that the file's signature is valid.
  • Users can verify a signature's timestamp.
    • This is useful if older releases are downloaded at a point in time when the signing certificate will be expired and invalid.
    • The timestamp allows to verify that a valid code signing certificate was used at the point in time of signing.

Verifying Releases

The below examples make use of a specific JS7 release. Consider to use an up-to-date JS7 release as indicated by JS7 - Download.

Examples are provided for Unix and Windows.

Comparing Hashes

The following example downloads a release file (.tar.gz) and the corresponding hash file (.sha256). The hash of the release file is compared to the hash file.

This check proves that a release file was not changed after creation of the hash file. The check does not prove authenticity of the release file.


Comparing Hashes (Unix)
# download release tarball
curl 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_unix.2.5.3.tar.gz' -o js7_agent_unix.2.5.3.tar.gz

# download hash file
curl 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_unix.2.5.3.tar.gz.sha256' -o js7_agent_unix.2.5.3.tar.gz.sha256

# compare hashes of downloaded release file and hash file
sha256sum --check js7_agent_unix.2.5.3.tar.gz.sha256
Comparing Hashes (Windows using PowerShell)
# download release tarball
Invoke-WebRequest -Uri 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_windows.2.5.3.zip' -Outfile js7_agent_windows.2.5.3.zip

# download hash file
Invoke-WebRequest -Uri 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_windows.2.5.3.zip.sha256' -Outfile js7_agent_windows.2.5.3.zip.sha256

# compare hashes of downloaded release file and hash file
(Get-FileHash js7_agent_windows.2.5.3.zip -Algorithm SHA256).Hash -eq ((Get-Content -Path js7_agent_windows.2.5.3.zip.sha256) -replace '\s.*')

Verifying Signatures

Signatures for release files are created from the SOS Code Signing Certificate. The certificate chain is available from the following certificates:

Verification of a signature requires to convert the downloaded signature file (.sig) from base64 to a binary format and to verify that the signature file and hash file will match.

This check proves the authenticity of a release file's signature that is published by SOS. The check is complementary to comparing hashes.


Verify Signatures (Unix)
# download hash file
curl 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_unix.2.5.3.tar.gz.sha256' -o js7_agent_unix.2.5.3.tar.gz.sha256

# download signature file
curl 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_unix.2.5.3.tar.gz.sig' -o js7_agent_unix.2.5.3.tar.gz.sig

# download certificate
curl 'https://download.sos-berlin.com/certs/release-signing/SOSReleaseSigning.crt' -o SOSReleaseSigning.crt 

# convert base64 signature to binary format
openssl base64 -d -in js7_agent_unix.2.5.3.tar.gz.sig -out js7_agent_unix.2.5.3.tar.gz.sig.bin

# verify signature (bash version)
openssl dgst -sha256 -verify <(openssl x509 -in SOSReleaseSigning.crt -pubkey -noout) -signature js7_agent_unix.2.5.3.tar.gz.sig.bin js7_agent_unix.2.5.3.tar.gz.sha256

# verify signature (alternative non-bash version)
# openssl x509 -in SOSReleaseSigning.crt -pubkey -noout > SOSReleaseSigning.pub
# openssl dgst -sha256 -verify SOSReleaseSigning.pub -signature js7_agent_unix.2.5.3.tar.gz.sig.bin js7_agent_unix.2.5.3.tar.gz.sha256


For Windows the OpenSSL utility might not be available out-of-the-box. Check to download OpenSSL for Windows from a secure site. The below example makes use of PowerShell and the OpenSSL utility.

Verify Signatures (Windows using PowerShell)
# download hash file
Invoke-WebRequest -Uri 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_windows.2.5.3.zip.sha256' -Outfile js7_agent_windows.2.5.3.zip.sha256

# download signature file
Invoke-WebRequest -Uri 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_windows.2.5.3.zip.sig' -Outfile js7_agent_windows.2.5.3.zip.sig

# download certificate
Invoke-WebRequest -Uri 'https://download.sos-berlin.com/certs/release-signing/SOSReleaseSigning.crt' -Outfile SOSReleaseSigning.crt

# convert base64 signature to binary format
openssl base64 -d -in js7_agent_windows.2.5.3.zip.sig -out js7_agent_windows.2.5.3.zip.sig.bin

# verify signature
openssl x509 -in SOSReleaseSigning.crt -pubkey -noout > SOSReleaseSigning.pub
openssl dgst -sha256 -verify SOSReleaseSigning.pub -signature js7_agent_windows.2.5.3.zip.sig.bin js7_agent_windows.2.5.3.zip.sha256

Checking Timestamps

JS7 releases are digitally signed using timestamps.

  • A Time Stamp Server signs the hash of the release file.
  • The Time Stamp Server's response is available for download from a timestamp file that indicates the signature of the Time Stamp Server.

Verification includes to check that timestamps are valid and match the hashes of release files.

  • This includes to have the Time Stamp Server's certificate chain in place. JS7 releases frequently make use of Apple's Time Stamp Server, however, this can change.
  • At the time of writing the following certificates are used:
    • AppleTimestampCA.cer
    • AppleIncRootCertificate.cer

      Verify Time Stamp Server Certificates (Unix)
      # download Apple Time Stamp Server certificate
      curl --remote-name https://www.apple.com/certificateauthority/AppleTimestampCA.cer
      
      # download Apple Root certificate
      curl --remote-name https://www.apple.com/appleca/AppleIncRootCertificate.cer
      
      # convert from der to pem format
      openssl x509 -inform der -in AppleIncRootCertificate.cer -out AppleIncRootCertificate.pem


      For Windows the OpenSSL utility might not be available out-of-the-box. Check to download OpenSSL for Windows from a secure site. The below example makes use of PowerShell and the OpenSSL utility.

      Verify Time Stamp Server Certificates (Windows using PowerShell)
      # download Apple Time Stamp Server certificate
      Invoke-WebRequest -Uri 'https://www.apple.com/certificateauthority/AppleTimestampCA.cer' -Outfile AppleTimestampCA.cer
      
      # download Apple Root certificate
      Invoke-WebRequest -Uri 'https://www.apple.com/appleca/AppleIncRootCertificate.cer' -Outfile AppleIncRootCertificate.cer
      
      # convert from der to pem format
      openssl x509 -inform der -in AppleIncRootCertificate.cer -out AppleIncRootCertificate.pem
  • Consider that Time Stamp Server certificates will change as they are frequently updated.

Apply the following commands to check Time Stamp Server certificates :

Checking Timestamps (Unix)
# download release tarball
curl 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_unix.2.5.3.tar.gz' -o js7_agent_unix.2.5.3.tar.gz

# download timestamp
curl 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_unix.2.5.3.tar.gz.tsr' -o js7_agent_unix.2.5.3.tar.gz.tsr

# verify timestamp
openssl ts -verify -sha256 -in js7_agent_unix.2.5.3.tar.gz.tsr -data js7_agent_unix.2.5.3.tar.gz -CAfile AppleIncRootCertificate.pem -untrusted AppleTimestampCA.cer


For Windows the OpenSSL utility might not be available out-of-the-box. Check to download OpenSSL for Windows from a secure site. The below example makes use of PowerShell and the OpenSSL utility.

Checking Timestamps (Windows using PowerShell)
# download release tarball
Invoke-WebRequest -Uri 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_windows.2.5.3.zip' -Outfile js7_agent_windows.2.5.3.zip

# download timestamp
Invoke-WebRequest -Uri 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_windows.2.5.3.zip.tsr' -Outfile js7_agent_windows.2.5.3.zip.tsr

# verify timestamp (some OpenSSL versions might require a configuration file to be specified)
$tempFile = New-TemporaryFile
openssl ts -verify -sha256 -in js7_agent_windows.2.5.3.zip.tsr -data js7_agent_windows.2.5.3.zip -CAfile AppleIncRootCertificate.pem -untrusted AppleTimestampCA.cer -config $tempFile

Further Resources


  • No labels