PublicKey

Verifying Digital Deliveries from RT Logic


Summary:

This document contains a step by step procedure describing how to verify that a customer delivery is from RT Logic and has not been modified in transit. The verification process is based on md5sum and gpg.

Verification Requirements:

  1. Linux system with gpg (version >= 1.4) and md5sum installed.

  2. Public gpg key provided by RT Logic. The RTL public key can be downloaded here.

  3. md5sum log file provided by RTL, default format: sn<serial_number>_md5sum.txt. This md5sum file contains a list of md5sum checksums for every file delivered with the media that has serial number <serial_number>. The serial number is a six digit number such as 116394.

  4. Detached gpg signature file provided by RTL, default format: sn<serial_number>_md5sum.sig. This detached gpg signature file is based on the sn<serial_number>_md5sum.txt file, and must be verified together.
Verification Procedure:
  1. Copy the gpg public key, md5sum log file, and gpg detached signature file to a Linux machine in a temporary directory.

  2. Mount the contents of the CD/DVD or copy the contents of the delivery to a local directory on the Linux machine. If the deliverable is a *.iso or *.udf file, make sure that the contents of the iso or udf are listed. Usually mounting a CD or DVD with an iso or udf will automatically show the contents, but if not a loopback mount can be used to show the contents of an iso or udf:
    Example (as root):
    # mkdir /mnt/temp_iso_extract
    # mount -o loop /tmp/my_deliverable_file.iso /mnt/temp_iso_extract

  3. Import and trust the gpg public key into your gpg keyring.
    Example (as your uid):
    $ gpg --import ./public.gpg-key
    $ gpg --edit-key publickeys@rtlogic.com
    Command > trust
    Your decision? 5 (I trust ultimately)
    y
    q

  4. Compare the delivered files with the md5sum log file using the “md5sum -c“ command. This command must be run from the top level where the delivered files are staged on the Linux machine. Every file detected should return “OK” from the md5sum output.

    Commands:
    $ chdir <top_directory_deliverables>
    $ md5sum -c <log_dir>/sn<serial_number>_md5sum.txt

    Example (as your uid):
    $ cd /mnt/Vbox_temp
    $ md5sum -c /tmp/sn116394_md5sum.txt
    ./32Bit/Readme.txt: OK
    ./64Bit/Readme.txt: OK
    ./AUTORUN.INF: OK
    ./autorun.sh: OK
    ./cert/oracle-vbox.cer: OK
    ./cert/VBoxCertUtil.exe: OK
    ./OS2/gengradd.dll: OK
    ./OS2/libc06.dll: OK
    ./OS2/libc061.dll: OK
    ./OS2/libc062.dll: OK
    ./OS2/libc063.dll: OK
    ./OS2/libc064.dll: OK
    ./OS2/libc065.dll: OK
    ./OS2/readme.txt: OK
    ./OS2/VBoxControl.exe: OK
    ./OS2/VBoxGuest.sys: OK
    ./OS2/vboxmouse.sys: OK
    ./OS2/VBoxReplaceDll.exe: OK
    ./OS2/VBoxService.exe: OK
    ./runasroot.sh: OK
    ./VBoxLinuxAdditions.run: OK
    ./VBoxSolarisAdditions.pkg: OK
    ./VBoxWindowsAdditions.exe: OK
    ./VBoxWindowsAdditions-amd64.exe: OK
    ./VBoxWindowsAdditions-x86.exe: OK

  5. Verify that the detached gpg signature file matches the md5sum log. The command should return:
    gpg: Good signature from "RT Logic (Real-Time Logic, Inc.) <publickeys@rtlogic.com> "
    Command:
    $ gpg --verify sn<serial_number>_md5sum.sig sn<serial_number>_md5sum.txt
    Example:
    $ gpg --verify sn116394_md5sum.sig sn116394_md5sum.txt
    gpg: Signature made Fri 30 Jun 2017 11:06:05 AM MDT using RSA key ID 89D8163C
    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
    gpg: next trustdb check due at 2020-06-26
    gpg: Good signature from "RT Logic (Real-Time Logic, Inc.) <publickeys@rtlogic.com> "

Visit Our Careers Page

Check out our listings and become a part of the team.

Contact

Edward A. Pforr
RT Logic QA Manager, (719) 884-6347 (direct), or at epforr@rtlogic.com