Verify the package signature


This page explains how to verify the signature on Assured OSS packages. Package verification involves the following steps:

  • Verifying the digest
  • Verifying the signature
  • Verifying the certificate

Verifying digest

To verify the digest, do the following:

  1. Identify hashing algorithm: The digest.txt file contains the hashing algorithm used to calculate the digest. To identify the hashing algorithm, use the command:

    cut -d ':' -f1 digest.txt
    

    Check that the output is SHA256.

  2. Calculate the hash of the package: The hash can be calculated with various command-line tools, depending on the hash algorithm used. Assured OSS packages use the SHA-256 hash algorithm to generate the digest. On Linux, use the following command to calculate the hash:

    sha256sum PATH_TO_PACKAGE_FILE | cut -d ' ' -f1 > packagedigest.txt
    

    Where PATH_TO_PACKAGE_FILE is the path to the package in your local directory.

  3. Extract the hash from the digest: Run the following command to extract the hash from the digest.txt file:

    cut -d ':' -f2 digest.txt > signaturedigest.txt
    
  4. Compare the two digests: Use the following command to compare the two digests.

    diff packagedigest.txt signaturedigest.txt
    

    If the digests match, diff prints nothing and exits with status 0; any output means the package does not match the published digest.
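The four steps above combined into one check, as an added example that is not code from the Assured OSS documentation. It assumes digest.txt has the `SHA256:<hex>` layout the cut commands above rely on, needs only POSIX sh and sha256sum, and constructs its own stand-in package and digest files so it runs without a real Assured OSS download; it also adds the format checks (algorithm name, hex, length, case) that a bare diff does not perform.

```shell
#!/bin/sh
# Added example (not from the Assured OSS docs): verify a package digest
# against a digest.txt written as "ALGORITHM:HEX". Requires sha256sum.

# verify_digest PACKAGE DIGEST_FILE
# Returns 0 when DIGEST_FILE names SHA256 and its hex digest matches PACKAGE,
# non-zero (with a reason on stderr) otherwise.
verify_digest() {
  pkg="$1"
  digest_file="$2"

  [ -f "$pkg" ] || { echo "package not found: $pkg" >&2; return 2; }
  [ -f "$digest_file" ] || { echo "digest file not found: $digest_file" >&2; return 2; }

  # Step 1: the text before the colon names the hash algorithm.
  algo=$(cut -d ':' -f1 "$digest_file" | tr -d '[:space:]')
  if [ "$algo" != "SHA256" ]; then
    echo "unexpected hash algorithm: '$algo' (expected SHA256)" >&2
    return 1
  fi

  # Step 2: hash the package ourselves.
  actual=$(sha256sum "$pkg" | cut -d ' ' -f1 | tr 'A-F' 'a-f')

  # Step 3: the text after the colon is the published digest. Strip whitespace
  # and normalise case so a trailing newline or upper-case hex does not
  # produce a spurious mismatch.
  expected=$(cut -d ':' -f2 "$digest_file" | tr -d '[:space:]' | tr 'A-F' 'a-f')

  # Sanity check: a SHA-256 digest is exactly 64 hex characters.
  case "$expected" in
    *[!0-9a-f]*|'') echo "published digest is not hex: '$expected'" >&2; return 1 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "published digest has wrong length" >&2; return 1; }

  # Step 4: compare.
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "digest mismatch: computed $actual, published $expected" >&2
  return 1
}

# Constructed sample inputs: a stand-in package and three digest.txt variants.
demo_dir=$(mktemp -d)
printf 'constructed package contents\n' > "$demo_dir/package.tar.gz"
good_hash=$(sha256sum "$demo_dir/package.tar.gz" | cut -d ' ' -f1)
printf 'SHA256:%s\n' "$good_hash" > "$demo_dir/digest_good.txt"
printf 'SHA256:%s\n' "0000000000000000000000000000000000000000000000000000000000000000" > "$demo_dir/digest_tampered.txt"
printf 'MD5:d41d8cd98f00b204e9800998ecf8427e\n' > "$demo_dir/digest_wrongalgo.txt"

if verify_digest "$demo_dir/package.tar.gz" "$demo_dir/digest_good.txt"; then
  echo "good digest: verified"
fi
verify_digest "$demo_dir/package.tar.gz" "$demo_dir/digest_tampered.txt" 2>/dev/null || echo "tampered digest: rejected"
verify_digest "$demo_dir/package.tar.gz" "$demo_dir/digest_wrongalgo.txt" 2>/dev/null || echo "wrong algorithm: rejected"
```

The digest check on its own only proves that digest.txt describes the file you downloaded; because an attacker who can replace the package can usually replace digest.txt too, it is the signature and certificate checks in the following sections that give the digest any meaning.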

Verifying signature

To verify the signature, do the following:

  1. Obtain the public key from cert.pem using the following command:

    openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
    
  2. Extract the signature in binary format. To do this, use the command:

    cut -d ':' -f2 signature.txt | xxd -r -p > sig.sig
    
  3. Extract the digest in binary format using the command:

    cut -d ':' -f2 digest.txt | xxd -r -p > digest.bin
    
  4. Verify the signature using the command:

    openssl pkeyutl -in digest.bin -inkey pubkey.pem -pubin -verify -sigfile sig.sig
    

    Sample output

    Signature Verified Successfully

    Alternatively, verify the signature directly over the package file. OpenSSL hashes the file itself in this form, so the result does not depend on digest.txt:

    openssl dgst -sha256 -verify pubkey.pem -signature sig.sig PATH_TO_PACKAGE_FILE
    

    Where PATH_TO_PACKAGE_FILE is the path to the package in your local directory.

    Sample output

    Verified OK

Verifying certificate

To verify the certificate:

  1. Verify the certificate with the certificate chain present in the zip file using the command:

    openssl verify -verbose -CAfile certChain.pem cert.pem
    

    Sample output

    cert.pem: OK
    
  2. Verify the certificate chain with the public root certificate available here using the following command:

    openssl verify -verbose -CAfile ca.crt certChain.pem
    

    Sample output

    certChain.pem: OK
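Both procedures above (signature verification and certificate verification) as one added example; this is not code from the Assured OSS documentation. Because a real signed bundle cannot be embedded here, the script first constructs its own root CA, intermediate CA and signing certificate with openssl, signs a stand-in package, and writes signature.txt and digest.txt in the `LABEL:<hex>` layout the cut commands above assume; every file name, subject name and the `ECDSA` label is constructed. It also assumes that certChain.pem holds the intermediate certificate followed by the root, which is what makes the two openssl verify commands above succeed as shown; the page does not describe the bundle's layout, so treat that as an assumption.

```shell
#!/bin/sh
# Added example (not from the Assured OSS docs). Builds a throw-away chain
# root -> intermediate -> signer, signs a constructed package, then runs the
# page's signature and certificate checks as functions. Needs openssl and xxd.
set -e
work=$(mktemp -d)
cd "$work"

# --- constructed signing setup (stands in for the Assured OSS bundle) --------
printf 'constructed package contents\n' > package.tar.gz
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext

# Root CA: plays the role of the published root certificate (ca.crt).
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout root.key -out ca.crt -days 1 -subj '/CN=Example Root (constructed)' 2>/dev/null
# Intermediate CA, issued by the root.
openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout inter.key -out inter.csr -subj '/CN=Example Intermediate (constructed)' 2>/dev/null
openssl x509 -req -in inter.csr -CA ca.crt -CAkey root.key -CAcreateserial \
  -extfile ca.ext -days 1 -out inter.pem 2>/dev/null
# Leaf signing certificate (cert.pem), issued by the intermediate.
openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout signer.key -out signer.csr -subj '/CN=Example Signer (constructed)' 2>/dev/null
openssl x509 -req -in signer.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -extfile leaf.ext -days 1 -out cert.pem 2>/dev/null
# Assumption: certChain.pem = intermediate followed by root.
cat inter.pem ca.crt > certChain.pem

# Sign: digest.txt carries the SHA-256 hash of the package, signature.txt the
# ECDSA signature over that hash, both as "LABEL:hex" (labels constructed).
hash=$(openssl dgst -sha256 -r package.tar.gz | cut -d ' ' -f1)
printf 'SHA256:%s\n' "$hash" > digest.txt
printf '%s' "$hash" | xxd -r -p > digest.bin
openssl pkeyutl -sign -in digest.bin -inkey signer.key -out sig.sig
printf 'ECDSA:%s\n' "$(xxd -p sig.sig | tr -d '\n')" > signature.txt

# --- the page's checks, wrapped as functions ---------------------------------

# Signature route 1: verify the signature over the published digest bytes.
verify_signature_over_digest() {
  openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
  cut -d ':' -f2 signature.txt | xxd -r -p > sig.sig
  cut -d ':' -f2 digest.txt | xxd -r -p > digest.bin
  openssl pkeyutl -verify -in digest.bin -inkey pubkey.pem -pubin -sigfile sig.sig
}

# Signature route 2: hash the package file itself and verify against the same
# signature. Argument: package path (default: the constructed package).
verify_signature_over_package() {
  openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
  cut -d ':' -f2 signature.txt | xxd -r -p > sig.sig
  openssl dgst -sha256 -verify pubkey.pem -signature sig.sig "${1:-package.tar.gz}"
}

# Certificate checks: leaf against the bundled chain, then the chain's first
# certificate against the trusted root. Argument: root file (default ca.crt).
verify_cert_chain() {
  openssl verify -verbose -CAfile certChain.pem cert.pem &&
  openssl verify -verbose -CAfile "${1:-ca.crt}" certChain.pem
}

verify_signature_over_digest    # prints "Signature Verified Successfully"
verify_signature_over_package   # prints "Verified OK"
verify_cert_chain               # prints "cert.pem: OK" then "certChain.pem: OK"

# Negative case: a single changed byte in the package must break the signature.
printf 'constructed package contents!\n' > tampered.tar.gz
if verify_signature_over_package tampered.tar.gz 2>/dev/null; then
  echo "BUG: tampered package accepted"; exit 1
else
  echo "tampered package rejected"
fi
```

Two points worth keeping in mind when adapting this. First, the two signature routes agree here because the signing key is an EC key, for which pkeyutl treats its input as the raw hash; with an RSA key, pkeyutl needs `-pkeyopt digest:sha256` for the PKCS#1 encoding to match what `openssl dgst -verify` expects. Second, a passing signature check proves nothing on its own: whoever can replace the package can also replace cert.pem and signature.txt, so the certificate check against a root obtained from a trusted, out-of-band source is the step that anchors the whole procedure.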
    

Learn more

Assured Open Source Software is part of the Software Delivery Shield solution. Software Delivery Shield is a fully-managed, end-to-end software supply chain security solution that helps you to improve the security posture of developer workflows and tools, software dependencies, CI/CD systems used to build and deploy your software, and runtime environments such as Google Kubernetes Engine and Cloud Run. To learn how you can use Assured Open Source Software with other components of Software Delivery Shield to improve the security posture of your software supply chain, see Software Delivery Shield overview.

What's next?