Artifacts Verification

As presented in previous sections, the artifacts provided by ESF are digitally signed for security reasons. In particular, ESF comes with two types of artifacts: bundles and installers.

This section presents a short guide to verifying the signature of an ESF artifact in order to check its integrity.

ESF Bundles

In order to verify the signature of a bundle, use the jarsigner tool provided by the JDK installation:

jarsigner -verify -keystore file:${keystore_file} ${bundle_jar}

Here keystore_file is the keystore holding the customer key pair used for signing the customer bundles.

The same tool and procedure can be used to verify the integrity and authenticity of the bundles that are part of the ESF framework installation. To manually verify those resources, please use the certificates or the keystores provided in this section.
For a detailed guide on ESF Bundle Signing please refer to this page.

ESF installers

ESF is released with two types of installers: RPM and Debian package. Both RPM and DEB packages are signed with a Eurotech GPG key, and the following table summarizes the keys used for this procedure.

Resource:    Eurotech Everyware IoT ESF GPG KEY 2022
Description: GPG key for ESF installers signing 2022
Link:        https://esf-website-resources.s3.amazonaws.com/RPM-GPG-KEY-Everyware-IoT-ESF-2022.asc
MD5:         35449d6f12b78ece3264001913a9e341
Status:      Active

Resource:    Eurotech Everyware IoT ESF GPG KEY
Description: GPG key for ESF installers signing
Link:        https://eth-certificates.s3.amazonaws.com/ESF-certificates/RPM-GPG-KEY-Everyware-IoT-ESF.asc
MD5:         079bb4a41b86789bffd639a873bcd7db
Status:      Revoked

Modern package managers, such as dnf, yum or apt, can verify the signature of a package during installation or upgrade. However, there are situations where this is not possible and a manual verification is required.

The following sections describe how to manually verify the package signature of an ESF installer.

RPM packages

In order to verify an RPM package signature, the GPG key has to be imported into the system. This is done with the following command:

rpm --import <key>

The keys already installed in the system can be listed with this command:

rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'

Then the signature can be verified:

rpm --checksig <esf-installer>.rpm

If verification succeeds, the output is:

<esf-installer>.rpm: digests signatures OK

Alternatively, the following command prints all the information about the installer:

rpm -qpi <esf-installer>.rpm

For the esf-generic.x86_64 installer the output looks like this:

Name        : esf-generic-nn
Version     : 7.2.0
Release     : 1
Architecture: x86_64
Install Date: (not installed)
Group       : Application/Misc
Size        : 97164984
License     : (c) 2021 Eurotech SpA
Signature   : RSA/SHA256, Fri Aug 19 09:44:39 2022, Key ID a54d27178f1c9544
Source RPM  : esf-generic-nn-7.2.0-1.src.rpm
Build Date  : Fri Aug 19 09:41:27 2022
Build Host  : ip-10-20-100-129.ec2.internal
Relocations : (not relocatable)
Packager    : Eurotech SpA
Vendor      : Eurotech SpA
URL         : http://www.eurotech.com
Summary     : generic-x86_64-nn
Description :
Eurotech Everyware™ Software Framework (ESF) is a commercial, enterprise-ready edition of Eclipse Kura, the open source Java/OSGi edge computing platform for IoT gateways. Distributed and supported by Eurotech, ESF adds advanced security, diagnostics, provisioning, remote access and full integration with Everyware™ Cloud, Eurotech’s IoT Integration Platform.

Note that the Signature field holds the information about the key used for signing the installer. If the package is not signed, the Signature field contains (none).

Debian packages

As for RPM packages, the first step is to import the GPG key into the system:

gpg --import <key>.gpg

The GPG keys already imported into the system can be listed with this command:

gpg --list-keys

An ESF installer in Debian package format can be verified with the following command:

dpkg-sig --verify <esf-installer>.deb

For the Raspberry Pi installer the output looks like this:

Processing esf-raspberry-pi-nn_7.2.0-SNAPSHOT_arm64.deb...
GOODSIG _gpgeurotech 7C9BBBF6356830C7F666676200BB4911950C412B 166031681
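As an added example that is not part of the ESF documentation, the following POSIX shell script ties the steps above together: it checks a downloaded key file against the MD5 published in the key table, refuses to import the revoked key, and runs the verification command matching the package format. The MD5 values are the ones from the table; the function names and file paths are assumptions.

```shell
#!/bin/sh
# Added example (not ESF's own tooling). MD5 values below are the ones
# published in the key table of this page; the rest is assumed.

ESF_KEY_2022_MD5="35449d6f12b78ece3264001913a9e341"   # status: Active
ESF_KEY_OLD_MD5="079bb4a41b86789bffd639a873bcd7db"    # status: Revoked

# md5_of FILE -> prints the lowercase hex MD5 digest of FILE
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"                     # macOS fallback
    fi
}

# key_status FILE -> prints active / revoked / unknown according to the
# key table; exit status is 0 only for an active key
key_status() {
    digest=$(md5_of "$1")
    case "$digest" in
        "$ESF_KEY_2022_MD5") echo active;  return 0 ;;
        "$ESF_KEY_OLD_MD5")  echo revoked; return 1 ;;
        *)                   echo unknown; return 1 ;;
    esac
}

# import_key FILE -> imports the key for rpm and gpg only if it is active
import_key() {
    status=$(key_status "$1") || {
        echo "refusing to import $1: key status is $status" >&2
        return 1
    }
    rpm --import "$1" && gpg --import "$1"
}

# verify_installer FILE -> runs the check matching the package format,
# exactly as in the RPM and Debian sections above
verify_installer() {
    case "$1" in
        *.rpm) rpm --checksig "$1" ;;
        *.deb) dpkg-sig --verify "$1" ;;
        *)     echo "unsupported package: $1" >&2; return 2 ;;
    esac
}
```

Usage: import_key RPM-GPG-KEY-Everyware-IoT-ESF-2022.asc && verify_installer esf-generic-nn-7.2.0-1.x86_64.rpm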