Space Products Support: PublicKey

Verifying Digital Deliveries from Kratos

Summary:

This document is a step by step procedure for verifying that a customer delivery came from Kratos and has not been modified in transit. The check has two parts: a gpg detached signature proves that the md5sum log file was produced by Kratos, and md5sum -c then proves that every delivered file matches that log. The individual files are not signed themselves; their integrity rests entirely on the signed log, so the signature check is the step that matters and must succeed before any checksum result is relied on. MD5 is no longer collision resistant, but producing a second file that matches a given checksum (a second preimage) remains impractical, so a file altered after Kratos generated the log will still be detected as long as the log being compared against is authentic.

Verification Requirements:

  1. Linux system with gpg (version >= 1.4) and md5sum installed.
  2. Public gpg key provided by Kratos. The RTL public key can be downloaded here.
  3. md5sum log file provided by Kratos, default name sn<serial_number>_md5sum.txt. This file lists the md5sum checksum of every file delivered on the media with serial number <serial_number>. The serial number is a six digit number such as 116394.
  4. Detached gpg signature file provided by Kratos, default name sn<serial_number>_md5sum.sig. This signature is made over the sn<serial_number>_md5sum.txt file, so the two must be verified together; the signature says nothing about any other file.

Verification Procedure:

  1. Copy the gpg public key, md5sum log file, and gpg detached signature file to a Linux machine in a temporary directory.
  2. Mount the CD/DVD, or copy the contents of the delivery to a local directory on the Linux machine. If the deliverable is a *.iso or *.udf image file, the checks must be run against the files inside the image, not against the image file itself. Mounting a CD or DVD normally exposes the contents directly; for an image file that is not mounted automatically, use a loopback mount:
    Example (as root):
    # mkdir /mnt/temp_iso_extract

    # mount -o loop /tmp/my_deliverable_file.iso /mnt/temp_iso_extract
  3. Import the gpg public key into your gpg keyring and assign it trust. Before assigning trust, confirm the key's full fingerprint (gpg --fingerprint publickeys@rtlogic.com) against a fingerprint obtained from Kratos through a channel independent of the delivery itself. Ultimate trust makes this key a trust root in your keyring: every signature it makes will be reported as good with no further warning, so the fingerprint comparison is the only thing that stops an attacker-supplied key from being accepted at this step.
    Example (as your uid):
    $ gpg --import ./public.gpg-key

    $ gpg --edit-key publickeys@rtlogic.com

    Command > trust

    Your decision? 5
    (I trust ultimately)
    y

    q
  4. Compare the delivered files with the md5sum log file using the “md5sum -c“ command. Run it from the top level directory where the delivered files are staged, because the paths in the log are relative to that directory. Every listed file should report “OK”; any “FAILED” or “No such file or directory” line means the delivery is incomplete or altered. md5sum also exits non-zero if any check fails, which is more reliable than reading a long list by eye, and md5sum -c examines only the files named in the log, so files present on the media but absent from the log are not checked at all. Act on these results only after step 5 has shown that the log itself carries a good Kratos signature.

    Commands:
    $ cd <top_directory_deliverables>

    $ md5sum -c <log_dir>/sn<serial_number>_md5sum.txt


    Example (as your uid):
    $ cd /mnt/Vbox_temp

    $ md5sum -c /tmp/sn116394_md5sum.txt
    ./32Bit/Readme.txt: OK
    ./64Bit/Readme.txt: OK
    ./AUTORUN.INF: OK
    ./autorun.sh: OK
    ./cert/oracle-vbox.cer: OK
    ./cert/VBoxCertUtil.exe: OK
    ./OS2/gengradd.dll: OK
    ./OS2/libc06.dll: OK
    ./OS2/libc061.dll: OK
    ./OS2/libc062.dll: OK
    ./OS2/libc063.dll: OK
    ./OS2/libc064.dll: OK
    ./OS2/libc065.dll: OK
    ./OS2/readme.txt: OK
    ./OS2/VBoxControl.exe: OK
    ./OS2/VBoxGuest.sys: OK
    ./OS2/vboxmouse.sys: OK
    ./OS2/VBoxReplaceDll.exe: OK
    ./OS2/VBoxService.exe: OK
    ./runasroot.sh: OK
    ./VBoxLinuxAdditions.run: OK
    ./VBoxSolarisAdditions.pkg: OK
    ./VBoxWindowsAdditions.exe: OK
    ./VBoxWindowsAdditions-amd64.exe: OK
    ./VBoxWindowsAdditions-x86.exe: OK
  5. Verify that the detached gpg signature file matches the md5sum log. Run the command in the temporary directory from step 1 where both files were copied (or give both paths). The output must contain:
    gpg: Good signature from "RT Logic (Real-Time Logic, Inc.) <publickeys@rtlogic.com>"

    and the “Signature made ... using RSA key ID” line must refer to the Kratos key imported in step 3. Confirm that with gpg --fingerprint rather than by the 8-character short key ID alone, since short key IDs can be forged. A “BAD signature”, a good signature from any other key, or a “WARNING: This key is not certified with a trusted signature!” line (which means step 3 was skipped or a different key was imported) all mean the log file, and therefore the md5sum results of step 4, must not be trusted. gpg also exits non-zero when the signature is bad or cannot be checked, so a script can test the exit status directly.

    Command:
    $ gpg --verify sn<serial_number>_md5sum.sig sn<serial_number>_md5sum.txt

    Example:
    $ gpg --verify sn116394_md5sum.sig sn116394_md5sum.txt
    gpg: Signature made Fri 30 Jun 2017 11:06:05 AM MDT using RSA key ID 89D8163C
    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
    gpg: next trustdb check due at 2020-06-26
    gpg: Good signature from "RT Logic (Real-Time Logic, Inc.) <publickeys@rtlogic.com>"
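The whole procedure as one script, added here as a worked example; it is not Kratos's or RT Logic's own tooling. It assumes GNU coreutils md5sum and a gpg that supports --status-fd (1.4 or any 2.x), and the EXPECTED_FPR value is a placeholder, not the real fingerprint of the Kratos key: fill it in from a copy of the fingerprint obtained independently of the delivery. It goes slightly beyond the page's steps in three ways a practitioner would want: it reads gpg's machine-readable status lines and compares the full signing-key fingerprint instead of trusting the "Good signature" text, it relies on the md5sum exit status rather than a scroll of "OK" lines, and it reports any files on the media that the signed log does not cover.

```shell
#!/bin/sh
# Added example (not Kratos/RT Logic's own tooling): verify a delivery against
# its signed md5sum log. Assumes GNU coreutils md5sum and gpg with --status-fd.
set -eu

# Full 40-hex-digit fingerprint expected to have signed the md5sum log.
# PLACEHOLDER assumption, not the real Kratos key fingerprint: replace it with
# the value obtained from Kratos through a channel other than the delivery.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Return 0 only if gpg reports a valid signature AND the signing key (or its
# primary key) has fingerprint $1. Parses gpg's status lines rather than the
# human-readable text, and compares the full fingerprint instead of the
# 8-hex-digit short key id, which can be forged.
# Usage: verify_manifest_signature <fingerprint> <sig> <md5sum.txt>
verify_manifest_signature() {
    fpr="$1"; sig="$2"; manifest="$3"
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$manifest" 2>/dev/null) || return 1
    # Status line: [GNUPG:] VALIDSIG <signing-key-fpr> <date> ... [<primary-key-fpr>]
    printf '%s\n' "$status" |
        awk -v f="$fpr" '$2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 } END { exit !ok }'
}

# Run md5sum -c from the top of the staged delivery, as the page instructs.
# --strict makes malformed log lines fatal and --quiet prints only failures;
# the exit status is non-zero if any listed file is missing or altered.
# Usage: check_manifest <md5sum.txt> <staged_dir>
check_manifest() {
    manifest=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    (cd "$2" && md5sum -c --quiet --strict "$manifest")
}

# md5sum -c only checks files named in the log. Print every regular file under
# $2 that the log does not mention (paths relative to $2, leading ./ removed),
# so an unexpected addition on the media cannot pass silently.
# Usage: find_unlisted_files <md5sum.txt> <staged_dir>
find_unlisted_files() {
    tmp=$(mktemp)
    # Log lines look like "<32 hex>  ./path" or "<32 hex> *./path".
    sed 's/^[0-9a-fA-F]\{32\} [ *]//' "$1" | sed 's|^\./||' | sort > "$tmp"
    (cd "$2" && find . -type f | sed 's|^\./||' | sort) | comm -13 "$tmp" -
    rm -f "$tmp"
}

# Order matters: establish that the log is authentic before acting on it.
# Usage: verify_delivery <sig> <md5sum.txt> <staged_dir>
verify_delivery() {
    sig="$1"; manifest="$2"; dir="$3"
    verify_manifest_signature "$EXPECTED_FPR" "$sig" "$manifest" ||
        { echo "REJECT: md5sum log is not signed by the expected Kratos key" >&2; return 1; }
    check_manifest "$manifest" "$dir" ||
        { echo "REJECT: one or more delivered files are missing or modified" >&2; return 1; }
    extra=$(find_unlisted_files "$manifest" "$dir")
    if [ -n "$extra" ]; then
        printf 'REJECT: files on media not covered by the signed log:\n%s\n' "$extra" >&2
        return 1
    fi
    echo "ACCEPT: signature, checksums and file inventory all verified"
}

# Only run the full check when invoked with the three arguments.
if [ "$#" -eq 3 ]; then
    verify_delivery "$@"
fi
```

Invoke it as ./verify_delivery.sh sn116394_md5sum.sig sn116394_md5sum.txt /mnt/temp_iso_extract after the key from step 3 has been imported; any REJECT line, or a non-zero exit status, means the delivery should not be installed. If gpg is missing or the signature file cannot be read, the signature step fails closed rather than falling through to the checksum comparison.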