PGP Signatures - Unified Automation (2024)

All releases are cryptographically signed using OpenPGP-compliant signatures. Everyone is strongly encouraged to verify the integrity of downloaded files by checking the corresponding signatures. This way you can ensure that the downloaded files have not been corrupted or manipulated.

Basic Concepts

Every release comes with a cryptographic signature made with the security@unifiedautomation.com key.

Each website download comes with its own detached PGP signature (no SHA-256 sums are provided for website downloads).

Our customers’ WebDAV/FTP download shares (Personal Download Area) contain multiple files. Therefore we use a two-step process to verify the contents of each folder:

  1. The file sha256sums.txt contains the SHA-256 sum (cryptographic hash) of each file in the folder.
  2. This file is cryptographically signed using PGP. An attacker who modifies a file cannot substitute matching checksums, because forging the signature on sha256sums.txt would require the private key.

Purpose of the Two Signature Files

  1. sha256sums.txt: This file contains cryptographic checksums of the downloaded files. It can be used to verify that the download was complete and the data was not corrupted. Anybody can create such a file using the `sha256sum` tool, so on its own it is an integrity check only and says nothing about the origin of the data.
  2. sha256sums.txt.asc: This is a PGP-signed version of the sha256sums.txt file. It proves that Unified Automation created the sha256sums.txt file, and therefore vouches for every downloaded file whose checksum matches an entry in it.

When downloading files from the Unified Automation website or your personal download area, the connection is protected by HTTPS. In that case checking 'sha256sums.txt' alone is sufficient to detect an incomplete or corrupted transfer. Keep in mind that HTTPS only authenticates the server you connected to; if you want proof that the files are the ones Unified Automation signed (for example before you redistribute them inside your organisation), perform the PGP verification as well. It is one additional command.

When you obtain the files from a third party (e.g. on CD, USB key, your VCS system, or your company's network share), HTTPS no longer protects them, and PGP is the only way to verify that the files are original Unified Automation files and have not been modified.

Required Software

  • sha256sum: For computing and validating SHA-256 checksums
  • GnuPG: The GNU Privacy Guard (https://www.gnupg.org)

Linux users can simply install these tools using the package manager. Depending on your distribution the tools may be already installed.

Windows users can use cygwin (https://www.cygwin.com) which provides Linux tools for Windows. Required packages are:

  • coreutils (includes sha256sum)
  • gnupg

Alternatively, there is Gpg4win, a stand-alone GnuPG distribution for Windows: http://gpg4win.org

First-time users of PGP should read https://www.gnupg.org/gph/en/manual/c14.html for getting started.

Install Unified Automation PGP Public Key

To be able to verify a PGP signature you must first install our PGP public key. This key is used to verify the PGP signatures. A signature can only be created using the corresponding PGP private key.

To learn more about the way PGP works, please consult Wikipedia.

$ gpg --search security@unifiedautomation.com
gpg: data source: keys.openpgp.org
(1)     Unified Security <security@unifiedautomation.com>
          2048 bit RSA key BDDFD429DEE7DECB, created: 2016-07-27
Keys 1-1 of 1 for "security@unifiedautomation.com".  Enter number(s), N)ext, or Q)uit > 1
gpg: key BDDFD429DEE7DECB: "Unified Security <security@unifiedautomation.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Alternatively: you can search for the public key here: https://keys.openpgp.org/search?q=security@unifiedautomation.com

The next step is to sign the fetched key with your private key to tell GnuPG that you trust our key. Before you answer "Really sign?", compare the fingerprint gpg prints (Primary key fingerprint: 59E7 9D70 F9E6 C7BC 9C77 E8E3 BDDF D429 DEE7 DECB) with the one published by Unified Automation; anyone can upload a key carrying our e-mail address to a keyserver, and your signature is your statement that you checked the key really belongs to us. If you do not want to publish your certification, gpg --lsign-key creates a local, non-exportable signature instead.

$ gpg --sign-key security@unifiedautomation.com

pub  2048R/DEE7DECB  created: 2016-07-27  expires: 2017-07-27  usage: SC
                     trust: unknown       validity: unknown
sub  2048R/C743BCDA  created: 2016-07-27  expires: 2017-07-27  usage: E
[ unknown] (1). Unified Security <security@unifiedautomation.com>

pub  2048R/DEE7DECB  created: 2016-07-27  expires: 2017-07-27  usage: SC
                     trust: unknown       validity: unknown
 Primary key fingerprint: 59E7 9D70 F9E6 C7BC 9C77 E8E3 BDDF D429 DEE7 DECB

     Unified Security <security@unifiedautomation.com>

This key is due to expire on 2017-07-27.
Are you sure that you want to sign this key with your
key "John Doe <john.doe@example.com>" (5AAC50C4)

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "John Doe <john.doe@example.com>"
1024-bit DSA key, ID 5AAC50C4, created 2003-11-06

Updating PGP Keys

The PGP key for security@unifiedautomation.com has an expiration date, but the key is renewed every year (the expiration date is extended and the updated key is published) as long as no security problems (e.g. broken crypto, or a lost private key) arise. The key ID and fingerprint stay the same across renewals.

To update your local copy of the key from the keyserver, use the following command:

$ gpg --refresh-keys

Verifying the PGP Signature of Website Downloads

For each downloadable file (*.zip, *.tar.gz, *.exe) we provide a detached signature file (*.sig). Save both in the same folder and use the following command to verify the download. If you pass only the .sig file, gpg looks for the signed file under the same name without the .sig extension; otherwise name both files explicitly (gpg --verify file.sig file). Besides “Good signature”, check that the key ID (DEE7DECB) or, better, the full fingerprint belongs to our key. If you have not signed our key yet, gpg additionally prints a warning that the key is not certified with a trusted signature; that warning concerns your trust in the key, not the validity of the signature itself.

Example for a UaExpert download:

$ ls -l
-rw-rw---- 12 john users  11M Jun 18 14:57 uaexpert-bin-win32-x86-vs2008sp1-v1.3.0-201.exe
-rw-r--r--  1 john users  287 Jul  8 13:58 uaexpert-bin-win32-x86-vs2008sp1-v1.3.0-201.exe.sig
$ gpg --verify uaexpert-bin-win32-x86-vs2008sp1-v1.3.0-201.exe.sig
gpg: Signature made Tue 08 Jul 2014 01:58:48 PM CEST using RSA key ID DEE7DECB
gpg: Good signature from "Unified Security <security@unifiedautomation.com>"

Verifying the PGP Signature of WebDAV/FTP Downloads

The file sha256sums.txt.asc contains a PGP-signed version of sha256sums.txt. Using GnuPG's --decrypt function you can verify the signature and extract the original sha256sums.txt file in one step. Note that gpg writes the plaintext while it processes the message and reports the signature result afterwards, so the redirected sha256sums.txt is created even when the result is “BAD signature”. Check gpg's messages (or its exit status, which is non-zero on a bad signature) before using the file.

$ gpg --decrypt sha256sums.txt.asc > sha256sums.txt
gpg: Signature made Tue 08 Jul 2014 10:55:19 AM CEST using RSA key ID DEE7DECB
gpg: Good signature from "Unified Security <security@unifiedautomation.com>"

If You Get “BAD Signature”

If at any time you see “BAD signature” output from “gpg --verify” (or “gpg --decrypt”), please check the following first:

  • Make sure that the downloaded file is intact and not truncated or otherwise corrupted.
  • Check whether your FTP client uses binary file transfer mode (ASCII mode rewrites line endings and so changes the signed bytes).

A “Can't check signature: No public key” message is a different problem: our public key is not in your keyring yet, see “Install Unified Automation PGP Public Key” above.

If you repeatedly get the same “BAD signature” output, send an e-mail to support@unifiedautomation.com immediately, so we can investigate the problem.

Verifying SHA-256 Checksums

After you have created a “trusted” sha256sums.txt file (see step “Verifying the PGP signature of WebDAV/FTP downloads” above) you can now verify the checksums of all downloaded files.

$ sha256sum -c sha256sums.txt
CHANGELOG.txt: OK
uaexpert-bin-linux32-x86-gcc4.5.1-v1.3.0-201.tar.gz: OK
uaexpert-bin-win32-x86-vs2008sp1-v1.3.0-201.exe: OK

You should see “OK” for all files. If one or more files show “FAILED”, that file is corrupted or has been modified since the checksums were signed. Please download it again. If you repeatedly get the same “FAILED” output, send an e-mail to support@unifiedautomation.com immediately, so we can investigate the problem.
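The following script is an added example written for this page; it is not Unified Automation's own tooling. It scripts the procedure from the key installation, website download, WebDAV/FTP download and checksum sections above with the checks a non-interactive run needs: the key is fetched and pinned by the full fingerprint shown by gpg --sign-key above rather than by e-mail address, the result is read from gpg's machine-readable --status-fd output (a VALIDSIG line carrying the pinned fingerprint) instead of the translated “Good signature” text, and the extracted sha256sums.txt is discarded unless that check passes. The script and function names, the hkps://keys.openpgp.org keyserver option and --quick-lsign-key (GnuPG 2.1 or later) are assumptions of this example, not something the page prescribes.

```shell
#!/bin/sh
# verify_ua_release.sh - added example, not Unified Automation's own tooling.
# Scripts the verification procedure from this page for non-interactive use.
set -u

# Primary key fingerprint printed by "gpg --sign-key security@unifiedautomation.com"
# (spaces removed). Pinning the full fingerprint, not the e-mail address or the
# short key ID DEE7DECB, is what ties the check to this specific key.
UA_FPR="59E79D70F9E6C7BC9C77E8E3BDDFD429DEE7DECB"

# One-time setup: fetch the key by fingerprint and certify it with a local
# (non-exportable) signature. The keyserver URL and --quick-lsign-key
# (GnuPG 2.1 or later) are assumptions of this example.
import_ua_key() {
    gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$UA_FPR" || return 1
    gpg --batch --quick-lsign-key "$UA_FPR"
}

# Return 0 if gpg --status-fd output ($1) contains a VALIDSIG line whose
# signing-key fingerprint (field 3) or primary-key fingerprint (last field,
# used when a subkey made the signature) equals $2. Pure awk, so it can be
# exercised without gpg installed.
status_signed_by() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Website downloads: detached signature next to the file (file + file.sig).
verify_detached() {          # $1 = file, $2 = signature file
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1") || return 1
    status_signed_by "$status" "$UA_FPR"
}

# WebDAV/FTP downloads: sha256sums.txt.asc is a signed copy of sha256sums.txt.
# gpg writes the plaintext while processing the message and reports the
# signature afterwards, so the output file is removed unless gpg succeeded
# AND the VALIDSIG line carries the pinned fingerprint.
verify_signed_sums() {       # $1 = sha256sums.txt.asc, $2 = output file
    if ! status=$(gpg --batch --yes --status-fd 1 --output "$2" --decrypt "$1") \
       || ! status_signed_by "$status" "$UA_FPR"; then
        rm -f "$2"
        return 1
    fi
}

# Check every file listed in an already verified sha256sums.txt. sha256sum is
# coreutils/cygwin; shasum is the macOS fallback. Non-zero if any listed file
# is missing, truncated or modified.
verify_checksums() {         # $1 = verified sha256sums.txt
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -c --strict "$1"
    else
        shasum -a 256 -c "$1"
    fi
}

# End-to-end check of a download folder: ./verify_ua_release.sh sha256sums.txt.asc
main() {
    verify_signed_sums "$1" sha256sums.txt \
        || { echo "FAILED: sha256sums.txt.asc is not validly signed by $UA_FPR" >&2; exit 1; }
    verify_checksums sha256sums.txt \
        || { echo "FAILED: one or more files do not match the signed checksums" >&2; exit 1; }
    echo "OK: all files verified against key $UA_FPR"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Parsing the --status-fd lines rather than grepping for “Good signature” keeps the check independent of the locale gpg runs in, and comparing the fingerprint rather than the 32-bit key ID DEE7DECB rules out a colliding key ID. Because the primary key fingerprint is also the last field of VALIDSIG, the script continues to work if a future renewal signs with a subkey of the same primary key.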
