Verifying Digital Deliveries from Kratos RT Logic


Summary:

This document contains a step-by-step procedure describing how to verify that a customer delivery is from Kratos RT Logic and has not been modified in transit. The verification process is based on md5sum and gpg.

Verification Requirements:

  1. Linux system with gpg (version >= 1.4) and md5sum installed.

  2. Public gpg key provided by Kratos RT Logic. The RTL public key can be downloaded here.

  3. md5sum log file provided by Kratos RT Logic, default file name: sn<serial_number>_md5sum.txt. This file lists an md5sum checksum for every file delivered on the media with serial number <serial_number>. The serial number is a six digit number such as 116394.

  4. Detached gpg signature file provided by RTL, default file name: sn<serial_number>_md5sum.sig. This detached signature is made over the sn<serial_number>_md5sum.txt file, and the two must be verified together: the signature establishes that the checksum list is genuine, and the checksums in turn cover the delivered files.

Verification Procedure:
  1. Copy the gpg public key, md5sum log file, and gpg detached signature file to a Linux machine in a temporary directory.

  2. Mount the CD/DVD or copy the contents of the delivery to a local directory on the Linux machine. If the deliverable is a *.iso or *.udf file, make sure that the files inside the iso or udf are visible, not just the image file itself. Usually mounting a CD or DVD with an iso or udf will automatically show the contents, but if not, a loopback mount can be used to show the contents of an iso or udf:
    Example (as root):
    # mkdir /mnt/temp_iso_extract
    # mount -o loop /tmp/my_deliverable_file.iso /mnt/temp_iso_extract

  3. Import and trust the gpg public key into your gpg keyring.
    Example (as your uid):
    $ gpg --import ./public.gpg-key
    $ gpg --edit-key publickeys@rtlogic.com
    Command > trust
    Your decision? 5 (I trust ultimately)
    y
    q

  4. Compare the delivered files with the md5sum log file using the “md5sum -c” command. This command must be run from the top level directory where the delivered files are staged on the Linux machine. Every file listed should report “OK” in the md5sum output.

    Commands:
    $ cd <top_directory_deliverables>
    $ md5sum -c <log_dir>/sn<serial_number>_md5sum.txt

    Example (as your uid):
    $ cd /mnt/Vbox_temp
    $ md5sum -c /tmp/sn116394_md5sum.txt
    ./32Bit/Readme.txt: OK
    ./64Bit/Readme.txt: OK
    ./AUTORUN.INF: OK
    ./autorun.sh: OK
    ./cert/oracle-vbox.cer: OK
    ./cert/VBoxCertUtil.exe: OK
    ./OS2/gengradd.dll: OK
    ./OS2/libc06.dll: OK
    ./OS2/libc061.dll: OK
    ./OS2/libc062.dll: OK
    ./OS2/libc063.dll: OK
    ./OS2/libc064.dll: OK
    ./OS2/libc065.dll: OK
    ./OS2/readme.txt: OK
    ./OS2/VBoxControl.exe: OK
    ./OS2/VBoxGuest.sys: OK
    ./OS2/vboxmouse.sys: OK
    ./OS2/VBoxReplaceDll.exe: OK
    ./OS2/VBoxService.exe: OK
    ./runasroot.sh: OK
    ./VBoxLinuxAdditions.run: OK
    ./VBoxSolarisAdditions.pkg: OK
    ./VBoxWindowsAdditions.exe: OK
    ./VBoxWindowsAdditions-amd64.exe: OK
    ./VBoxWindowsAdditions-x86.exe: OK

  5. Verify that the detached gpg signature file matches the md5sum log. The command should return:
    gpg: Good signature from "RT Logic (Real-Time Logic, Inc.) <publickeys@rtlogic.com> "
    Command:
    $ gpg --verify sn<serial_number>_md5sum.sig sn<serial_number>_md5sum.txt
    Example:
    $ gpg --verify sn116394_md5sum.sig sn116394_md5sum.txt
    gpg: Signature made Fri 30 Jun 2017 11:06:05 AM MDT using RSA key ID 89D8163C
    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
    gpg: next trustdb check due at 2020-06-26
    gpg: Good signature from "RT Logic (Real-Time Logic, Inc.) <publickeys@rtlogic.com> "
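The same checks as a shell script, added here as an example (it is not part of the RT Logic procedure or tooling): it verifies the detached signature before trusting the manifest, then runs md5sum -c, then lists files on the media that the manifest does not cover, which md5sum -c alone never reports. It assumes the RTL key was already imported and trusted (step 3) and takes the manifest, the .sig file and the staging directory as arguments.

```shell
#!/bin/sh
# Added example, not part of the RT Logic procedure: the delivery checks
# scripted so the detached signature is verified BEFORE the md5sum manifest
# is trusted, plus a coverage check md5sum -c does not perform (files on the
# media that the manifest never mentions).
# Assumed arguments: manifest (sn<serial>_md5sum.txt), detached .sig file,
# directory where the delivery is staged (e.g. the loopback mount point).
set -u

# Absolute path, so the manifest is still found after cd into the staging dir.
abspath() { (cd "$(dirname "$1")" && printf '%s/%s\n' "$(pwd)" "$(basename "$1")"); }

# Procedure step 5, run first: nothing in the manifest is trusted until gpg
# confirms the signature. VALIDSIG is the machine-readable, locale-independent
# equivalent of the "gpg: Good signature from ..." line; key trust is step 3.
verify_manifest_signature() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | grep -q '^\[GNUPG:\] VALIDSIG '
}

# Procedure step 4: md5sum -c exits non-zero if any listed file is missing,
# unreadable or does not match its recorded checksum.
check_listed_files() {
    manifest=$(abspath "$1")
    (cd "$2" && md5sum -c "$manifest")
}

# Paths present under the staging dir but absent from the manifest. Prints
# them one per line and returns 1 if there are any, 0 if coverage is complete.
find_unlisted_files() {
    manifest=$(abspath "$1")
    listed=$(mktemp); present=$(mktemp)
    # Manifest lines look like "<32 hex> <space or *>./path"; keep only the path.
    sed 's/^[0-9a-fA-F]\{32\} [ *]//; s#^\./##' "$manifest" | sort > "$listed"
    (cd "$2" && find . -type f | sed 's#^\./##' | sort) > "$present"
    extra=$(comm -13 "$listed" "$present" | sed 's#^#./#')
    rm -f "$listed" "$present"
    printf '%s\n' "$extra" | sed '/^$/d'
    [ -z "$extra" ]
}

verify_delivery() {
    verify_manifest_signature "$1" "$2" || { echo "BAD: manifest signature did not verify" >&2; return 1; }
    check_listed_files "$1" "$3"        || { echo "BAD: checksum mismatch or missing file" >&2; return 1; }
    find_unlisted_files "$1" "$3"       || { echo "WARN: files above are not in the manifest" >&2; return 2; }
    echo "OK: signature good, all listed files match, no unlisted files"
}

if [ "$#" -eq 3 ]; then verify_delivery "$@"; fi
```

Run it as `sh verify_delivery.sh sn116394_md5sum.txt sn116394_md5sum.sig /mnt/Vbox_temp` after step 3; a non-zero exit means the delivery must not be installed.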