Versions Compared

Old Version 5

changes.mady.by.user Stonebranch

Saved on

compared with

New Version 6

changes.mady.by.user Stonebranch

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Overview

For Universal Controller and Universal Agent 7.6 and forward, the installation packages are PGP-signed for security and authentication.

Verifying the files with digital signatures helps mitigate the risk of downloading and installing malicious or compromised software.

You can download the public key here to verify packages.

This page will show you how the signature interaction works and how you can verify the files once you download them.

Checking Signatures

Info

The example provided uses The GNU Privacy Guard. Any OpenPGP -compliant program should work successfully.

Each package has a corresponding .asc file (detached signature). For example, the release EXAMPLE FILE NAME release universal-controller-7.6.0.0-build.140.zip would have a corresponding file, EXAMPLE ASC FILE NAME universal-controller-7.6.0.0-build.140.zip.asc.

These instructions assume you have already installed both of these files. 

Check the detached signature(EXAMPLE) against the corresponding release(EXAMPLE ASC). 

Code Block
COMMAND LINES

...

1. Retrieve Public Key

Download the GPG public key from https://packages.stonebranch.com/uac/GPG-KEY-UAC.asc

2. Import and Sign the Public Key.

Verify that the fingerprint of the public key is B666 8901 95B2 A3E6 F8A2 1FC8 77D5 3847 2C46 C119.

Code Block
languagetext
>gpg --import --import-options show-only GPG-KEY-UAC.asc
pub   rsa4096 2024-02-27 [C] [expires: 2027-02-26]
      B666890195B2A3E6F8A21FC877D538472C46C119
uid                      Stonebranch, Inc. <support@stonebranch.com>
sub   rsa4096 2024-02-27 [S] [expires: 2027-02-26]
sub   rsa4096 2024-02-27 [S] [expires: 2027-02-26]

Import the verified public key.

Code Block
languagetext
>gpg --import GPG-KEY-UAC.asc
gpg: key 77D538472C46C119: public key "Stonebranch, Inc. <support@stonebranch.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Certify the public key by signing it with your private key.

Code Block
languagetext
>gpg --lsign B666890195B2A3E6F8A21FC877D538472C46C119

pub  rsa4096/77D538472C46C119
     created: 2024-02-27  expires: 2027-02-26  usage: C
     trust: unknown       validity: unknown
sub  rsa4096/2F768A37A6E81362
     created: 2024-02-27  expires: 2027-02-26  usage: S
sub  rsa4096/4836F914BEE9CDF3
     created: 2024-02-27  expires: 2027-02-26  usage: S
[ unknown] (1). Stonebranch, Inc. <support@stonebranch.com>


pub  rsa4096/77D538472C46C119
     created: 2024-02-27  expires: 2027-02-26  usage: C
     trust: unknown       validity: unknown
 Primary key fingerprint: B666 8901 95B2 A3E6 F8A2  1FC8 77D5 3847 2C46 C119

     Stonebranch, Inc. <support@stonebranch.com>

This key is due to expire on 2027-02-26.
Are you sure that you want to sign this key with your
key "*** <***>" (***)

The signature will be marked as non-exportable.

Really sign? (y/N) y


Note

If you omit this step, then you will see the following warning when verifying the Universal Controller archive signature.

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.


3. Verify the Archive

Verify the installation packages.

Code Block
languagetext
>gpg --verify universal-controller-7.6.0.0-build.140.zip.asc universal-controller-7.6.0.0-build.140.zip
gpg: Signature made 04/02/24 15:45:21 Eastern Daylight Time
gpg:                using RSA key 7870D479A577FCF6518A62CD2F768A37A6E81362
gpg: Good signature from "Stonebranch, Inc. <support@stonebranch.com>" [full]