Deployment and Management Guide for Cisco IoT FND on OVA with Postgres and InfluxDB, Release 5.x.x and Later

Verify RPM signatures

Updated: February 4, 2026

Overview

Use this procedure to verify the integrity and authenticity of RPM packages before installation or upgrade. Together, these steps help ensure that your files are secure and have not been tampered with before deployment.

Before you begin

The following are required to verify the OVA signature:

  • Python 2.7.x

  • OpenSSL

  • Internet connection

Procedure

1. Unzip the file iot-fnd-<release>-<build number>-signed.zip and change directory to the folder iot-fnd-<release>-<build number>-signed.

Example:

    unzip iot-fnd-<release>-<build number>-signed.zip
    cd iot-fnd-<release>-<build number>-signed

2. Extract the public key from the public certificate:

Example:

    openssl x509 -pubkey -noout -in FND_RPM_SIGN-CCO_RELEASE.pem > FND-EE-cert.pubkey

The file FND-EE-cert.pubkey is created in the same folder.

3. Verify the scripts using the public key and signature files:

Example:

    openssl dgst -sha512 -verify FND-EE-cert.pubkey -signature cisco_x509_verify_release.py.signature cisco_x509_verify_release.py
    openssl dgst -sha512 -verify FND-EE-cert.pubkey -signature cisco_openpgp_verify_release.py.signature cisco_openpgp_verify_release.py

Expected Result:

    Verified OK

4. Verify the ISO file:

Example:

    ./cisco_x509_verify_release.py -e FND_RPM_SIGN-CCO_RELEASE.pem -s iot-fnd-<release>-<build number>.iso.signature -i iot-fnd-<release>-<build number>.iso -v dgst -sha512
    Retrieving CA certificate from http://www.cisco.com/security/pki/certs/crcam2.cer ...
    Successfully retrieved and verified crcam2.cer.
    Retrieving SubCA certificate from http://www.cisco.com/security/pki/certs/innerspace.cer ...
    Successfully retrieved and verified innerspace.cer.
    Successfully verified root, subca and end-entity certificate chain.
    Successfully fetched a public key from FND_RPM_SIGN-CCO_RELEASE.pem.
    Successfully verified the signature of iot-fnd-<release>-<build number>.iso using FND_RPM_SIGN-CCO_RELEASE.pem

5. Install the ISO image file:

Example:

    cd /mnt
    mkdir iso
    mount -t iso9660 -o loop <path>/iot-fnd-<release>-<build number>.iso /mnt/iso
    mkdir /tmp/ISO
    cp -pRf /mnt/iso /tmp/ISO
    umount /mnt/iso/

6. Verify that the delivered binary and ASCII keys have matching fingerprints:

Example:

    gpg FND-rel-binary.gpg
    gpg FND-rel-ascii.gpg
    pub 2048R/F7D5ED29 2017-01-01 user (FND.rel)

7. Verify the binary GPG key against the EE cert:

Example:

    ./cisco_openpgp_verify_release.py -e FND_RPM_SIGN-CCO_RELEASE.pem -G FND-rel-binary.gpg
    Downloading CA certificate from http://www.cisco.com/security/pki/certs/crcam2.cer ...
    Successfully downloaded crcam2.cer.
    Downloading SubCA certificate from http://www.cisco.com/security/pki/certs/innerspace.cer ...
    Successfully downloaded innerspace.cer.
    Successfully verified Cisco root, subca and end-entity certificate chain.
    Successfully fetched a public key from FND_RPM_SIGN-CCO_RELEASE.pem.
    Successfully authenticated FND-rel-binary.gpg key using Cisco X.509 certificate trust chain.

8. Verify the RPM signature using the GPG ASCII key:

Example:

    sudo rpm --import FND-rel-ascii.gpg
    rpm -K /tmp/ISO/iso/cgms-<release>-<build number>.x86_64.rpm
    /tmp/ISO/iso/cgms-<release>-<build number>.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

9. Repeat step 8 to verify all the RPM signatures, for example, the signature of the CGMS tools RPM for Postgres.

You've successfully verified the RPM signatures.
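
Steps 8 and 9 as a loop, an added example that is not part of the Cisco procedure or its scripts: it runs rpm -K on every RPM in a directory and accepts only results that include a verified signature, because rpm -K also prints OK for an unsigned package whose digests match. The function names and the sample output lines in the comments are constructed for illustration, and the newer "digests signatures OK" output format is handled in addition to the format shown in step 8.

```shell
#!/bin/sh
# Added example (not Cisco's script): run the step 8 check on every RPM in a
# directory and accept only results that include a verified signature.

# Classify one line of "rpm -K" output: prints signed-ok, unsigned or failed.
# Constructed sample lines:
#   pkg.rpm: rsa sha1 (md5) pgp md5 OK      -> signed-ok (format shown in step 8)
#   pkg.rpm: digests signatures OK          -> signed-ok (newer rpm releases)
#   pkg.rpm: sha1 md5 OK                    -> unsigned  (digests only)
#   pkg.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: ...) -> failed
classify_rpmk() {
    # Drop "<file>: " so a file name containing "pgp" or "OK" cannot match.
    result=${1#*: }
    case $result in
        *"NOT OK"*) echo failed ;;
        *pgp*OK|*gpg*OK|*rsa*OK|*dsa*OK|*signatures*OK) echo signed-ok ;;
        *OK) echo unsigned ;;
        *) echo failed ;;
    esac
}

# Check every *.rpm in the directory; return 0 only if all are signed-ok.
verify_rpm_dir() {
    dir=$1
    bad=0
    for f in "$dir"/*.rpm; do
        [ -e "$f" ] || { echo "no RPM files in $dir" >&2; return 2; }
        status=$(classify_rpmk "$(rpm -K "$f" 2>&1)")
        printf '%-10s %s\n' "$status" "$f"
        [ "$status" = signed-ok ] || bad=1
    done
    return "$bad"
}

# Usage: sh verify_rpms.sh /tmp/ISO/iso   (after "rpm --import" in step 8)
if [ "$#" -gt 0 ]; then
    verify_rpm_dir "$1" || exit 1
fi
```

Any package reported as unsigned or failed should be treated as unverified and not installed.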

What to do next

Proceed to installing or upgrading the RPMs.