Close popover

Table of Contents

Manually verifying hotfix files by using third-party tools

For systems running Pega Platform 8.5 and later with no outbound URL connections, or for earlier versions of Pega Platform, you can use third-party tools to manually verify the digital certificate for a hotfix file.

Do not attempt to perform this procedure if you are not familiar with Linux, Base64, and OpenSSL.

This procedure assumes a Linux operating system.

Ensure that you have the following packages:

  • Base64

  • OpenSSL (

  1. If your instance of Pega Platform 8.5 or later does not allow outbound URL connections, disable revocation checking by changing the value of the hotfixmanager.enableRevocation dynamic setting for the Pega-UpdateManager ruleset from true to false.

    For more information, see Editing a dynamic system setting.

    Disabling revocation checking reduces the security of hotfix files. Disable the setting only if you are using third-party tools to verify the hotfix files.
  2. Verify that the certificate is authentic and that it belongs to Pega:

    1. Extract the SIGFILE.JSON file from the CATALOG.ZIP file or the DL-<id>.zip file.

      In the certificates object inside the SIGFILE.JSON file are two values. For the purposes of this procedure, they are called pegasystems and intermediate, in that order.
    2. Use Base64 to decode each value into its own file by entering the following command:

      echo (certificate value) | base64 --decode > (pegasystems/intermediate).der
      You use the pegasystems.der file to verify the hotfix later in this procedure.
    3. Translate each certificate into the .crt format by entering the following command:

      openssl x509 -in (pegasystems/intermediate).der -inform der > (pegasystems/intermediate).crt
    4. View the first certificate as text and verify that the subject of the certificate has the following values: C = US, ST = Massachusetts, L = Cambridge, O = Pegasystems Inc., CN = Pegasystems Inc..

      openssl x509 -in pegasystems.crt -text -noout
    5. Verify the certificate chain. If the response is pegasystems.crt: OK, the verification was successful.

      openssl verify -crl_download -crl_check -untrusted intermediate.crt pegasystems.crt
  3. Use the certificate's public key and the included signatures to verify the integrity of each file.

    1. Extract the public key from the pegasystems certificate.

      openssl x509 -pubkey -noout -in pegasystems.der -inform der >
    2. Copy the value for the signature object for the file that you are verifying and use Base64 to decode this value to a file.

      echo (signature value) | base64 --decode > signature.sig
    3. Extract the file that you want to verify from the CATALOG.ZIP file or the DL-<id>.zip file.

    4. Verify the signature of the extracted file. If the response is Verified OK, the verification was successful.

      openssl dgst -verify -keyform PEM -sha256 -signature signature.sig (file)

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.