NXLog search
Let's talk Start free
Let's talk Start free

NXLog Legacy Documentation

NXLog digital signature verification

ee badge NXLog Enterprise Edition exclusive feature

Security regulations for organizations may require verifying the identity of software sources and the integrity of the software obtained from those sources. To facilitate such regulation compliance and to guarantee the authenticity and integrity of downloaded installer files, NXLog installer packages are digitally signed.

In some cases, like with RPM packages, a public key is required to verify the digital signature. You can download the public PGP key from NXLog’s public repository.

Table 1. NXLog public keys and checksums
NXLog version File SHA2 checksum

5.0 - 5.2

nxlog-pubkey-20200219-20210410.asc

9354D2051DA9E40E

5.3 - 5.10
6.0 - 6.3

nxlog-pubkey-20210410-20241009.asc

67783185632CF6DB

5.11 and newer
6.4 and newer

nxlog-pubkey.asc

8255050E24C3F75D

Signature verification for DEB packages

The verification of the NXLog DEB packages requires the debsig-verify package to be installed.

For simplicity, this section explains how to verify NXLog packages using a shell script from the NXLog contrib repository.

The details of the verification process without the script application can be found in the HOWTO: GPG sign and verify deb packages and APT repositories section of the Packagecloud website.

  1. To install debsig-verify, run the following command:

    # apt install debsig-verify

  2. Download the contents of the deb-verify directory from the NXLog contrib repository.

  3. Run the deb-verify script with the path to the NXLog deb-package as its parameter. For example, it may be the following command:

    # ./deb-verify ../nxlog-4.8.4835_ubuntu20_amd64.deb

  4. The script output should look similar to this:

    Verified package from 'Nxlog package' (Nxlog)

Signature verification for RPM packages

The procedure is the same for SUSE Linux Enterprise Server, Red Hat Enterprise Linux, and CentOS. However, there is a slight difference in the output messages as noted below.

This example uses the generic RPM package. Change the name of the package to match the package used in your environment.

  1. Import the downloaded NXLog public key into the RPM with the following command:

    # rpm --import nxlog-pubkey.asc

  2. Verify the package signature with the imported public key using the following command:

    # rpm --checksig nxlog-{productVersion}_generic_rpm_x86_64.rpm.

  3. The output should look similar to the following examples.

    On SUSE Linux Enterprise Server:

    nxlog-{productVersion}_generic_rpm_x86_64.rpm: digests signatures OK

    On Red Hat Enterprise Linux and CentOS:

    nxlog-{productVersion}_generic_rpm_x86_64.rpm: rsa sha1 (md5) pgp md5 OK

Signature verification for Windows

To verify the installer package for Windows before installing, follow these steps:

  1. Right-click the downloaded installer file, then select Properties.

  2. Select the Digital Signatures tab.

    NXLog is displayed as a signer for the installer. The algorithm used for the signature and the timestamp is also visible.

  3. In the Signature list, select NXLog, then click Details to display additional information about the signature.

    In the General tab, the signer information and countersignatures are displayed. Click on View Certificate to display the certificate or select the Advanced tab to display signature details.

Signature verification on macOS

To verify the installer package for macOS before installing, follow these steps:

  1. Double-click the installer package.

  2. Click on the padlock icon in the upper-right corner of the installer window to display information about the certificate.

    For valid packages a green tick is displayed, indicating the validity of the certificate.

  3. Click on the triangle next to Details to display additional information about the certificate.