Verifying Signatures on ISC Software and Packages

This document details how to verify the digital signatures ISC applies to software packages so that our customers can successfully validate them.

1. Windows

  • Windows packages and binaries are signed using standard Microsoft tooling. Signatures can be verified in the following ways:
  • In Windows PowerShell run: Get-AuthenticodeSignature file.exe
  • In Windows File Explorer:
    • Right click on the file to verify
    • Select Properties
    • Select the Digital Signatures tab
    • Select the item in the list and click the Details button
    • Verify the Digital Signature Details dialog states The digital signature is OK.
  • Obtain Sigcheck from Microsoft (https://learn.microsoft.com/en-us/sysinternals/downloads/sigcheck) and run: sigcheck -h file.exe

2. Red Hat Enterprise Linux (RHEL) and its Derivatives (CentOS, Rocky, etc.)

Binary files and tar/gzip packages are signed using evmctl.This type of signature is identified by the presence of a .sig file with the same root name as the signed object. RPM packages are signed using rpmsign which are embedded in the .rpm file. Signatures can be verified as follows. Each delivery package includes the ISC certificate and GPG public key needed to verify the signed files.

2.1 Verify the ISC certificate to a trust anchor

The certificate used to sign the files and its issuing chain are included with the package.
The easiest thing is to validate the certificate on Windows by:

  • Opening the file (double click on it in File Explorer); note renaming it from .pem to .cer will ensure that the same file used in section 2.2 is being checked on Windows.
  • Switching to the Certificate Path tab
  • Verifying it says This certificate is OK. under Certificate status:.

If Windows is not available, the following steps will validate the certificate and check that it is not revoked (but not that the issuers are not revoked):

  • Convert the PKCS#7 (.p7b) certificate path into a PEM encoded file of certificates for use by OpenSSL by running: openssl pkcs7 -print_certs -in ISCCodeSigning2026.p7b -inform DER > trust.pem
  • Extract the CRL URL from the code signing certificate by running: openssl x509 -noout -text -in ISCCodeSigning2026.pem | grep -A 4 ‘X509v3 CRL’
  • Download the CRL by running: wget -O crl.der http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl
  • Convert the CRL into a PEM encoded file for use by OpenSSL by running: openssl crl -inform DER -in crl.der -outform PEM -out crl.pem
  • Add the CRL to the file containing the certificate path by running: cat crl.pem >> trust.pem
  • Verify the certificate path and ensure the code signing certificate hasn’t been revoked by running: openssl verify -verbose -crl_check -CAfile trust.pem ISCCodeSigning2026.pem

Verifying files with accompanying .sig files

Once the certificate is verified and trusted files with an associated .sig file can be validated. This requires the ima-evm-utils package. To install it run: sudo yum install ima-evm-utils

To verify a signature run: evmctl -v ima_verify –key ISCSigningCert.der –sigfile file.so

Replacing ISCSigningCert.der with the DER-encoded certificate included with the package.

Verifying .rpm files

RPM files are signed with GPG keys. ISC has converted the code signing certificate used into a GPG key pair. To verify the GPG key matches that of the certificate whose trust was established in section 2.1, the public key in the GPG key must be compared to the public key in the certificate. If they match, there is some assurance that the GPG key is the key ISC uses for code signing. The dispgpgpub utility should be included in the package. If it is not it may be obtained from https://github.com/infoseccorp/dispgpgpub/tree/main.
To verify the signature on a .rpm file follow these steps:

  • Extract the gpg public key modulus from the certificate using dispgpgpub and compare it to the public key modulus extracted from the certificate using openssl.
    • Make sure OpenSSL and dispgpgpub are available
    • diff <(./dispgpgpub ISCCodesign2026_pub.gpg) <(openssl x509 -pubkey -noout -in ISCCodeSigning2026.pem | openssl pkey -pubin -pubout | openssl rsa -modulus -pubin -noout)
  • If they match:
    • Import the gpg public key into RPM by running: rpm –import isc-gpg-pub-key.gpg
    • Verify the signature by running: rpm -v –checksig xyz.rpm