Manually verifying hotfix files by using third-party tools
For systems running Pega Platform 8.5 and later with no outbound URL connections, or for earlier versions of Pega Platform, you can use third-party tools to manually verify the digital certificate for a hotfix file.
This procedure assumes a Linux operating system.
Ensure that you have the following packages:

- Base64
- OpenSSL (https://www.openssl.org/)

1. If your instance of Pega Platform 8.5 or later does not allow outbound URL connections, disable revocation checking by changing the value of the hotfixmanager.enableRevocation dynamic setting for the Pega-UpdateManager ruleset from true to false. For more information, see Editing a dynamic system setting.
   Disabling revocation checking reduces the security of hotfix files. Disable the setting only if you are using third-party tools to verify the hotfix files.

2. Verify that the certificate is authentic and that it belongs to Pega:
   a. Extract the SIGFILE.JSON file from the CATALOG.ZIP file or the DL-<id>.zip file. The certificates object inside the SIGFILE.JSON file contains two values. For the purposes of this procedure, they are called pegasystems and intermediate, in that order.
   b. Use Base64 to decode each value into its own file by entering the following command:
      echo (certificate value) | base64 --decode > (pegasystems/intermediate).der
      You use the pegasystems.der file to verify the hotfix later in this procedure.
   c. Translate each certificate into the .crt format by entering the following command:
      openssl x509 -in (pegasystems/intermediate).der -inform der > (pegasystems/intermediate).crt
   d. View the first certificate as text and verify that the subject of the certificate has the following values: C = US, ST = Massachusetts, L = Cambridge, O = Pegasystems Inc., CN = Pegasystems Inc.
      openssl x509 -in pegasystems.crt -text -noout
   e. Verify the certificate chain. If the response is pegasystems.crt: OK, the verification was successful.
      openssl verify -crl_download -crl_check -untrusted intermediate.crt pegasystems.crt

3. Use the certificate's public key and the included signatures to verify the integrity of each file:
   a. Extract the public key from the pegasystems certificate.
      openssl x509 -pubkey -noout -in pegasystems.der -inform der > pubkey.pub
   b. Copy the value of the signature object for the file that you are verifying and use Base64 to decode this value to a file.
      echo (signature value) | base64 --decode > signature.sig
   c. Extract the file that you want to verify from the CATALOG.ZIP file or the DL-<id>.zip file.
   d. Verify the signature of the extracted file. If the response is Verified OK, the verification was successful.
      openssl dgst -verify pubkey.pub -keyform PEM -sha256 -signature signature.sig (file)
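The procedure above as one shell function, added here as an example rather than Pega's own documentation or tooling. It assumes you have already copied the two certificate values and the file's signature value out of SIGFILE.JSON, and it takes the trust anchor as an extra argument (name verify_hotfix_file and that argument are assumptions) because the page's openssl verify form relies on the root being in the system trust store and on CRL download, which needs outbound access.

```shell
# Added example, not Pega's own tooling: the page's base64/openssl steps chained
# into one function that stops at the first check that fails and reports which.
# Return codes: 1 decode/convert, 2 wrong subject, 3 chain not trusted, 4 bad signature.
# $5 (assumed) is a CA bundle path used with -CAfile, or "" for the page's form,
# which uses the system trust store and downloads CRLs (needs outbound access).
verify_hotfix_file() {
    pega_b64=$1 inter_b64=$2 sig_b64=$3 target=$4 cafile=${5:-}
    work=$(mktemp -d) || return 1
    if [ -n "$cafile" ]; then
        chain_opts="-CAfile $cafile"          # bundle path must not contain spaces
    else
        chain_opts="-crl_download -crl_check"
    fi
    rc=0
    # 1. Decode the two certificate values to DER and translate them to .crt (PEM).
    if ! { printf '%s' "$pega_b64" | base64 --decode > "$work/pegasystems.der" &&
           printf '%s' "$inter_b64" | base64 --decode > "$work/intermediate.der" &&
           openssl x509 -in "$work/pegasystems.der" -inform der -out "$work/pegasystems.crt" &&
           openssl x509 -in "$work/intermediate.der" -inform der -out "$work/intermediate.crt"; }
    then rc=1
    # 2. The leaf subject must be the Pega subject the page lists. RFC 2253 output
    #    (reversed order, no spaces) is stable across OpenSSL versions, so match on it.
    elif ! openssl x509 -in "$work/pegasystems.crt" -noout -subject -nameopt RFC2253 |
           grep -qF 'CN=Pegasystems Inc.,O=Pegasystems Inc.,L=Cambridge,ST=Massachusetts,C=US'
    then rc=2
    # 3. Chain: leaf -> intermediate (untrusted) -> trust anchor. Exit 0 means "OK".
    elif ! openssl verify $chain_opts -untrusted "$work/intermediate.crt" \
             "$work/pegasystems.crt" > /dev/null 2>&1
    then rc=3
    # 4. Public key from the leaf, decoded signature, SHA-256 signature check on the file.
    elif ! { openssl x509 -pubkey -noout -in "$work/pegasystems.der" -inform der > "$work/pubkey.pub" &&
             printf '%s' "$sig_b64" | base64 --decode > "$work/signature.sig" &&
             openssl dgst -verify "$work/pubkey.pub" -keyform PEM -sha256 \
                 -signature "$work/signature.sig" "$target" > /dev/null 2>&1; }
    then rc=4
    fi
    rm -rf "$work"
    return $rc
}
```

A non-zero return tells you which of the page's four checks failed; a tampered file fails only at the signature step, while a swapped or foreign certificate fails at the subject or chain step before any signature is looked at.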