Learn how to verify the authenticity and integrity of ISO and RPM images by running signature verification procedures using OpenSSL, GPG, and provided verification scripts.
Use this procedure to run the signature verification programs and confirm that your ISO and RPM images are genuine.
Before you begin
Here are the prerequisites for you to verify the ISO and RPM images:
Procedure
1. Unzip the file iot-fnd-<release>-<build number>-signed.zip.

2. Change directory to the folder iot-fnd-<release>-<build number>-signed using the cd command.
3. Extract the public key from the public certificate.
   Example:
   openssl x509 -pubkey -noout -in FND_RPM_SIGN-CCO_RELEASE.pem > FND-EE-cert.pubkey
   The file FND-EE-cert.pubkey is created in the same folder.
4. Verify the integrity and authenticity of the verification scripts by checking their detached signatures against the public key extracted in step 3 (FND-EE-cert.pubkey). Each command must report "Verified OK" before you run the script it checks.
   Example:
   openssl dgst -sha512 -verify FND-EE-cert.pubkey -signature cisco_x509_verify_release.py.signature cisco_x509_verify_release.py
   openssl dgst -sha512 -verify FND-EE-cert.pubkey -signature cisco_openpgp_verify_release.py.signature cisco_openpgp_verify_release.py
5. Verify the ISO file with the cisco_x509_verify_release.py script verified in step 4.
   Example:
   ./cisco_x509_verify_release.py -e FND_RPM_SIGN-CCO_RELEASE.pem -s iot-fnd-<release>-<build number>.iso.signature -i iot-fnd-<release>-<build number>.iso -v dgst -sha512
   Retrieving CA certificate from http://www.cisco.com/security/pki/certs/crcam2.cer ...
   Successfully retrieved and verified crcam2.cer.
   Retrieving SubCA certificate from http://www.cisco.com/security/pki/certs/innerspace.cer ...
   Successfully retrieved and verified innerspace.cer.
   Successfully verified root, subca and end-entity certificate chain.
   Successfully fetched a public key from FND_RPM_SIGN-CCO_RELEASE.pem.
   Successfully verified the signature of iot-fnd-<release>-<build number>.iso using FND_RPM_SIGN-CCO_RELEASE.pem
6. Install the ISO image file (mount it as a loop device and copy its contents to /tmp/ISO).
   Example:
   cd /mnt
   mkdir iso
   mount -t iso9660 -o loop <path>/iot-fnd-<release>-<build number>.iso /mnt/iso
   mkdir /tmp/ISO
   cp -pRf /mnt/iso /tmp/ISO
   umount /mnt/iso/
7. Verify that the delivered binary and ASCII keys have matching fingerprints. Both commands must print the same key.
   Example:
   gpg FND-rel-binary.gpg
   gpg FND-rel-ascii.gpg
   pub 2048R/F7D5ED29 2017-01-01 identity-name (FND.rel) identity-name@cisco.com
   pub 2048R/F7D5ED29 2017-01-01 identity-name (FND.rel) identity-name@cisco.com
8. Verify the binary GPG key against the EE certificate.
   Example:
   ./cisco_openpgp_verify_release.py -e FND_RPM_SIGN-CCO_RELEASE.pem -G FND-rel-binary.gpg
   Downloading CA certificate from http://www.cisco.com/security/pki/certs/crcam2.cer ...
   Successfully downloaded crcam2.cer.
   Downloading SubCA certificate from http://www.cisco.com/security/pki/certs/innerspace.cer ...
   Successfully downloaded innerspace.cer.
   Successfully verified Cisco root, subca and end-entity certificate chain.
   Successfully fetched a public key from FND_RPM_SIGN-CCO_RELEASE.pem.
   Successfully authenticated FND-rel-binary.gpg key using Cisco X.509 certificate trust chain.
9. Verify the RPM signature using the GPG ASCII key.
   Example:
   sudo rpm --import FND-rel-ascii.gpg
   rpm -K /tmp/ISO/iso/cgms-<release>-<build number>.x86_64.rpm
   /tmp/ISO/iso/cgms-<release>-<build number>.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
You've verified the ISO and RPM signatures.
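As an added example that is not part of the Cisco documentation, the following script reproduces the mechanics of steps 3 and 4 with a constructed, throwaway signing certificate so that it runs offline: it extracts the public key from a certificate, verifies a detached SHA-512 RSA signature with openssl dgst, and shows that a one-byte change to the signed file is rejected. The names signer.pem, signer.key and verify.py are stand-ins for the shipped FND_RPM_SIGN-CCO_RELEASE.pem and cisco_x509_verify_release.py, not the real artefacts.

```shell
#!/bin/sh
# Added example, not from the Cisco documentation. Reproduces steps 3 and 4
# with a constructed signer so it runs offline: signer.pem stands in for
# FND_RPM_SIGN-CCO_RELEASE.pem, verify.py for cisco_x509_verify_release.py.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the vendor's end-entity certificate and its key.
make_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=constructed-signer" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.pem" 2>/dev/null
}

# Step 3: pull the public key out of the certificate; only it is needed to verify.
extract_pubkey() {
  openssl x509 -pubkey -noout -in "$WORK/signer.pem" > "$WORK/signer.pubkey"
}

# Step 4: check a detached SHA-512 RSA signature. Exit status 0 only on "Verified OK".
verify_file() {  # $1 = signed file, $2 = detached signature
  openssl dgst -sha512 -verify "$WORK/signer.pubkey" \
    -signature "$2" "$1" >/dev/null 2>&1
}

# Build the artefacts a vendor would ship: the script and its .signature file.
prepare_artifacts() {
  make_signer
  extract_pubkey
  printf '%s\n' 'print("release verifier")' > "$WORK/verify.py"
  openssl dgst -sha512 -sign "$WORK/signer.key" \
    -out "$WORK/verify.py.signature" "$WORK/verify.py"
}

# Prints "ok" for the untouched file.
check_genuine() {
  verify_file "$WORK/verify.py" "$WORK/verify.py.signature" && echo ok || echo fail
}

# Prints "fail": appending a single byte invalidates the signature.
check_tampered() {
  cp "$WORK/verify.py" "$WORK/tampered.py"
  printf '#' >> "$WORK/tampered.py"
  verify_file "$WORK/tampered.py" "$WORK/verify.py.signature" && echo ok || echo fail
}

prepare_artifacts
echo "genuine file: $(check_genuine), tampered file: $(check_tampered)"
```

The same exit-status check is what a wrapper around step 4 should key on: do not run cisco_x509_verify_release.py or cisco_openpgp_verify_release.py unless their own openssl dgst -verify step returned 0.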