Digital Signatures

 
More4apps utilizes digital signatures to ensure the software provided is verified, secure and safe to use.
 
BI Reports provided by More4apps can be optionally verified using a public key with detached digital signatures. This allows users to check the integrity of the reports before importing them into their ERP Cloud instances.
 
The zip file contains two sets of BI reports, one to be installed on each ERP Cloud instance (*.xdrz) and one digitally signed (*.sig) to be used to compare to the reports to be installed.
 
If the content in the *.xdrz files differs to the digitally signed content in the *.sig files a bad content message will be displayed.  If this occurs you should not install the *xdrz BI Reports and instead contact More4apps for assistance.
 
To verify BI reports, a PGP tool, for example GNUPG and Command Line Input (CLI) is required.
 
Import the Public Key
 
The More4apps public key must be imported to be able to verify BI report signatures.  Open a Command Line window and type, or use copy and paste, the entire string below:
 
gpg --recv-keys 5D8B6113F5099742
 
The *.sig BI reports that were provided in the installation zip file can now be verified.
 
When using an untrusted certificate to verify signatures, a warning may appear:
 
gpg: Good signature from "More4Apps (More4Apps key for Digital Certificates) <xxx@more4apps.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
 
The following steps will set the trust of the More4apps certificate to prevent the warning from occurring.
 
·       Only set the trust of the More4apps certificate to ultimate after verifying the fingerprint of the installed key.
 
To verify the certificate fingerprint, run the command ‘gpg --list-keys’ and verify that the More4apps fingerprint matches the below:
 
1D8A523E3FCB060800FC17065D8B6113F5099742
 
To set the trust level of the More4apps certificate to ultimate, perform the steps below:
 
1.    Edit the More4apps key:
 
 
gpg --edit-key More4Apps
[ unknown] (1). More4Apps (More4Apps key for Digital Certificates) <xxx@more4apps.com>
 
2.    Run the trust command on the key:
 
 
trust
[ unknown] (1). More4Apps (More4Apps key for Digital Certificates) <xxx@more4apps.com
 
3.    Set the trust level to ‘5’ and verify with the ‘Y’ command:
 
Please decide how far you trust this user to correctly
verify other users' keys (by looking at passports,
checking fingerprints from different sources...)?
 
 1 = Don't know
 2 = I do NOT trust
 3 = I trust marginally
 4 = I trust fully
 5 = I trust ultimately
 m = back to the main menu
 
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
               
[ unknown] (1). More4Apps (More4Apps key for Digital Certificates) <xxx@more4apps.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
 
4.    Use the quit command to exit key editing:
 
quit
 
 
Compare BI Report File Folders
 
Open a command line window and type gpg --verify, then specify the signature file name and corresponding xdrz file name as per below:
 
gpg --verify common.xdrz.sig common.xdrz
 
gpg --verify procurement.xdrz.sig procurement.xdrz
 
If the files haven’t been tampered with you will receive information similar to below:
 
gpg: Signature made 10/03/2021 8:49:13 am New Zealand Daylight Time
gpg:                using RSA key 1D8A523E3FCB060800FC17065D8B6113F5099742
gpg: Good signature from "More4Apps (More4Apps key for Digital Certificates) <xxx@more4apps.com>" [ultimate]
 
For more information on this please refer to: Validating other keys on your public keyring.
 
Definitions
 
PGP
“Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.” PGP implements the IETF standard RFC4880. PGP is used by More4apps to create detached digital signatures to sign files without modifying the original file.”
 
CLI
Command Line Input, a command line program that accepts text input to execute operating system functions.
 
GNUPG
GNU Privacy Guard uses the PGP standard to encrypt and decrypt data. GnuPG is interoperable with other solutions that implement the PGP standard. GnuPG is widely used to create detached digital certificates and the most widely used email communication encryption standard.
 
To continue installing the BI reports, navigate to the BI Report Installation section.