This document describes the steps for an eAIP end-user to verify a signed eAIP package sent by an eAIP producer. The steps are:
See also eAIP Security Considerations in the eAIP Specification.
The eAIP Signature Checker is provided by EUROCONTROL and is part of the full eAIP package (in the tools\Security\SigCheck directory), available on the eAIP Web site. It is also available as a separate download package; in this case, download this package and unpack it in the [eAIP package directory]\tools\Security\SigCheck directory.
The steps described here are to be repeated for each eAIP producer which provides you with signed eAIP packages.
Contact the eAIP producer. Depending if the eAIP producer uses x509 or PGP, they will provide you with:
For x509: the certificate of the CA and its associated fingerprint. The filename should be in the following form: Certificate.crt
For PGP: the public key of the signing PGP key and its associated fingerprint. The filename should be in the following form: 0x12345678.asc
Then, import the certificate or public key, as explained below for x509, and for PGP.
Copy the file received from producer in the directory [eAIP package directory]\tools\Security\SigCheck\x509\Certificates
Open a command prompt and change to the installation directory by typing cd [path to eAIP package directory]\tools\Security\SigCheck.
Type the following command: sigcheck -x509 -import
Check that the fingerprint displayed is the same than the one communicated to you by the eAIP producer. If they don't match, delete the file mentioned by the program and contact the eAIP producer.
If they match, the keys are now imported. You can check the signature of eAIP packages sent by this eAIP producer.
Copy the file received from producer in the directory: [eAIP package directory]\tools\Security\SigCheck\pgp\PublicKey
Open a command prompt and change to the installation directory by typing cd [path to eAIP package directory]\tools\Security\SigCheck.
Type the following command: sigcheck -pgp -import
You are prompted to verify the validity of the key by checking the key fingerprint. Check that it matches the one communicated by the eAIP producer.
If the fingerprints match, choose to trust the key ultimately. If not, choose not to trust and contact the eAIP producer.
The keys are now imported. You can check the signature of eAIP packages sent by this eAIP producer.
The steps to check the signature and to strip the package are:
Ask the eAIP producer to send you a signed eAIP package. The file can be sent by email, downloaded from a website, received on a CD-ROM or any other digital transportation method.
Copy this file to the [eAIP package directory]\tools\Security\SigCheck directory.
Ask the eAIP producer if they use PGP or x509.
Open a command prompt and change to the installation directory by typing cd [path to eAIP package directory]\tools\Security\SigCheck.
Type the following command to check the validity of the signature:
sigcheck -pgp -check eaip-package.zip.pgp
Where eaip-package.zip.pgp is the name of the signed package received from the producer.
In case the signature check was successful, you can strip the signature from the eAIP package.
sigcheck -pgp -output eaip-package.zip.pgp
This will output the file eaip-package.zip in the current directory.