Manually verifying hotfix files by using third-party tools
For systems running Pega Platform 8.5 and later with no outbound URL connections, or for earlier versions of Pega Platform, you can use third-party tools to manually verify the digital certificate for a hotfix file.
This procedure assumes a Linux operating system.
Ensure that you have the following packages:
If your instance of Pega Platform 8.5 or later does not allow outbound URL connections, disable revocation checking by changing the value of the hotfixmanager.enableRevocation dynamic setting for the Pega-UpdateManager ruleset from
For more information, see Editing a dynamic system setting.Disabling revocation checking reduces the security of hotfix files. Disable the setting only if you are using third-party tools to verify the hotfix files.
Verify that the certificate is authentic and that it belongs to Pega:
SIGFILE.JSONfile from the
CATALOG.ZIPfile or the
DL-<id>.zipfile.In the certificates object inside the
SIGFILE.JSONfile are two values. For the purposes of this procedure, they are called
intermediate, in that order.
Use Base64 to decode each value into its own file by entering the following command:
echo (certificate value) | base64 --decode > (pegasystems/intermediate).der
You use the
pegasystems.derfile to verify the hotfix later in this procedure.
Translate each certificate into the
.crtformat by entering the following command:
openssl x509 -in (pegasystems/intermediate).der -inform der > (pegasystems/intermediate).crt
View the first certificate as text and verify that the subject of the certificate has the following values:
C = US, ST = Massachusetts, L = Cambridge, O = Pegasystems Inc., CN = Pegasystems Inc..
openssl x509 -in pegasystems.crt -text -noout
Verify the certificate chain. If the response is
pegasystems.crt: OK, the verification was successful.
openssl verify -crl_download -crl_check -untrusted intermediate.crt pegasystems.crt
Use the certificate's public key and the included signatures to verify the integrity of each file.
Extract the public key from the pegasystems certificate.
openssl x509 -pubkey -noout -in pegasystems.der -inform der > pubkey.pub
Copy the value for the
signatureobject for the file that you are verifying and use Base64 to decode this value to a file.
echo (signature value) | base64 --decode > signature.sig
Extract the file that you want to verify from the
CATALOG.ZIPfile or the
Verify the signature of the extracted file. If the response is
Verified OK, the verification was successful.
openssl dgst -verify pubkey.pub -keyform PEM -sha256 -signature signature.sig (file)