OpenPGP

V100R001C00
Signature Verification
Guide

Issue 04

Date 2020-02-29

HUAWEI TECHNOLOGIES CO., LTD.

Network Security Competent Center.

Copyright © Huawei Technologies Co., Ltd. 2014-2020 All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

is a trademark of Network Security Competent Center.

is a trademark of PGPVerify Tool.

All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com

Email: [email protected]

Issue 04 (2020-02-29) Huawei Proprietary and Confidential i

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide About This Document

About This Document

Purpose
This document describes OpenPGP signature tools, and verification process.

Intended Audience
This document is intended for:
 Installation and commissioning engineers
 Technical support engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol Description
Indicates an imminently hazardous situation which, if not
avoided, will result in death or serious injury.

Indicates a potentially hazardous situation which, if not

avoided, could result in death or serious injury.

Indicates a potentially hazardous situation which, if not

avoided, may result in minor or moderate injury.

Indicates a potentially hazardous situation which, if not

avoided, could result in equipment damage, data loss,
performance deterioration, or unanticipated results.
NOTICE is used to address practices not related to personal
injury.
Calls attention to important information, best practices and
tips.
NOTE is used to address information not related to personal
injury, equipment damage, and environment deterioration.

Issue 04 (2020-02-29) Huawei Proprietary and Confidential ii

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide About This Document

Change History
Changes between document issues are cumulative. The latest document issue contains all the
changes made in earlier issues.

Issue 01 (2014-11-20)
This issue is used for first office application (FOA).

Issue 02 (2017-09-01)
1. Change the description of the signature verification procedure.
2. Upgrade the PGPVerify Tool to V100R001C00SPC310.

Issue 03 (2017-12-12)
1. Add handle suggestion when verify failed.
2. Upgrade the PGPVerify tool to V100R001C00SPC320.

Issue 04(2020-02-20)
Added verification guidance for OpenPGP key length of 4096.

PGPVerify Tool Update History

Changes between PGPVerify tool releases are cumulative. The latest document issue contains
all the change made in earlier issues.

Release V100R001C00SPC200:
1. This is the first version of PGPVerify tool, which offered verification function for PGP
signature.

Release V100R001C00SPC310:
1. Upgrade liberary openssl to version 1.1.0f;
2. Replace icon for applicatoin with UI under Windows OS;
3. Change UI style to fit Windows 7;
4. Show a confirm dialog when closing the application window.

Issue 04 (2020-02-29) Huawei Proprietary and Confidential iii

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide About This Document

Release V100R001C00SPC320:
1. Add version properities for PGPVerify tool under windows;
2. Add timestamp for PGPVerify tool under windows.

Issue 04 (2020-02-29) Huawei Proprietary and Confidential iv

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide Contents

Contents

About This Document .................................................................................................................... ii

1 OpenPGP Overview ..................................................................................................................... 7
2 Description Of The Public Key File .......................................................................................... 8
3 GnuPG (Linux) .............................................................................................................................. 9
3.1 Background ...................................................................................................................................................... 9
3.2 Prerequisites ..................................................................................................................................................... 9
3.2.1 Installing GnuPG .................................................................................................................................... 9
3.2.2 Obtaining the Public Key File ............................................................................................................... 10
3.2.3 Importing the Public Key ...................................................................................................................... 14
3.2.4 Verifying the Public Key ....................................................................................................................... 15
3.3 Verifying the Signature ................................................................................................................................... 16

4 Gpg4Win (Windows).................................................................................................................. 20
4.1 Background .................................................................................................................................................... 20
4.2 Prerequisites ................................................................................................................................................... 20
4.2.1 Installing Gpg4Win ............................................................................................................................... 20
4.2.2 Obtaining the Public Key File ............................................................................................................... 23
4.2.3 Importing the Public Key ...................................................................................................................... 27
4.2.4 Verifying the Public Key ....................................................................................................................... 28
4.3 Verifying the Signature ................................................................................................................................... 29

5 PGPVerify (Windows&Linux) ................................................................................................. 33

5.1 Background .................................................................................................................................................... 33
5.2 Prerequisites ................................................................................................................................................... 33
5.2.1 Obtaining PGPVerify ............................................................................................................................ 33
5.2.2 Obtaining the Public Key File ............................................................................................................... 36
5.3 Verifying the Signature ................................................................................................................................... 37
5.3.1 Verifying Through Operations on the UI .............................................................................................. 37
5.3.2 Verification Through the CLI (Windows) ............................................................................................. 40
5.3.3 Verification Through the CLI (Linux) ................................................................................................... 41

6 FAQs .............................................................................................................................................. 44
6.1 The Application Scope for use Verification Tool? .......................................................................................... 44

Issue 04 (2020-02-29) Huawei Proprietary and Confidential v

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide Contents

6.2 How to Obtain version of Verification Tool? ................................................................................................. 44

6.3 How to Obtain an .asc File? ........................................................................................................................... 46
6.4 How to Obtain the Public Key or Verification Tools? .................................................................................... 47
6.5 How Is Signature Verification Implemented? ................................................................................................ 49
6.6 How to Switch the Language of a Web Page from Chinese to English? ........................................................ 50
6.7 How to Rectify the Failure in Long Path Verification Using the PGPVerify.exe Command? ........................ 50
6.8 How to Obtain and Use the PGPVerify (Solaris/Linux) Tool? ....................................................................... 50

Issue 04 (2020-02-29) Huawei Proprietary and Confidential vi

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide Contents

1 OpenPGP Overview

OpenPGP is an open security protocol standard (RFC4880) that widely applies to data
encryption and signature. It has multiple commercial and non-commercial implementations,
including Pretty Good Privacy (PGP) and GNU Privacy Guard (GnuPG). GnuPG is
transplanted into multiple platforms, such as Linux and Windows and pre-installed in most
Linux versions.
OpenPGP includes an independent digital signature standard that differentiates itself from
other standards by the key storage and distribution method, message digest calculation
process, signature packet format, and verification process.

Verification Tool Introduction

Select tools based on the operating systems to implement OpenPGP signature verification, as
shown in the following table.

Tool Name Operating Tool Description

System

GNU Privacy Linux GnuPG is a free open-source GNC tool that implements
Guard (GnuPG) the OpenPGP standard defined in RFC4880. It is pre-
installed in most Linux versions.
Official website: http://www.gnupg.org
GNU Privacy Windows Gpg4Win is the official Windows version of GnuPG.
Guard for The function and usage of Gpg4Win are the same as
Windows those of GnuPG.
(Gpg4Win) Official website: http://www.gpg4win.org/
PGPVerify.exe Windows PGPVerify is a PGP simplified verification tool
developed by Huawei.
Official website:
http://support.huawei.com/carrier/digitalSignatureAction

Issue 04 (2020-02-29) Huawei Proprietary and Confidential 7

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide Contents

2 Description Of The Public Key File

1.The KEYS.txt file is the public key file when the OpenPGP key length is 2048. The KEYS4096.txt file is the
public key file when the OpenPGP key length is 4096.
2.Compared with KEYS.txt, KEYS4096.txt increases the key length and the length of the signature result,
improving security.

Notice:
Because websites such as Huawei Support cannot upload files without suffixes, the "KEYS" file is renamed
to "KEYS.txt" and the "KEYS4096" file is renamed to "KEYS4096.txt" when publishing.

Issue 04 (2020-02-29) Huawei Proprietary and Confidential 8

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 3 GnuPG (Linux)

3 GnuPG (Linux)

To prevent threats to carrier networks caused by software tampering or damage in transit,

verify the integrity of software packages after receiving them. Only verified software
packages can be deployed.

3.1 Background
GnuPG is a free open-source GNC tool that verifies OpenPGP signatures in the SUSE Linux
operating system.
Software packages and signature files are released together and stored in the same directory. A
software package corresponds to a signature file.
The signature files use the same file names as those used by software packages, with file
name extension asc. For example, if the software package name is V100R001C04.zip, the
corresponding verification file name is V100R001C04.zip.asc.

3.2 Prerequisites
3.2.1 Installing GnuPG
GnuPG is pre-installed in most Linux versions. Run the gpg –version command in the shell.
If the following command output is displayed, GnuPG is installed.
signsrv:~ # gpg --version
gpg (GnuPG) 2.0.9
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 9

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 3 GnuPG (Linux)

Used libraries: gcrypt(1.4.5)

signsrv:~ #

If GnuPG is not installed in the current system, follow the guidance on the official website
(http://www.gnupg.org/) to install it.

3.2.2 Obtaining the Public Key File

Downloading the File from the Support Website
 Download the public key file from the following URL at
http://support.huawei.com/carrier:
http://support.huawei.com/carrier/digitalSignatureAction
The target web page may be displayed in Chinese. Click English on the top of the web page
to switch the language to English. so that the the English document can be downloaded.

Figure 3-1 Web page for downloading the public key file from http://support.huawei.com/carrier

 Download the public key file from the following URL at

http://support.huawei.com/enterprise:
http://support.huawei.com/enterprise/en/tool/software-digital-signature-validation-
tool-%EF%BC%88pgp-verify%EF%BC%89-TL1000000054
The target web page may be displayed in Chinese. Click Worldwide on the top of the web
page to switch the language to English, so that the the English document can be downloaded.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 10

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 3 GnuPG (Linux)

Figure 3-2 Web page for downloading the public key file from
http://support.huawei.com/enterprise

 Download the public key file from the terminal knowledge base at the following URL:
http://app.huawei.com/tkb/#!tservice/common/base/digit.html?resourceId=146680
To download the public key file from the terminal knowledge base, perform the following
steps:
Step 1 Access http://app.huawei.com/tkb/#!tservice/common/base/digit.html?resourceId=146680.
Figure 3-3 shows the displayed web page.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 11

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 3 GnuPG (Linux)

Figure 3-3 Web page for downloading the public key file from the terminal knowledge base

Step 2 Click Download to download the OpenPGP Signature Verification Guide.rar package.
If you have relevant permissions but an error is displayed, select the correct language.
Step 3 Decompress the downloaded OpenPGP Signature Verification Guide.rar package.
The KEYS.txt or KEYS4096.txt file is the public key file.
----End

Obtaining from the Public Key Server

Step 1 Access the public key server at the following URL:
https://zimmermann.mayfirst.org
The result is displayed, as shown in Figure 3-4.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 12

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 3 GnuPG (Linux)

Figure 3-4 Public key server address page

Enter " OpenPGP signature key for Huawei software "in the String text box, and click" Search
for a key" to search for the public key.

Figure 3-5 Public key search result

Step 2 Click public key ID 27A74842 to check the details, as shown in Figure 3-6. If the public key
length is 4096, the corresponding ID is 6ADE4A56.

Figure 3-6 Public key details

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 13

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 3 GnuPG (Linux)

Step 3 Copy the public key information to a TXT file and name it as KEYS.txt. If the public key
length is 4096, save it as a KEYS4096.txt file.
----End

3.2.3 Importing the Public Key

Step 1 Log in to the server that contains the software package to be verified as a common user.
Step 2 Import the public key file. Set /home/openpgp/keys to the actual path of the public key file
KEYS.txt.
Access the directory of public key file KEYS.txt and run the following command:
# gpg --import "/home/openpgp/keys/KEYS.txt"
When sign data lenth is 4096, please select KEYS4096.txt for the public key file.

The following output is displayed for key length of 2048:

gpg: key 27A74824: public key "OpenPGP signature key for Huawei software (created
on 30th Dec,2013) <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

The following output is displayed for key length of 4096:

gpg: key 6ADE4A56: public key "OpenPGP signature key for Huawei software (created
on 15th Jun,2019) <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

In this command, two hyphens precede import.

Step 3 Run the following command to check the public key import result.
# gpg --fingerprint

If the following output is displayed, the public key is successfully imported.

The following output is displayed for key length of 2048:

pub 2048R/27A74824 2013-12-30

Key fingerprint = B100 0AC3 8C41 525A 19BD C087 99AD 81DF 27A7 4824
uid OpenPGP signature key for Huawei software (created on 30th
Dec,2013) [email protected]

The following output is displayed for key length of 4096:

pub 4096R/6ADE4A56 2019-06-15

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 14

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 3 GnuPG (Linux)

Key fingerprint = E128 5E9D 7E7F 0DB0 A659 48AF FAAA 7A2E 6ADE 4A56
uid OpenPGP signature key for Huawei software (created on 15th Jun,2019)
<[email protected]>

In this command, two hyphens precede fingerprint.

----End

3.2.4 Verifying the Public Key

Step 1 In normal cases, to verify the OpenPGP public key, you need to check the ID, fingerprint, and
user ID of the public key with the entity that releases the public key. Information about the
OpenPGP public keys released by Huawei is shown as follows:
The following output is displayed for key length of 2048:
 Public key ID: 27A74824
 Key fingerprint: B100 0AC3 8C41 525A 19BD C087 99AD 81DF 27A7 4824
 User ID (uid): OpenPGP signature key for Huawei software (created on 30th Dec,2013)
[email protected]
The following output is displayed for key length of 4096:
 Public key ID: 6ADE4A56
 Key fingerprint: E128 5E9D 7E7F 0DB0 A659 48AF FAAA 7A2E 6ADE 4A56
 User ID (uid): OpenPGP signature key for Huawei software (created on 15th Jun,2019)
<[email protected]>

After verifying the preceding information, set the trust level for the key.
Step 2 Run the following command to set the trust level.
# gpg --edit-key " OpenPGP signature key for Huawei software (created on
30th Dec,2013) " trust
set the trust level as follows, If the public key length is 4096
#gpg --edit-key " OpenPGP signature key for Huawei software (created on
15th Jun,2019) " trust

The output resembles the following information. You need to enter 5 behind Your decision?
to indicate I trust ultimately and y behind you really want to set this key to ultimate trust?
(y/N).
gpg (GnuPG) 2.0.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: checking the trustdb

gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 15

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 3 GnuPG (Linux)

gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/27A74824 created: 2013-12-30 expires: never usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). OpenPGP signature key for Huawei software (created on 30th
Dec,2013) <[email protected]>

pub 2048R/27A74824 created: 2013-12-30 expires: never usage: SC

trust: ultimate validity: ultimate
[ultimate] (1). OpenPGP signature key for Huawei software (created on 30th
Dec,2013) <[email protected]>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

1 = I don't know or won't say

2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub 2048R/27A74824 created: 2013-12-30 expires: never usage: CS

trust: ultimate validity: unknown
[ unknown] (1). OpenPGP signature key for Huawei software (created on 30th
Dec,2013) <[email protected]>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

In this command, two hyphens precede edit.

Step 3 Run the following command to quit.

quit

----End

3.3 Verifying the Signature

The signature file must be in the same path as that of the software package. Set
/home/openpgp/soft to the actual path of the signature file. Run the following command to
verify the signature.
# gpg --verify "/home/openpgp/soft/V100R001C041.zip.asc"

The following output is displayed for key length of 2048:

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 16

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 3 GnuPG (Linux)

gpg: Signature made Thu Jan 9 15:29:06 2014 CST using RSA key ID 27A74824
gpg: Good signature from "OpenPGP signature key for Huawei software (created on
30th Dec,2013) <[email protected]>"

RSA key ID in bold is 27A74824, and there is no WARNING, which means this signature is
published by Huawei.
The following output is displayed for key length of 4096:
pg: Signature made Mon Dec 30 12:16:07 2019 CST using RSA key ID 6ADE4A56

gpg: Good signature from "OpenPGP signature key for Huawei software (created on 15th
Jun,2019) <[email protected]>"
RSA key ID in bold is 6ADE4A56, and there is no WARNING, which means this signature is
published by Huawei.

 If a version has multiple signature files to be verified, the version is considered secure only
when all the files pass the verification. If the verification result of a file is WARN or FAIL,
the version does not pass the verification and has security risks. In this case, try to solve
problem following the suggest action in table 3-1.
 In this command, two hyphens precede verify.

Table 3-1 Example for signature verification result judgment

Verification Output Example Verificati Suggest

Result on Result action
Scenario
Signature gpg: Signature made Thu Jan 9 15:29:06 PASS NA
verification 2014 CST using RSA key ID 27A74824
succeeds, with gpg: Good signature from "OpenPGP
no anomaly. signature key for Huawei software (created
on 30th Dec,2013)
<[email protected]>"
Signature gpg: Signature made Thu Jan 9 15:29:06 FAIL Download
verification 2014 CST using RSA key ID 27A74824 the
fails. gpg: BAD signature from "OpenPGP software
signature key for Huawei software (created package
on 30th Dec,2013) again, or
<[email protected]>" turn to
product
support
The public gpg: Signature made Thu Jan 9 15:20:01 FAIL Download
key is not 2014 CST using RSA key ID 27A74824 public key,
found. gpg: Can't check signature: public key not see:
found Obtaining
the Public
Key File

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 17

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 3 GnuPG (Linux)

Verification Output Example Verificati Suggest

Result on Result action
Scenario
Signature gpg: Signature made Thu Jan 9 15:29:06 WARNIN First check
verification 2014 CST using RSA key ID 27A74824 G if key ID is
succeeds, but gpg: Good signature from "OpenPGP 27A74824,
the public key signature key for Huawei software (created and set the
is not set to be on 30th Dec,2013) public key
completely <[email protected]>" to be fully
trusted. trusted,
gpg: WARNING: This key is not certified see:
with a trusted signature! Verifying
gpg: There is no indication that the Public
the signature belongs to the owner. Key
Primary key fingerprint: B100 0AC3 8C41
525A 19BD C087 99AD 81DF 27A7
4824
The gpg: no signed data FAIL Download
corresponding gpg: can't hash datafile: No data the
source file software
cannot be package
found. again, or
turn to
product
support
The signature gpg: Signature made 04/24/13 10:50:29 FAIL Download
has expired. CST using RSA key ID 133B64E5 the
gpg: Expired signature from " OpenPGP software
signature test key <[email protected]>" package
with
gpg: Signature expired 04/25/13 10:50:29 updated
CST signature,
or turn to
product
support
Signature gpg: Signature made 06/13/13 11:14:49 WARNIN Download
verification CST using RSA key ID 133B64E5 G the newest
succeeds, but gpg: Good signature from " OpenPGP public key
the public key signature test key <[email protected]>" and
is revoked. software
gpg: WARNING: This key has been package
revoked by its owner! with
gpg: This could mean that the signature is updated
forged. signature,
gpg: reason for revocation: Key is no or turn to
longer used product
support
gpg: revocation comment:

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 18

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 3 GnuPG (Linux)

Verification Output Example Verificati Suggest

Result on Result action
Scenario
The signature N/A WARNIN Download
file G signature
corresponding file of
to the source software
file cannot be package, or
found. turn to
product
support

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 19

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 4 Gpg4Win (Windows)

4 Gpg4Win (Windows)

To prevent threats to carrier networks caused by software tampering or damage in transit,

verify the integrity of software packages after receiving them. Only verified software
packages can be deployed.

4.1 Background
Gpg4Win is a free open-source GNU tool that verifies OpenPGP signatures in Windows. The
function and usage of Gpg4Win are the same as those of GnuPG. For details, visit its official
website http://www.gpg4win.org/.
A software package and its corresponding signature file are stored in the same directory.
The signature files use the same file names as those used by software packages, with the file
name extension being asc. For example, if the software package name is V100R001C04.zip,
the corresponding verification file name is V100R001C04.zip.asc.

4.2 Prerequisites
4.2.1 Installing Gpg4Win
First download the install package as follows:
Step 1 Visit https://www.gpg4win.org/download.html.
Step 2 Click the download link in the red box shown in the preceding figure. (Maybe the latest
version is not 3.1.11 as in this document, but the download link does not change. In the
following steps, you can ignore the version of the installation package.)

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 20

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 4 Gpg4Win (Windows)

Figure 4-1 Gpg4win download step 1

Step 3 Select Bank transfer.

Figure 4-2 Gpg4win download step 2

Step 4 Click the download link in the red box to download the installation package.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 21

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 4 Gpg4Win (Windows)

Figure 4-3 Gpg4win download step 3

Then install the package as follows:

Step 5 Double-click gpg4win-3.11.1.exe and follow the installation wizard to install it . You can
keep the default settings.
Figure 4-4 Gpg4win install step

Step 6 Check whether it is successfully installed.

After installation, select the default installation path C:\Program Files (x86)\GNU\GnuPG>
(default installation path on the x86_64 Windows platform. The default installation path on
the x86 Windows platform is C:\Program Files\GNU\GnuPG>) and run the gpg.exe –
version command in the CLI. If the following output is displayed (the package version may
differ from the following one), Gpg4Win is successfully installed.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 22

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 4 Gpg4Win (Windows)

Figure 4-5 Gpg4win introduction

In this command, two hyphens precede verify.

----End

4.2.2 Obtaining the Public Key File

Downloading the File from the Support Website
 Download the public key file from the following URL at
http://support.huawei.com/carrier:
http://support.huawei.com/carrier/digitalSignatureAction
The target web page may be displayed in Chinese. Click English on the top of the web
page to switch the language to English. Figure 4-6 shows the web page in English.
Download and decompress the OpenPGP Signature Verification Guide package to
obtain the KEYS.txt or KEYS4096.txt file (which is the public key file).

Figure 4-6 Web page for downloading the public key file from http://support.huawei.com/carrier

 Download the public key file from the following URL at

http://support.huawei.com/enterprise:

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 23

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 4 Gpg4Win (Windows)

 http://support.huawei.com/enterprise/en/tool/software-digital-signature-validation-
tool-%EF%BC%88pgp-verify%EF%BC%89-TL1000000054
The target web page may be displayed in Chinese. Click Worldwide on the top of the
web page to switch the language to English. Figure 4-7 shows the web page in English.
Click the version number in the Version list. Then click corresponding to the public
key file KEYS.txt or KEYS4096.txt to download the file.

Figure 4-7 Web page for downloading the public key file from
http://support.huawei.com/enterprise

 Download the public key file from the terminal knowledge base at the following URL:
http://app.huawei.com/tkb/#!tservice/common/base/digit.html?resourceId=146680
To download the public key file from the terminal knowledge base, perform the following
steps:
Step 1 Access http://app.huawei.com/tkb/#!tservice/common/base/digit.html?resourceId=146680.
Figure 4-8 shows the displayed web page.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 24

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 4 Gpg4Win (Windows)

Figure 4-8 Web page for downloading the public key file from the terminal knowledge base

Step 2 Click Download to download the OpenPGP Signature Verification Guide.rar package.
If you have relevant permissions but an error is displayed, select the correct language.
Step 3 Decompress the downloaded OpenPGP Signature Verification Guide.rar package.
The KEYS.txt or KEYS4096.txt file is the public key file.
----End

Obtaining from the Public Key Server

Step 1 Access the public key server at the following URL:
https://zimmermann.mayfirst.org
The result is displayed, as shown in Figure 4-9.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 25

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 4 Gpg4Win (Windows)

Figure 4-9 Public key server address page

Enter " OpenPGP signature key for Huawei software "in the String text box, and click" Search
for a key" to search for the public key.

Figure 4-10 Public key search result

Step 2 Click public key ID 27A74842 to check the details, as shown in Figure 4-11. If the public key
length is 4096, the corresponding ID is 6ADE4A56.

Figure 4-11 Public key details

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 26

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 4 Gpg4Win (Windows)

Step 3 Copy the public key information to a TXT file and name it as KEYS.txt. If the public key
length is 4096, save it as a KEYS4096.txt file.
----End

4.2.3 Importing the Public Key

Step 1 Log in to the server that contains the software package to be verified as administrator and
enter the CLI.
Step 2 Run the following command to import the public key file. Set C:\Users\ to the actual path of
public key file KEYS.txt.
Step 3 Access the directory of the public key file KEYS.txt and run the following command.
gpg --import "C:\Users\KEYS.txt"
When sign data lenth is 4096, please select KEYS4096.txt for the public key file.

The following output is displayed for key length of 2048:

gpg: key 27A74824: public key "OpenPGP signature key for Huawei software (created
on 30th Dec,2013) <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

The following output is displayed for key length of 4096:

gpg: key 6ADE4A56: public key "OpenPGP signature key for Huawei software (created
on 15th Jun,2019) <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

In this command, two hyphens precede import.

Step 4 Run the following command to check the public key import result.
gpg --fingerprint

If the following output is displayed, the public key is successfully imported.

The following output is displayed for key length of 2048:

pub 2048R/27A74824 2013-12-30

Key fingerprint = B100 0AC3 8C41 525A 19BD C087 99AD 81DF 27A7 4824
uid OpenPGP signature key for Huawei software (created on 30th
Dec,2013) [email protected]

The following output is displayed for key length of 4096:

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 27

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 4 Gpg4Win (Windows)

pub 4096R/6ADE4A56 2019-06-15

Key fingerprint = E128 5E9D 7E7F 0DB0 A659 48AF FAAA 7A2E 6ADE 4A56
uid OpenPGP signature key for Huawei software (created on 15th Jun,2019)
<[email protected]>

In this command, two hyphens precede fingerprint.

----End

4.2.4 Verifying the Public Key

Step 1 In normal cases, to verify the OpenPGP public key, you need to check the ID, fingerprint, and
user ID of the public key with the entity that releases the public key. Information about the
OpenPGP public keys released by Huawei is shown as follows:
The following output is displayed for key length of 2048:
 Public key ID: 27A74824
 Key fingerprint: B100 0AC3 8C41 525A 19BD C087 99AD 81DF 27A7 4824
 User ID (uid): OpenPGP signature key for Huawei software (created on 30th Dec,2013)
[email protected]
The following output is displayed for key length of 4096:
 Public key ID: 6ADE4A56
 Key fingerprint: E128 5E9D 7E7F 0DB0 A659 48AF FAAA 7A2E 6ADE 4A56
 User ID (uid): OpenPGP signature key for Huawei software (created on 15th Jun,2019)
<[email protected]>

After verifying the preceding information, set the trust level for the key.
Step 2 Run the following command to set the trust level.
#gpg --edit-key " OpenPGP signature key for Huawei software (created on
30th Dec,2013) " trust
set the trust level as follows, If the public key length is 4096
#gpg --edit-key " OpenPGP signature key for Huawei software (created on
15th Jun,2019) " trust

The output resembles the following information. You need to enter 5 behind Your decision?
to indicate I trust ultimately and y behind you really want to set this key to ultimate trust?
(y/N).
gpg (GnuPG) 2.0.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 28

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 4 Gpg4Win (Windows)

gpg: checking the trustdb

gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/27A74824 created: 2013-12-30 expires: never usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). OpenPGP signature key for Huawei software (created on 30th
Dec,2013) <[email protected]>

pub 2048R/27A74824 created: 2013-12-30 expires: never usage: SC

trust: ultimate validity: ultimate
[ultimate] (1). OpenPGP signature key for Huawei software (created on 30th
Dec,2013) <[email protected]>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

1 = I don't know or won't say

2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub 2048R/27A74824 created: 2013-12-30 expires: never usage: CS

trust: ultimate validity: unknown
[ unknown] (1). OpenPGP signature key for Huawei software (created on 30th
Dec,2013) <[email protected]>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

In this command, two hyphens precede edit.

Step 3 Run the following command to quit.

quit

----End

4.3 Verifying the Signature

The signature file must be in the same path as that of the software package. In this example,
the signature file path is C:\\Users\. Run the following command to verify the signature.
gpg --verify "C:\Users\V100R001C041.zip.asc"

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 29

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 4 Gpg4Win (Windows)

The following output is displayed for key length of 2048:

gpg: Signature made Thu Jan 9 15:29:06 2014 CST using RSA key ID 27A74824
gpg: Good signature from "OpenPGP signature key for Huawei software (created on
30th Dec,2013) <[email protected]>"

RSA key ID in bold is the same as the public key ID. If no WARNING, public key expiry,
signature expiry, or public key revocation information is display, the signature is valid.
The following output is displayed for key length of 4096:
pgp: Signature made Mon Dec 30 12:16:07 2019 CST using RSA key ID 6ADE4A56

gpg: Good signature from "OpenPGP signature key for Huawei software (created on 15th
Jun,2019) <[email protected]>"
RSA key ID in bold is 6ADE4A56, and there is no WARNING, which means this signature is
published by Huawei.

 If a version has multiple signature files to be verified, the version is considered secure only
when all the files pass the verification. If the verification result of a file is WARN or FAIL,
the version does not pass the verification and has security risks. In this case, try to solve
problem following the suggest action in table 4-1.
 In this command, two hyphens precede verify.

Table 4-1 Example for signature verification result judgment

Verification Output Example Verificati Suggest

Result on Result action
Scenario
Signature gpg: Signature made Thu Jan 9 15:29:06 PASS NA
verification 2014 CST using RSA key ID 27A74824
succeeds, with gpg: Good signature from "OpenPGP
no anomaly. signature key for Huawei software (created
on 30th Dec,2013)
<[email protected]>"
Signature gpg: Signature made Thu Jan 9 15:29:06 FAIL Download
verification 2014 CST using RSA key ID 27A74824 the
fails. gpg: BAD signature from "OpenPGP software
signature key for Huawei software (created package
on 30th Dec,2013) again, or
<[email protected]>" turn to
product
support
The public gpg: Signature made Thu Jan 9 15:20:01 FAIL Download
key is not 2014 CST using RSA key ID 27A74824 public key,
found. gpg: Can't check signature: public key not see:
found Obtaining
the Public
Key File

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 30

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 4 Gpg4Win (Windows)

Verification Output Example Verificati Suggest

Result on Result action
Scenario
Signature gpg: Signature made Thu Jan 9 15:29:06 WARNIN First check
verification 2014 CST using RSA key ID 27A74824 G if key ID is
succeeds, but gpg: Good signature from "OpenPGP 27A74824,
the public key signature key for Huawei software (created and set the
is not set to be on 30th Dec,2013) public key
completely <[email protected]>" to be fully
trusted. trusted,
gpg: WARNING: This key is not certified see:
with a trusted signature! Verifying
gpg: There is no indication that the Public
the signature belongs to the owner. Key
Primary key fingerprint: B100 0AC3 8C41
525A 19BD C087 99AD 81DF 27A7
4824
The gpg: no signed data FAIL Download
corresponding gpg: can't hash datafile: No data the
source file software
cannot be package
found. again, or
turn to
product
support
The signature gpg: Signature made 04/24/13 10:50:29 FAIL Download
has expired. CST using RSA key ID 133B64E5 the
gpg: Expired signature from " OpenPGP software
signature test key <[email protected]>" package
with
gpg: Signature expired 04/25/13 10:50:29 updated
CST signature,
or turn to
product
support
Signature gpg: Signature made 06/13/13 11:14:49 WARNIN Download
verification CST using RSA key ID 133B64E5 G the newest
succeeds, but gpg: Good signature from " OpenPGP public key
the public key signature test key <[email protected]>" and
is revoked. software
gpg: WARNING: This key has been package
revoked by its owner! with
gpg: This could mean that the updated
signature is forged. signature,
gpg: reason for revocation: Key is no or turn to
longer used product
support
gpg: revocation comment:

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 31

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 4 Gpg4Win (Windows)

Verification Output Example Verificati Suggest

Result on Result action
Scenario
The signature N/A WARNIN Download
file G signature
corresponding file of
to the source software
file cannot be package, or
found. turn to
product
support

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 32

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 5 PGPVerify (Windows&Linux)

5 PGPVerify (Windows&Linux)

To prevent threats to carrier networks caused by software tampering or damage in transit,

verify the integrity of software packages after receiving them. Only verified software
packages can be deployed.

5.1 Background
PGPVerify is a PGP simplified verification tool developed by Huawei. It runs on Windows 7,
Windows Server 2008, Windows 8, and Windows 10 platforms.
Software packages and signature files are stored in the same directory. A software package
corresponds to a verification file.
The signature files use the same file names as those used by software packages, with the file
name extension being .asc. For example, if the software package name is V100R001C04.zip,
the corresponding verification file name is V100R001C04.zip.asc.

5.2 Prerequisites
5.2.1 Obtaining PGPVerify
PGPVerify requires no installation. You can download it from the following websites.

http://support.huawei.com
Download PGPVerify from the following uniform resource locator (URL):
http://support.huawei.com/carrier/digitalSignatureAction
The target web page may be displayed in Chinese. Click English on the top of the web page
to switch the language to English.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 33

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 5 PGPVerify (Windows&Linux)

Figure 5-1 Web page for downloading PGPVerify from http://support.huawei.com

To download PGPVerify, perform the following steps:

Step 1 Click Download to download the OpenPGP Signature Verification Guide ZIP package.
Then decompress it.
Step 2 Further decompress the VerificationTools.zip package.
Step 3 Open the decompressed folder VerificationTools and obtain the PGPVerify verification tool.
----End

http://support.huawei.com/enterprise
Download PGPVerify from the following uniform resource locator (URL):
http://support.huawei.com/enterprise/en/tool/software-digital-signature-validation-
tool-%EF%BC%88pgp-verify%EF%BC%89-TL1000000054
The target web page may be displayed in Chinese. First click the earth mark on the top of the
page, and then choose English to change the page’s language, finally you can download the
English document.

Figure 5-2 Web page for downloading PGPVerify from http://support.huawei.com/enterprise

To download PGPVerify, perform the following steps:

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 34

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 5 PGPVerify (Windows&Linux)

Step 1 Click the version number in the Version list.

Step 2 In the displayed page, click corresponding to VerificationTools.zip to download this

package.
Step 3 Decompress the VerificationTools.zip package and obtain the PGPVerify verification tool.
----End

Terminal Knowledge Base

Download PGPVerify from the terminal knowledge base at the following URL:
http://app.huawei.com/tkb/#!tservice/common/base/digit.html?resourceId=146680
To download PGPVerify, perform the following steps:
Step 1 Access http://app.huawei.com/tkb/#!tservice/common/base/digit.html?resourceId=146680.
Figure 5-3shows the displayed web page.

Figure 5-3 Web page for downloading PGPVerify from the terminal knowledge base

Step 2 Click Download to download the OpenPGP Signature Verification Guide.rar package.
If you have relevant permissions but an error is displayed, select the correct language.
Step 3 Decompress the downloaded OpenPGP Signature Verification Guide.rar package and
obtain the PGPVerify verification tool.
----End

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 35

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 5 PGPVerify (Windows&Linux)

5.2.2 Obtaining the Public Key File

Downloading the File from the Support Website
 URL at http://support.huawei.com/carrier
http://support.huawei.com/carrier/digitalSignatureAction
 URL at http://support.huawei.com/enterprise/
http://support.huawei.com/enterprise/en/tool/software-digital-signature-validation-
tool-%EF%BC%88pgp-verify%EF%BC%89-TL1000000054
 URL for downloading the terminal knowledge base
http://app.huawei.com/tkb/#!tservice/common/base/digit.html?resourceId=146680

The public key file is compressed in the same package as the verification tool. Therefore, the URL for
downloading the public key file is the same as that for downloading the verification tool. The public key
file is named KEYS.txt or KEYS4096.txt.

Obtaining from the Public Key Server

Step 1 Access the public key server.
https://zimmermann.mayfirst.org
The result is displayed, as shown in Figure 5-4.

Figure 5-4 Public key server address page

Enter " OpenPGP signature key for Huawei software "in the String text box, and click" Search
for a key" to search for the public key.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 36

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 5 PGPVerify (Windows&Linux)

Figure 5-5 Public key search result

Step 2 Click public key ID 27A74842 to check the details, as shown in Figure 5-6. If the public key
length is 4096, the corresponding ID is 6ADE4A56.

Figure 5-6 Public key details

Step 3 Copy the public key information to a TXT file and name it as KEYS.txt. If the public key
length is 4096, save it as a KEYS4096.txt file.
----End

5.3 Verifying the Signature

The signature file must be in the same path as the software package. For example, if the
signature file is in C:\PGP, but the software package is in C:\, you must move the signature
file to C:\.

5.3.1 Verifying Through Operations on the UI

Step 1 Double-click PGPVerify.exe to start it, as shown in 错误!未找到引用源。.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 37

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 5 PGPVerify (Windows&Linux)

Figure 5-7 PGPVerify

Step 2 Load the public key file.

Click Select Public Key to select the KEYS.txt file downloaded in section 5.2.2.

Figure 5-8 Loading the public key

when sign data lenth is 4096, please select KEYS4096.txt for the public key file.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 38

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 5 PGPVerify (Windows&Linux)

If you have used this verification tool on the same computer before, the last key you selected
will be automatically reloaded when you use this tool once again.
Step 3 Verify files.
 Verifying a single file
Click Single Verify and select the .asc signature verification file.
 Verifying all files in the directory
Click Multiple Verify and select the C:\PGP\ directory. Figure 5-9 shows the
verification result.

Figure 5-9 PGPVerify verification result

Step 4 Check the result.

If an item is highlighted in yellow and the Results column is WARN, it indicates that the
signature cannot be verified.
If an item is highlighted in red and the Results column is FAIL, it indicates that the
verification failed.
If an item is highlighted in green and the Results column is PASS, it indicates that the
verification using the specified public key succeeded.
If an item is highlighted in green and the public key fingerprint in the Results column is
B1000AC3 8C41525A 19BDC087 99AD81DF 27A74824, it indicates that this signature is a
valid one issued by Huawei OpenPGP key length for 2048.
If an item is highlighted in green and the public key fingerprint in the Results column is
E128 5E9D 7E7F 0DB0 A659 48AF FAAA 7A2E 6ADE 4A56, it indicates that this
signature is a valid one issued by Huawei OpenPGP key length for 4096.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 39

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 5 PGPVerify (Windows&Linux)

If a version has multiple signature files to be verified, the version is considered secure only
when all files are highlighted in green ([PASS]) and all public key fingerprints are B1000AC3
8C41525A 19BDC087 99AD81DF 27A74824（when OpenPGP key length is 4096，
fingerprints are E1285E9D7E7F0DB0A65948AFFAAA7A2E6ADE4A56）, which means
the signature is issued by Huawei. Otherwise, please obtain a new software package.

----End

5.3.2 Verification Through the CLI (Windows)

The signature file must be in the same path as the software package. For example, if the
signature file is in C:\PGP, but the software package is in C:\, you must move the signature
file to C:\.
Step 1 Verify files.
 Verifying a single file
Enter the CLI and run the following command to verify the signature:
"C:\PGPVerify.exe" -k "C:\KEYS.txt" -f "C:\PGP\Tecal CH224.zip.asc"

C:\KEYS.txt is the public key, and C:\PGP\Tecal CH224.zip.asc is the signature file. If sign
data lenth is 4096, please select KEYS4096.txt for the public key file.
The following output is displayed for key length of 2048:
[PASS]:Good Signature. File path: C:\PGP\Tecal CH224.zip.asc, Public key
fingerprint: B1000AC3 8C41525A 19BDC087 99AD81DF 27A74824
[INFO]: Verify Complete.

The following output is displayed for key length of 4096:

[PASS]:Good Signature. File path: C:\PGP\Tecal CH224.zip.asc, Public key
fingerprint: E1285E9D 7E7F0DB0 A65948AF FAAA7A2E 6ADE4A56
[INFO]: Verify Complete.
 Verifying all files in a directory
Enter the CLI and run the following command to verify the signatures:
"C:\PGPVerify.exe" -k "C:\KEYS.txt" -d "C:\PGP"

C:\KEYS.txt is the public key, and C:\PGP is the directory in which signature files will be
verified. If sign data lenth is 4096, please select KEYS4096.txt for the public key file.
The following output is displayed:
[INFO]:Filter file in directory, please wait...
[WARN]:Can't find signature file, signed file position: C:\PGP\Tecal CH221.zip.
[WARN]:Can't find signed file, signature file position: C:\PGP\Tecal
CH222.zip.asc.
[FAIL]:Invalid Signature. File path: C:\PGP\Tecal CH223.zip.
[PASS]:Good Signature. File path: C:\PGP\Tecal CH224.zip, Public key fingerprint:
B1000AC3 8C41525A 19BDC087 99AD81DF 27A74824

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 40

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 5 PGPVerify (Windows&Linux)

[INFO]: Verify Complete.

Step 2 Check the result.

If an item’s verification result is WARN, it indicates that the signature cannot be verified.
If an item’s verification result is FAIL, it indicates that the verification failed.
If an item’s verification result is PASS, it indicates that the verification using the specified
public key succeeded.
If an item’s verification result is PASS and the public key fingerprint is B1000AC3
8C41525A 19BDC087 99AD81DF 27A74824, it indicates that this signature is a valid one
issued by Huawei OpenPGP key length for 2048.
If an item’s verification result is PASS and the public key fingerprint is E128 5E9D 7E7F
0DB0 A659 48AF FAAA 7A2E 6ADE 4A56, it indicates that this signature is a valid one
issued by Huawei OpenPGP key length for 4096.

If a version has multiple signature files to be verified, the version is considered secure only
when all items’ verification results are all PASS and all public key fingerprints are B1000AC3
8C41525A 19BDC087 99AD81DF 27A74824（when OpenPGP key length is 4096，
fingerprints are E1285E9D7E7F0DB0A65948AFFAAA7A2E6ADE4A56）, which means
the signature is issued by Huawei. Otherwise, please obtain a new software package.

5.3.3 Verification Through the CLI (Linux)

Signature files must be stored in the same directory (/usr1 in this example) as the software
package. The verification tools and public key file can be stored in another directory or in the
same directory as the signature files. In this example, the verification tools and public key file
are also stored in usr1.
Step 1 Verify files.
 Verifying a single file

./PGPVerify -k KEYS.txt -f scw.cab.asc

KEYS.txt is the public key, and scw.cab.asc is the signature file. If sign data lenth is 4096,
please select KEYS4096.txt for the public key file.
The following output is displayed for key length of 2048:
[PASS]:Good Signature. File path: scw.cab.asc, Public key fingerprint: 97399A82
CD5D7160 13D181FC 0D7AC54D F0B00048.
[INFO]: Verify Complete.

The following output is displayed for key length of 4096:

[PASS]:Good Signature. File path: scw.cab.asc, Public key fingerprint: E1285E9D
7E7F0DB0 A65948AF FAAA7A2E 6ADE4A56
[INFO]: Verify Complete.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 41

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 5 PGPVerify (Windows&Linux)

 Verifying all files in a directory

In this example, all signature files and the software package are stored in the openpgp
directory. To verify all files in this directory, run the following command:

./PGPVerify -k KEYS.txt -d openpgp

The following output is displayed:

[INFO]:Filter file in directory, please wait...
[PASS]:Good Signature. File path: openpgp/plugins-cloudtask-C01.zip.asc, Public
key fingerprint: FA60975B 1160DF6D 0059662D 2689E7E3 393905AC.
[PASS]:Good Signature. File path: openpgp/twain.dll.asc, Public key fingerprint:
FA60975B 1160DF6D 0059662D 2689E7E3 393905AC.
[PASS]:Good Signature. File path: openpgp/buildcloud-proxy.zip.asc, Public key
fingerprint: FA60975B 1160DF6D 0059662D 2689E7E3 393905AC.
[PASS]:Good Signature. File path: openpgp/buildcloud_pvmtrans.zip.asc, Public key
fingerprint: FA60975B 1160DF6D 0059662D 2689E7E3 393905AC.
[PASS]:Good Signature. File path: openpgp/plugins-cicloud-C01.zip.asc, Public key
fingerprint: FA60975B 1160DF6D 0059662D 2689E7E3 393905AC.
[PASS]:Good Signature. File path: openpgp/ConfigCenter.war.asc, Public key
fingerprint: FA60975B 1160DF6D 0059662D 2689E7E3 393905AC.
[PASS]:Good Signature. File path: openpgp/watcher-wrapper.zip.asc, Public key
fingerprint: FA60975B 1160DF6D 0059662D 2689E7E3 393905AC.
[PASS]:Good Signature. File path: openpgp/watcher.zip.asc, Public key fingerprint:
FA60975B 1160DF6D 0059662D 2689E7E3 393905AC.
[PASS]:Good Signature. File path: openpgp/rpm.war.asc, Public key fingerprint:
FA60975B 1160DF6D 0059662D 2689E7E3 393905AC.
[PASS]:Good Signature. File path: openpgp/buildcloud-rpm.zip.asc, Public key
fingerprint: FA60975B 1160DF6D 0059662D 2689E7E3 393905AC.
[INFO]: Verify Complete.

Step 2 Check the result.

If an item’s verification result is WARN, it indicates that the signature cannot be verified.
If an item’s verification result is FAIL, it indicates that the verification failed.
If an item’s verification result is PASS, it indicates that the specified public key passed the
verification.
If an item’s verification result is PASS and the public key fingerprint is B1000AC3
8C41525A 19BDC087 99AD81DF 27A74824, it indicates that this signature is a valid one
issued by Huawei OpenPGP key length for 2048.
If an item’s verification result is PASS and the public key fingerprint is E128 5E9D 7E7F
0DB0 A659 48AF FAAA 7A2E 6ADE 4A56, it indicates that this signature is a valid one
issued by Huawei OpenPGP key length for 4096.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 42

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 5 PGPVerify (Windows&Linux)

1. If a version has multiple signature files to be verified, the version is considered secure only
when all items’ verification results are PASS and all public key fingerprints are B1000AC3
8C41525A 19BDC087 99AD81DF 27A74824（when OpenPGP key length is 4096，
fingerprints are E1285E9D7E7F0DB0A65948AFFAAA7A2E6ADE4A56）, which means
the signature is issued by Huawei. Otherwise, please obtain a new software package.
2. If the verify result is “Permission denied” in step 1, please add execution attribute to file by
executing “chmod u+x PGPVerify” first.

--End

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 43

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 6 FAQs

6 FAQs

6.1 The Application Scope for use Verification Tool?

PGPVerify tool is a simple signature verify tool published by Huawei Technologies Co.,Ltd.
It’s can only be used to verify integrity of binary packages, which published by Huawei, by
hand. It SHOULD NOT be repacked or republished with any commercial products; Besides,
according to positioning of PGPVerify tool, it will not accessing to users’ network or data.

6.2 How to Obtain version of Verification Tool?

 With UI mode(suitable for Windows®)

1. Right click title bar of tool window, and click “About” menu.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 44

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 6 FAQs

2. Check version of application:

 Console mode (suitable for Windows® and Linux)

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 45

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 6 FAQs

1. Input command line:

PGPVerify -h
2. Take “Windows console” for example, show result as below(for version
V100R001C00SPC310):

PGPVerify library version V100R001C00SPC310

Copyright (c) Huawei Technologies Co., Ltd. 2017. All rights reserved.

Command:
-k: public key.
-d: The directory which to be verified.
-f: The file which to be verified.
-l: Set log file.

Example:
PGPVerify -k KEYS -d file-directory
PGPVerify -k KEYS -f signed-file

The message in first line contains the version info.

 Obtain the version by PowerShell (For Windows® only)

1. Input command line:

((.\PGPVerify.exe -h | findstr " V100" | Out-String).split(" ") | findstr
V100).remove(0,1).replace("SPC", ".").replace("C",".").replace("R",".")

Attention: The string “V100” is fixed for the version, and it won’t change for releases in
feature, so just use it as a version keyword here.
2. Show result as below (task V100R001C00SPC310 for example):
100.001.00.310

6.3 How to Obtain an .asc File?

This section uses http://support.huawei.com/carrier as an example to describe how to obtain
the .asc file for the specific product software.
As shown in Figure 6-1 the Software Name column lists the software. Click yellow envelope
button corresponding to a software package to download the .asc signature file for the
software package.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 46

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 6 FAQs

Figure 6-1 Web page for downloading the .asc file from http://support.huawei.com/carrier

6.4 How to Obtain the Public Key or Verification Tools?

 Download the public key file or verification tools from the following URL at
http://support.huawei.com/carrier:
http://support.huawei.com/carrier/digitalSignatureAction
The target web page may be displayed in Chinese. Click English on the top of the web
page to switch the language to English, as shown in Figure 6-2.
Download and decompress the OpenPGP Signature Verification Guide package. The
KEYS.txt or KEYS4096.txt file is the public key file. The VerificationTools.zip
package contains two signature verification tools: PGPVerify and Gpg4Win. You can
decompress VerificationTools.zip to obtain either tool.

Figure 6-2 Web page (in Chinese) for downloading the public key file or verification tools from
http://support.huawei.com

 Download the public key file or verification tools from the following URL at
http://support.huawei.com/enterprise:
http://support.huawei.com/enterprise/en/tool/software-digital-signature-validation-
tool-%EF%BC%88pgp-verify%EF%BC%89-TL1000000054

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 47

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 6 FAQs

The target web page may be displayed in Chinese. Click Worldwide on the top of the
web page to switch the language to English, as shown in Figure 6-3.
Click the version number in the Version list. Then click corresponding to the public
key file KEYS.txt or KEYS4096.txt to download the file. Download and decompress
VerificationTools.zip to obtain either of the signature verification tools PGPVerify and
Gpg4Win.

Figure 6-3 Web page (in Chinese) for downloading the public key file or verification tools from
http://support.huawei.com/enterprise

 Download the public key file or verification tools from the terminal knowledge base at
the following URL:
http://app.huawei.com/tkb/#!tservice/common/base/digit.html?resourceId=146680
To download the public key file or verification tools from the terminal knowledge base,
perform the following steps:
Step 1 Access http://app.huawei.com/tkb/#!tservice/common/base/digit.html?resourceId=146680.
Figure 6-4 shows the displayed web page.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 48

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 6 FAQs

Figure 6-4 Web page for downloading the public key file or verification tools from the terminal
knowledge base

Step 2 Click Download to download the OpenPGP Signature Verification Guide.rar package.
If you have relevant permissions but an error is displayed, select the correct language.
Step 3 Decompress the downloaded OpenPGP Signature Verification Guide.rar package.
 The KEYS.txt or KEYS4096.txt file is the public key file.
 VerificationTools.zip contains the verification tools. You can decompress the package to
obtain the Gpg4Win and PGPVerify verification tools.
----End

6.5 How Is Signature Verification Implemented?

Signature verification is implemented as follows:
 This document provides three OpenPGP signature verification methods. In all these
methods, the files to be verified must have been signed using OpenPGP signatures, and
verification is performed on the basis of an .asc file.
 The public key file and signature verification tools are stored in the same path.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 49

Copyright © Huawei Technologies Co., Ltd.
OpenPGP
Signature Verification Guide 6 FAQs

6.6 How to Switch the Language of a Web Page from

Chinese to English?
If any of the web pages at the given URLs is displayed in Chinese, click English on the top of
the web page to switch the language to English.

6.7 How to Rectify the Failure in Long Path Verification

Using the PGPVerify.exe Command?
 If the failed path is a local path, for example, D:\testfile.txt:
Add \\?\ before the path name as follows:
\\?\D:\testfile.txt
Original command:
PGPVerify.exe -k D:\KEYS.txt -f D:\testfile.txt

New command:
PGPVerify.exe -k \\?\D:\KEYS.txt -f \\?\D:\testfile.txt

 If the failed path is a network path, for example, \\10.172.12.12\sharedir\testfile.txt:

Add \\?\UNC\ before the path name as follows:
\\?\UNC\10.172.12.12\sharedir\testfile.txt
Original command:
PGPVerify -k \\10.172.12.12\sharedir\KEYS.txt -f
\\10.172.12.12\sharedir\testfile.txt

New command:
PGPVerify -k \\?\UNC\10.172.12.12\sharedir\KEYS.txt -f
\\?\UNC\10.172.12.12\sharedir\testfile.txt

6.8 How to Obtain and Use the PGPVerify (Solaris/Linux)

Tool?
 The path for downloading the PGPVerify (Solaris/Linux) tool and the method for
obtaining the public key are the same as those for the PGPVerify (Windows) tool.
 The PGPVerify (Solaris/Linux) tool supports only signature verification using commands
but does not support interface-based signature verification. The signature verification
using commands is the same as that of the PGPVerify (Windows) tool.

Issue 03 (2020-02-29) Huawei Proprietary and Confidential 50

Copyright © Huawei Technologies Co., Ltd.