Introduction

SOS digitally signs JS7 releases that are offered for download:

• X509 signatures, SHA hashes and timestamps are available with the releases.
• Users can verify a release file's hash value to prove
  • that the file downloaded corresponds to what is offered from the download site.
  • This check does not prove authenticity of the file being published by SOS.
• Users can verify a release file's signature to prove
  • that the file in fact was created and signed by SOS,
  • that the file's signature is valid.
• Users can verify a signature's timestamp.
  • This is useful if older releases are downloaded at a point in time when the signing certificate will be expired and invalid.
  • The timestamp allows to verify that a valid code signing certificate was used at the point in time of signing.

Verifying Releases

The below examples make use of a specific JS7 release. Consider to use an up-to-date JS7 release as indicated by JS7 - Download.

Examples are provided for Unix and Windows.

Comparing Hashes

The following example downloads a release file (.tar.gz) and the corresponding hash file (.sha256). The hash of the release file is compared to the hash file.

This check proves that a release file was not changed after creation of the hash file. The check does not prove authenticity of the release file.

# download release tarball
curl 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_unix.2.5.3.tar.gz' -o js7_agent_unix.2.5.3.tar.gz

# download hash file
curl 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_unix.2.5.3.tar.gz.sha256' -o js7_agent_unix.2.5.3.tar.gz.sha256

# compare hashes of downloaded release file and hash file
sha256sum --check js7_agent_unix.2.5.3.tar.gz.sha256

# download release tarball
Invoke-WebRequest -Uri 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_windows.2.5.3.zip' -Outfile js7_agent_windows.2.5.3.zip

# download hash file
Invoke-WebRequest -Uri 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_windows.2.5.3.zip.sha256' -Outfile js7_agent_windows.2.5.3.zip.sha256

# compare hashes of downloaded release file and hash file
(Get-FileHash js7_agent_windows.2.5.3.zip -Algorithm SHA256).Hash -eq ((Get-Content -Path js7_agent_windows.2.5.3.zip.sha256) -replace '\s.*')

Verifying Signatures

Signatures for release files are created from the SOS Code Signing Certificate. The certificate chain is available from the following certificates:

• SOS Code Signing Certificate: https://download.sos-berlin.com/certs/release-signing/SOSReleaseSigning.crt 
• First Intermediate CA Certificate: https://download.sos-berlin.com/certs/release-signing/SectigoPublicCodeSigningCAE36.crt 
• Second Intermediate CA Certificate: https://download.sos-berlin.com/certs/release-signing/SectigoPublicCodeSigningRootE46_AAA.crt 
• Root CA Certificate: https://download.sos-berlin.com/certs/release-signing/AAACertificateServices.crt 

Verification of a signature requires to convert the downloaded signature file (.sig) from base64 to a binary format and to verify that the signature file and hash file will match.

This check proves the authenticity of a release file's signature that is published by SOS. The check is complementary to comparing hashes.

# download hash file
curl 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_unix.2.5.3.tar.gz.sha256' -o js7_agent_unix.2.5.3.tar.gz.sha256

# download signature file
curl 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_unix.2.5.3.tar.gz.sig' -o js7_agent_unix.2.5.3.tar.gz.sig

# download certificate
curl 'https://download.sos-berlin.com/certs/release-signing/SOSReleaseSigning.crt' -o SOSReleaseSigning.crt 

# convert base64 signature to binary format
openssl base64 -d -in js7_agent_unix.2.5.3.tar.gz.sig -out js7_agent_unix.2.5.3.tar.gz.sig.bin

# verify signature (bash version)
openssl dgst -sha256 -verify <(openssl x509 -in SOSReleaseSigning.crt -pubkey -noout) -signature js7_agent_unix.2.5.3.tar.gz.sig.bin js7_agent_unix.2.5.3.tar.gz.sha256

# verify signature (alternative non-bash version)
# openssl x509 -in SOSReleaseSigning.crt -pubkey -noout > SOSReleaseSigning.pub
# openssl dgst -sha256 -verify SOSReleaseSigning.pub -signature js7_agent_unix.2.5.3.tar.gz.sig.bin js7_agent_unix.2.5.3.tar.gz.sha256

For Windows the OpenSSL utility might not be available out-of-the-box. Check to download OpenSSL for Windows from a secure site. The below example makes use of PowerShell and the OpenSSL utility.

# download hash file
Invoke-WebRequest -Uri 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_windows.2.5.3.zip.sha256' -Outfile js7_agent_windows.2.5.3.zip.sha256

# download signature file
Invoke-WebRequest -Uri 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_windows.2.5.3.zip.sig' -Outfile js7_agent_windows.2.5.3.zip.sig

# download certificate
Invoke-WebRequest -Uri 'https://download.sos-berlin.com/certs/release-signing/SOSReleaseSigning.crt' -Outfile SOSReleaseSigning.crt

# convert base64 signature to binary format
openssl base64 -d -in js7_agent_windows.2.5.3.zip.sig -out js7_agent_windows.2.5.3.zip.sig.bin

# verify signature
openssl x509 -in SOSReleaseSigning.crt -pubkey -noout > SOSReleaseSigning.pub
openssl dgst -sha256 -verify SOSReleaseSigning.pub -signature js7_agent_windows.2.5.3.zip.sig.bin js7_agent_windows.2.5.3.zip.sha256

Checking Timestamps

JS7 releases are digitally signed using timestamps.

• A Time Stamp Server signs the hash of the release file.
• The Time Stamp Server's response is available for download from a timestamp file that indicates the signature of the Time Stamp Server.

Verification includes to check that timestamps are valid and match the hashes of release files.

• This includes to have the Time Stamp Server's certificate chain in place. JS7 releases frequently make use of Apple's Time Stamp Server, however, this can change.
• At the time of writing the following certificates are used:
  • AppleTimestampCA.cer

  • AppleIncRootCertificate.cer
    
    

    Verify Time Stamp Server Certificates (Unix)

    # download Apple Time Stamp Server certificate
    curl --remote-name https://www.apple.com/certificateauthority/AppleTimestampCA.cer
    
    # download Apple Root certificate
    curl --remote-name https://www.apple.com/appleca/AppleIncRootCertificate.cer
    
    # convert from der to pem format
    openssl x509 -inform der -in AppleIncRootCertificate.cer -out AppleIncRootCertificate.pem

    
    For Windows the OpenSSL utility might not be available out-of-the-box. Check to download OpenSSL for Windows from a secure site. The below example makes use of PowerShell and the OpenSSL utility.
    
    

    Verify Time Stamp Server Certificates (Windows using PowerShell)

    # download Apple Time Stamp Server certificate
    Invoke-WebRequest -Uri 'https://www.apple.com/certificateauthority/AppleTimestampCA.cer' -Outfile AppleTimestampCA.cer
    
    # download Apple Root certificate
    Invoke-WebRequest -Uri 'https://www.apple.com/appleca/AppleIncRootCertificate.cer' -Outfile AppleIncRootCertificate.cer
    
    # convert from der to pem format
    openssl x509 -inform der -in AppleIncRootCertificate.cer -out AppleIncRootCertificate.pem

• Consider that Time Stamp Server certificates will change as they are frequently updated.

Apply the following commands to check Time Stamp Server certificates :

# download release tarball
curl 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_unix.2.5.3.tar.gz' -o js7_agent_unix.2.5.3.tar.gz

# download timestamp
curl 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_unix.2.5.3.tar.gz.tsr' -o js7_agent_unix.2.5.3.tar.gz.tsr

# verify timestamp
openssl ts -verify -sha256 -in js7_agent_unix.2.5.3.tar.gz.tsr -data js7_agent_unix.2.5.3.tar.gz -CAfile AppleIncRootCertificate.pem -untrusted AppleTimestampCA.cer

For Windows the OpenSSL utility might not be available out-of-the-box. Check to download OpenSSL for Windows from a secure site. The below example makes use of PowerShell and the OpenSSL utility.

# download release tarball
Invoke-WebRequest -Uri 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_windows.2.5.3.zip' -Outfile js7_agent_windows.2.5.3.zip

# download timestamp
Invoke-WebRequest -Uri 'https://download.sos-berlin.com/JobScheduler.2.5/js7_agent_windows.2.5.3.zip.tsr' -Outfile js7_agent_windows.2.5.3.zip.tsr

# verify timestamp (some OpenSSL versions might require a configuration file to be specified)
$tempFile = New-TemporaryFile
openssl ts -verify -sha256 -in js7_agent_windows.2.5.3.zip.tsr -data js7_agent_windows.2.5.3.zip -CAfile AppleIncRootCertificate.pem -untrusted AppleTimestampCA.cer -config $tempFile

Further Resources

• JS7 - Verifying signatures of PowerShell scripts