Verifying software downloads

This topic describes how to verify the digital signature of the signed file that you downloaded from the Customer Support website. Verification ensures that the downloaded package has not been altered since it was signed and posted to the site. Before proceeding with verification, download the OpenText Application Security Software product files and their associated signature (*.sig) files. You are not required to verify the package to use the software, but your organization might require it for security reasons.

Preparing your system for digital signature verification

These instructions describe a third-party product and might not match the specific, supported version you are using. See your product documentation for the instructions for your version.

To prepare your system for electronic media verification:

  1. Go to the GnuPG website.
  2. Download and install GnuPG Privacy Guard.

  3. Generate a private key, as follows:

    1. Run the following command (on a Windows system, run the command without the $ prompt):

      $ gpg ‑‑gen‑key

    2. When prompted for key type, select DSA and Elgamal.
    3. When prompted for a key size, select 2048.
    4. When prompted for the length of time the key should be valid, select key does not expire.
    5. Answer the user identification questions and provide a passphrase to protect your private key.

  4. Download the OpenText GPG public keys (compressed tar file) from https://mysupport.microfocus.com/documents/10180/0/MF_public_keys.tar.gz.

  5. Extract the public keys.

  6. Import each downloaded key with GnuPG with the following command:

    gpg --import <path_to_key>/<key_file>