Refer to the following sections for details about the purpose, intended audience, and scope of this document.

Document Purpose

The purpose of this document is to outline how to manually validate the digital signatures of resources provided by Progress Kemp. Resources such as firmware, patches, and add-ons have associated XML files which contain the MD5 and SHA-256 checksums of the resource and are digitally signed by Progress Kemp.

You can automatically validate digital signatures easily using the Web User Interface (WUI). Simply enable the Display Verify Update Option check box in System Configuration > Miscellaneous Options > WUI Settings. This provides an option to upload the XML verification file when updating the software or installing an add-on file on the System Configuration > System Administration > Update Software page.

Intended Audience

This document is intended to guide any administrator or corporate security officer through the options to validate the integrity and authenticity of downloaded Progress Kemp resources.

Scope

This document provides details on how to manually validate the digital signatures of resources provided by Progress Kemp.

Progress Kemp Digital Signatures

All releases and associated add-on packages are digitally signed using XML-format signature files (also known as 'detached signatures') that conform to the best practices defined by the World Wide Web Consortium (W3C) for XML Signature Syntax and Processing. The XML signature filenames include the filename of the downloaded installation package as a prefix with the extension .checksum.xml.

The digital signing process employs an SSL certificate that has an expiration date. When the certificate reaches its expiration date, signature validation using this certificate will fail. Therefore, vendors need to update this certificate occasionally so that verification of digital signatures continues to work.

CAUTION: On May 27th 2022, the SSL certificate used to sign release artifacts for version 7.2.56.x and prior releases expired.

All releases that occur after the above date (for example, 7.2.57.0) will be digitally signed using a newly obtained certificate.

What Does This Mean To You?

After 27th May 2022, verifying digital signatures for Operating System (OS) images and add-on packages will work only if the image or add-on package was signed with the new certificate. So, for example, you will be able to verify the XML signature in these scenarios:

  • Updating 7.2.55.0 to 7.2.57.0 (or a later version).

  • Installing an add-on package released with 7.2.57.0 (or a later version).

Verifying XML signatures will not work if you attempt to update the system with any OS update image or add-on package signed with the earlier, expired certificate. So, for example, XML signature verification will fail in these scenarios:

  • Updating any release using an OS 7.2.56.0 image.

  • Updating any release with the 7.2.55.0 Network Telemetry add-on package.

In these cases, you will need to skip XML signature verification when installing the OS image or add-on package. This can be done by navigating to System Configuration > Miscellaneous Options > WUI Settings and setting the Update Verification Options field to Optional. This allows you to skip XML verification when you install the image. Once the update is complete, XML verification for future upgrades can once again be set to Required (if desired).

XML Signature Validation

There are a number of different approaches to validation of detached XML signature files. The XML signature file is viewable in a text editor and looks something like the following:

SHA-256 Checksum Comparison

The basic process to validate the integrity of a Progress Kemp resource is to do a checksum comparison:

  1. Perform a local SHA-256 checksum on the downloaded Progress Kemp resource.
    • On Windows: certUtil -hashfile <PathToResource> SHA256
    • On Unix: sha256sum <PathToResource>
  2. Compare the locally generated SHA-256 checksum with the checksum contained in the XML signature file. To do this, open the XML signature file in a text editor and compare the SHA-256 checksum under <checksum><sha256> with the locally generated one. If these values do not match, then the original resource has been altered and should not be trusted.
  3. If the checksums match, validate the digital signature of the XML signature file.

Verifying the XML Digital Signature

A number of tools exist to validate detached XML signatures as provided by Progress Kemp. We recommend using the XMLSec Library (https://www.aleksey.com/xmlsec/) to verify the authenticity of XML signature files. This site provides sources and downloadable binaries for Windows platforms. This tool is available on many Linux environments as the xmlsec1 command.

XML 7.2.50 and Below

Verify the authenticity of the digital signature for XML files version 7.2.50 and below using the following xmlsec1 command.

xmlsec1 -–verify <XMLSignatureFile>

If there are any errors in the output of the above command, the XML signature file has been altered and should not be trusted.

XML 7.2.57 and Above

As of firmware version 7.2.57 there is a new certificate used to verify the authenticity of the XML digital signature. To verify the authenticity of the XML digital signature, you must first download the Progress Kemp certificate bundle.

This downloads a zip archive with three certificates:

  1. root.kemp.crt – Root Progress Kemp CA certificate
  2. ca.kemp.crt – Intermediate Progress Kemp CA certificate
  3. codesign.kemp.crt – Progress Kemp code signing certificate

Unzip the archive into a desired location.

Verify the authenticity of the digital signature for XML files version 7.2.57 and above using the following xmlsec1 command.

xmlsec1 --verify --enabled-key-data x509 --trusted-pem root.kemp.crt --trusted-pem ca.kemp.crt <XMLSignatureFile>

The expected output of successful verification is as follows:

OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

If there are any errors in the output of the above command, the XML signature file has been altered and should not be trusted.