Introduction
SOS digitally signs JS7 releases that are offered for download:
- X509 signatures, SHA hashes and timestamps are available with the releases.
- Users can verify a release file's hash value to prove
- that the file downloaded corresponds to what is offered from the download site.
- This check does not prove authenticity of the file being published by SOS.
- Users can verify a release file's signature to prove
- that the file in fact was created and signed by SOS,
- that the file's signature is valid.
- Users can verify a signature's timestamp.
- This is useful if older releases are downloaded at a point in time when the signing certificate will be expired and invalid.
- The timestamp allows to verify that a valid code signing certificate was used at the point in time of signing.
Verifying Releases
The below examples make use of a specific JS7 release. Consider to use an up-to-date JS7 release as indicated by JS7 - Download.
Examples are provided for Unix and Windows.
Comparing Hashes
The following example downloads a release file (.tar.gz) and the corresponding hash file (.sha256). The hash of the release file is compared to the hash file.
This check proves that a release file was not changed after creation of the hash file. The check does not prove authenticity of the release file.
# download release tarball curl 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_unix.2.5.3.tar.gz' -o js7_agent_unix.2.5.3.tar.gz # download hash file curl 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_unix.2.5.3.tar.gz.sha256' -o js7_agent_unix.2.5.3.tar.gz.sha256 # compare hashes of downloaded release file and hash file sha256sum --check js7_agent_unix.2.5.3.tar.gz.sha256
# download release tarball Invoke-WebRequest -Uri 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_windows.2.5.3.zip' -Outfile js7_agent_windows.2.5.3.zip # download hash file Invoke-WebRequest -Uri 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_windows.2.5.3.zip.sha256' -Outfile js7_agent_windows.2.5.3.zip.sha256 # compare hashes of downloaded release file and hash file (Get-FileHash js7_agent_windows.2.5.3.zip -Algorithm SHA256).Hash -eq ((Get-Content -Path js7_agent_windows.2.5.3.zip.sha256) -replace '\s.*')
Verifying Signatures
Signatures for release files are created from the SOS Code Signing Certificate. The certificate chain is available from the following certificates:
- SOS Code Signing Certificate: https://download.sos-berlin.com/certs/release-signing/SOSReleaseSigning.crt
- First Intermediate CA Certificate: https://download.sos-berlin.com/certs/release-signing/SectigoPublicCodeSigningCAE36.crt
- Second Intermediate CA Certificate: https://download.sos-berlin.com/certs/release-signing/SectigoPublicCodeSigningRootE46_AAA.crt
- Root CA Certificate: https://download.sos-berlin.com/certs/release-signing/AAACertificateServices.crt
Verification of a signature requires to convert the downloaded signature file (.sig) from base64 to a binary format and to verify that the signature file and hash file will match.
This check proves the authenticity of a release file's signature that is published by SOS. The check is complementary to comparing hashes.
# download hash file curl 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_unix.2.5.3.tar.gz.sha256' -o js7_agent_unix.2.5.3.tar.gz.sha256 # download signature file curl 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_unix.2.5.3.tar.gz.sig' -o js7_agent_unix.2.5.3.tar.gz.sig # download certificate curl 'https://download.sos-berlin.com/certs/release-signing/SOSReleaseSigning.crt' -o SOSReleaseSigning.crt # convert base64 signature to binary format openssl base64 -d -in js7_agent_unix.2.5.3.tar.gz.sig -out js7_agent_unix.2.5.3.tar.gz.sig.bin # verify signature (bash version) openssl dgst -sha256 -verify <(openssl x509 -in SOSReleaseSigning.crt -pubkey -noout) -signature js7_agent_unix.2.5.3.tar.gz.sig.bin js7_agent_unix.2.5.3.tar.gz.sha256 # verify signature (alternative non-bash version) # openssl x509 -in SOSReleaseSigning.crt -pubkey -noout > SOSReleaseSigning.pub # openssl dgst -sha256 -verify SOSReleaseSigning.pub -signature js7_agent_unix.2.5.3.tar.gz.sig.bin js7_agent_unix.2.5.3.tar.gz.sha256
For Windows the OpenSSL utility might not be available out-of-the-box. Check to download OpenSSL for Windows from a secure site. The below example makes use of PowerShell and the OpenSSL utility.
# download hash file Invoke-WebRequest -Uri 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_windows.2.5.3.zip.sha256' -Outfile js7_agent_windows.2.5.3.zip.sha256 # download signature file Invoke-WebRequest -Uri 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_windows.2.5.3.zip.sig' -Outfile js7_agent_windows.2.5.3.zip.sig # download certificate Invoke-WebRequest -Uri 'https://download.sos-berlin.com/certs/release-signing/SOSReleaseSigning.crt' -Outfile SOSReleaseSigning.crt # convert base64 signature to binary format openssl base64 -d -in js7_agent_windows.2.5.3.zip.sig -out js7_agent_windows.2.5.3.zip.sig.bin # verify signature openssl x509 -in SOSReleaseSigning.crt -pubkey -noout > SOSReleaseSigning.pub openssl dgst -sha256 -verify SOSReleaseSigning.pub -signature js7_agent_windows.2.5.3.zip.sig.bin js7_agent_windows.2.5.3.zip.sha256
Checking Timestamps
JS7 releases are digitally signed using timestamps.
- A Time Stamp Server signs the hash of the release file.
- The Time Stamp Server's response is available for download from a timestamp file that indicates the signature of the Time Stamp Server.
Verification includes to check that timestamps are valid and match the hashes of release files.
- This includes to have the Time Stamp Server's certificate chain in place. JS7 releases frequently make use of Apple's Time Stamp Server, however, this can change.
- At the time of writing the following certificates are used:
- AppleTimestampCA.cer
- Verify Time Stamp Server Certificates (Unix)
# download Apple Time Stamp Server certificate curl --remote-name https://www.apple.com/certificateauthority/AppleTimestampCA.cer # download Apple Root certificate curl --remote-name https://www.apple.com/appleca/AppleIncRootCertificate.cer # convert from der to pem format openssl x509 -inform der -in AppleIncRootCertificate.cer -out AppleIncRootCertificate.pem
For Windows the OpenSSL utility might not be available out-of-the-box. Check to download OpenSSL for Windows from a secure site. The below example makes use of PowerShell and the OpenSSL utility.Verify Time Stamp Server Certificates (Windows using PowerShell)# download Apple Time Stamp Server certificate Invoke-WebRequest -Uri 'https://www.apple.com/certificateauthority/AppleTimestampCA.cer' -Outfile AppleTimestampCA.cer # download Apple Root certificate Invoke-WebRequest -Uri 'https://www.apple.com/appleca/AppleIncRootCertificate.cer' -Outfile AppleIncRootCertificate.cer # convert from der to pem format openssl x509 -inform der -in AppleIncRootCertificate.cer -out AppleIncRootCertificate.pem
- Consider that Time Stamp Server certificates will change as they are frequently updated.
Apply the following commands to check Time Stamp Server certificates :
# download release tarball curl 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_unix.2.5.3.tar.gz' -o js7_agent_unix.2.5.3.tar.gz # download timestamp curl 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_unix.2.5.3.tar.gz.tsr' -o js7_agent_unix.2.5.3.tar.gz.tsr # verify timestamp openssl ts -verify -sha256 -in js7_agent_unix.2.5.3.tar.gz.tsr -data js7_agent_unix.2.5.3.tar.gz -CAfile AppleIncRootCertificate.pem -untrusted AppleTimestampCA.cer
For Windows the OpenSSL utility might not be available out-of-the-box. Check to download OpenSSL for Windows from a secure site. The below example makes use of PowerShell and the OpenSSL utility.
# download release tarball Invoke-WebRequest -Uri 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_windows.2.5.3.zip' -Outfile js7_agent_windows.2.5.3.zip # download timestamp Invoke-WebRequest -Uri 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_windows.2.5.3.zip.tsr' -Outfile js7_agent_windows.2.5.3.zip.tsr # verify timestamp (some OpenSSL versions might require a configuration file to be specified) $tempFile = New-TemporaryFile openssl ts -verify -sha256 -in js7_agent_windows.2.5.3.zip.tsr -data js7_agent_windows.2.5.3.zip -CAfile AppleIncRootCertificate.pem -untrusted AppleTimestampCA.cer -config $tempFile