Digital Signatures (Optional)

More4apps utilises digital signatures to ensure the software provided is verified, secure and safe to use. The servlet jar file and database package files provided by More4apps can optionally be verified against their detached digital signatures using the More4apps public key. This allows you to check the integrity of the files before installing them into your E-Business instance.

You can verify these files on the Windows OS before transferring them to your servers. To perform the verification, a PGP tool such as GnuPG is required.

Verification process:

  • Extract the files

    Extract the m4aps_install.zip file to a local directory and open a Command window in this directory.

  • Import (Receive) the Public Key

    The More4apps Public Key can be imported (received) with this command:

    gpg --recv-keys 5D8B6113F5099742

  • Set the Trust Level for the Public Key

    You must set the trust level for the More4apps Public Key with this command:

    gpg --edit-key More4apps

    Respond to the prompts as follows:

    trust
    5
    y
    quit

  • Verify the Files with the Public Key

    The servlet file and the package body files each come with a detached signature file (.sig) created with our private key. You can verify that the files have not been tampered with by running the following commands:

    gpg --verify m4aServlet.jar.sig m4aServlet.jar
    gpg --verify M4APS_XML.plbb.sig M4APS_XML.plbb
    gpg --verify M4APS_XML_R12.plbb.sig M4APS_XML_R12.plbb

    A valid signature will have this output:

    gpg: Signature made 12/03/2021 12:15:09 pm New Zealand Daylight Time
    gpg: using RSA key 1D8A523E3FCB060800FC17065D8B6113F5099742
    gpg: Good signature from "More4apps (More4apps key for Digital Certificates) <bevan.wheeler@more4apps.com>"

Please contact More4apps support if the signature cannot be verified.
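
Scripted form of the verification step, as an added example (not More4apps code): it runs the same gpg --verify commands with gpg's machine-readable --status-fd output and accepts a file only when the signature is valid and was made by the full 40-character fingerprint shown in the sample output above, rather than relying on the human-readable text. It assumes Python 3 and gpg on the PATH; the function and constant names are hypothetical.

```python
import subprocess
import sys

# Fingerprint taken from the "using RSA key" line of the page's sample output.
EXPECTED_FPR = "1D8A523E3FCB060800FC17065D8B6113F5099742"
# File names taken from the page's gpg --verify commands.
SIGNED_FILES = ["m4aServlet.jar", "M4APS_XML.plbb", "M4APS_XML_R12.plbb"]
# Status keywords that mean the signature must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed status output for a good signature (not captured from a real run).
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG 5D8B6113F5099742 More4apps\n"
    "[GNUPG:] VALIDSIG " + EXPECTED_FPR + " 2021-03-11 1615504509 0 4 0 1 8 00 "
    + EXPECTED_FPR + "\n"
)

def check_status(status_text, expected_fpr=EXPECTED_FPR):
    """Decide from gpg's status lines whether the signature is acceptable."""
    signer_fprs = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return False, keyword
        if keyword == "VALIDSIG" and args:
            signer_fprs.add(args[0].upper())      # key that made the signature
            if len(args) >= 10:
                signer_fprs.add(args[9].upper())  # its primary key
    if expected_fpr.upper() in signer_fprs:
        return True, "VALIDSIG from expected key"
    return False, "no valid signature from expected key"

def verify_file(path, gpg="gpg"):
    """Run gpg --verify on path and its detached path.sig; return (ok, reason)."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", path + ".sig", path],
        capture_output=True, text=True)
    ok, reason = check_status(proc.stdout)
    return (ok and proc.returncode == 0), reason

if __name__ == "__main__":
    results = {name: verify_file(name) for name in SIGNED_FILES}
    for name, (ok, reason) in results.items():
        print(("OK   " if ok else "FAIL ") + name + ": " + reason)
    sys.exit(0 if all(ok for ok, _ in results.values()) else 1)
```

Run it from the directory where m4aps_install.zip was extracted; a non-zero exit code means at least one file failed verification.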