Verifying Installation Package with PGP Signatures
Overview
Starting with Universal Controller 7.6 and Universal Agent 7.6, the installation packages are PGP-signed for security and authentication.
Verifying the files with digital signatures helps mitigate the risk of downloading and installing malicious or compromised software.
This page will show you how the signature interaction works and how you can verify the files once you download them.
Verifying PGP Signatures
The examples use the GNU Privacy Guard (GnuPG). Any OpenPGP-compliant program should work.
Each package has a corresponding .asc file (detached signature). For example, the release universal-controller-7.6.0.0.zip has a corresponding file, universal-controller-7.6.0.0.zip.asc.
These instructions assume you have already downloaded both of these files.
The example commands verify Universal Controller packages, but the instructions are the same for Universal Agent. The only difference in the commands is the file names.
1. Retrieve Public Key
Download the GPG public key from https://packages.stonebranch.com/uac/GPG-KEY-UAC.asc
2. Import and Certify the Public Key
Verify that the fingerprint of the public key is B666 8901 95B2 A3E6 F8A2 1FC8 77D5 3847 2C46 C119.
>gpg --import --import-options show-only GPG-KEY-UAC.asc
pub   rsa4096 2024-02-27 [C] [expires: 2027-02-26]
      B666890195B2A3E6F8A21FC877D538472C46C119
uid                      Stonebranch, Inc. <support@stonebranch.com>
sub   rsa4096 2024-02-27 [S] [expires: 2027-02-26]
sub   rsa4096 2024-02-27 [S] [expires: 2027-02-26]
Import the verified public key.
>gpg --import GPG-KEY-UAC.asc
gpg: key 77D538472C46C119: public key "Stonebranch, Inc. <support@stonebranch.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
Certify the public key by signing it with your private key.
>gpg --lsign B666890195B2A3E6F8A21FC877D538472C46C119
pub  rsa4096/77D538472C46C119
     created: 2024-02-27  expires: 2027-02-26  usage: C
     trust: unknown       validity: unknown
sub  rsa4096/2F768A37A6E81362
     created: 2024-02-27  expires: 2027-02-26  usage: S
sub  rsa4096/4836F914BEE9CDF3
     created: 2024-02-27  expires: 2027-02-26  usage: S
[ unknown] (1). Stonebranch, Inc. <support@stonebranch.com>
pub  rsa4096/77D538472C46C119
     created: 2024-02-27  expires: 2027-02-26  usage: C
     trust: unknown       validity: unknown
 Primary key fingerprint: B666 8901 95B2 A3E6 F8A2 1FC8 77D5 3847 2C46 C119
     Stonebranch, Inc. <support@stonebranch.com>
This key is due to expire on 2027-02-26.
Are you sure that you want to sign this key with your
key "*** <***>" (***)
The signature will be marked as non-exportable.
Really sign? (y/N) y
If you omit this step, then you will see the following warning when verifying the installation package signature.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
3. Verify the Installation Package Signature
Verify the installation packages.
>gpg --verify universal-controller-7.6.0.0.zip.asc universal-controller-7.6.0.0.zip
gpg: Signature made 04/02/24 15:45:21 Eastern Daylight Time
gpg:                using RSA key 7870D479A577FCF6518A62CD2F768A37A6E81362
gpg: Good signature from "Stonebranch, Inc. <support@stonebranch.com>" [full]
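The steps above can be scripted so that a download is accepted only when the signature traces back to the published primary key fingerprint. The following Python sketch is an added example, not Stonebranch code: it reads gpg's machine-readable output (--with-colons and --status-fd) instead of the human-readable text shown above. The function names and the sample status text are constructed for illustration, and verify() assumes the public key has already been imported as in step 2.

```python
import subprocess

# Primary key fingerprint published on this page, spaces removed.
EXPECTED_FPR = "B666890195B2A3E6F8A21FC877D538472C46C119"
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample of `gpg --status-fd 1 --verify` output (timestamps made up).
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG 2F768A37A6E81362 Stonebranch, Inc. <support@stonebranch.com>\n"
    "[GNUPG:] VALIDSIG 7870D479A577FCF6518A62CD2F768A37A6E81362 2024-04-02 "
    "1712087121 0 4 0 1 10 00 B666890195B2A3E6F8A21FC877D538472C46C119\n")

def key_fingerprint(colon_listing):
    """Primary-key fingerprint from a `gpg --with-colons` key listing, or None."""
    seen_pub = False
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            seen_pub = True
        elif fields[0] == "fpr" and seen_pub and len(fields) > 9:
            return fields[9]  # first fpr record after pub is the primary key
    return None

def signature_ok(status_text, expected_fpr=EXPECTED_FPR):
    """True only for a valid signature made under the pinned primary key."""
    valid = False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword in FAILURES:
            return False
        if keyword == "VALIDSIG":
            # args[0] is the signing (sub)key; the last field is its primary key.
            primary = args[9] if len(args) > 9 else args[0]
            if primary.upper() != expected_fpr:
                return False
            valid = True
    return valid

def verify(package, signature, keyfile):
    """Check the key file's fingerprint, then the detached signature, with gpg."""
    gpg = lambda *a: subprocess.run(["gpg", *a], capture_output=True, text=True)
    listing = gpg("--with-colons", "--import-options", "show-only", "--import", keyfile)
    if key_fingerprint(listing.stdout) != EXPECTED_FPR:
        return False
    result = gpg("--status-fd", "1", "--verify", signature, package)
    return result.returncode == 0 and signature_ok(result.stdout)
```

Matching on the primary key fingerprint in the VALIDSIG line, rather than on the "Good signature" text or the user ID, rejects a file signed by any other key that happens to be in the keyring.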