NXLog digital signature verification

Security regulations may require organizations to verify both the identity of a software source and the integrity of the software obtained from it. To support compliance with such regulations, and to guarantee the authenticity and integrity of downloaded installer files, NXLog installer packages are digitally signed.

In some cases, such as with RPM packages, a public key is required to verify the digital signature. For this, the Public PGP Key can be downloaded from NXLog’s public contrib repository.

Signature verification for DEB packages

The verification of the NXLog DEB packages requires the debsig-verify package to be installed.

For simplicity, this section explains how to verify NXLog packages using a shell script from the NXLog contrib repository.

For details of the verification process without the script, see the HOWTO: GPG sign and verify deb packages and APT repositories section of the Packagecloud website.

  1. To install debsig-verify, run the following command:

    # apt install debsig-verify

  2. Download the contents of the deb-verify directory from the NXLog contrib repository.

  3. Run the deb-verify script with the path to the NXLog DEB package as its parameter. For example:

    # ./deb-verify ../nxlog-4.8.4835_ubuntu20_amd64.deb

  4. The script output should look similar to this:

    Verified package from 'Nxlog package' (Nxlog)

Signature verification for RPM packages

The procedure is the same for SUSE Linux Enterprise Server, Red Hat Enterprise Linux, and CentOS. However, there is a slight difference in the output messages as noted below.

This example uses the generic RPM package. Change the name of the package to match the package used in your environment.

  1. Import the downloaded NXLog public key into the RPM database with the following command:

    # rpm --import nxlog-pubkey.asc

  2. Verify the package signature with the imported public key using the following command:

    # rpm --checksig nxlog-{productVersion}_generic_rpm_x86_64.rpm

  3. The output should look similar to the following examples.

    On SUSE Linux Enterprise Server:

    nxlog-{productVersion}_generic_rpm_x86_64.rpm: digests signatures OK

    On Red Hat Enterprise Linux and CentOS:

    nxlog-{productVersion}_generic_rpm_x86_64.rpm: rsa sha1 (md5) pgp md5 OK
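One way to apply the check from step 2 in a script, shown as an added example that is not part of NXLog's documentation or tooling: it accepts only output in which a signature was actually verified, because a package with valid digests and no signature can also end in OK. The function name, the wrapper and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not NXLog tooling): classify one line of `rpm --checksig` output.
# Prints signed-ok, unsigned or failed; returns 0 only for signed-ok.
classify_checksig() {
    # Drop the leading "<package file>: " so only the result tokens remain.
    result=${1#*: }
    case "$result" in
        *"NOT OK"*) echo failed; return 1 ;;   # bad digest, bad signature or missing key
        *OK) ;;                                # continue to the signature check
        *) echo failed; return 1 ;;            # unrecognised output: fail closed
    esac
    # A verified signature shows up as a lowercase token. Newer rpm prints
    # "signatures"; older rpm prints the algorithm (rsa, dsa, pgp, gpg).
    case " $result " in
        *" signatures "*|*" rsa "*|*" dsa "*|*" pgp "*|*" gpg "*)
            echo signed-ok; return 0 ;;
    esac
    # Digests matched but nothing was signed: integrity only, no authenticity.
    echo unsigned; return 2
}

# Hypothetical wrapper: run with one package path to gate an install step.
if [ "$#" -eq 1 ]; then
    out=$(LC_ALL=C rpm --checksig "$1") || true
    verdict=$(classify_checksig "$out") || true
    echo "$1: $verdict"
    [ "$verdict" = "signed-ok" ] || exit 1
else
    # Constructed sample lines: the two forms shown on this page, plus an
    # unsigned and a missing-key line in the form rpm prints for those cases.
    for s in 'pkg.rpm: digests signatures OK' 'pkg.rpm: rsa sha1 (md5) pgp md5 OK' \
             'pkg.rpm: digests OK' 'pkg.rpm: digests SIGNATURES NOT OK'; do
        printf '%s -> %s\n' "$s" "$(classify_checksig "$s")"
    done
fi
```

Uppercase tokens together with NOT OK usually mean the signing key has not been imported yet, so repeat step 1 before treating the package as tampered.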

Signature verification for Windows

To verify the installer package for Windows before installing, follow these steps:

  1. Right-click the downloaded installer file, then select Properties.

  2. Select the Digital Signatures tab.

    NXLog is displayed as a signer for the installer. The algorithm used for the signature and the timestamp are also visible.

  3. In the Signature list, select NXLog, then click Details to display additional information about the signature.

    In the General tab, the signer information and countersignatures are displayed. Click on View Certificate to display the certificate or select the Advanced tab to display signature details.

Signature verification on macOS

To verify the installer package for macOS before installing, follow these steps:

  1. Double-click the installer package.

  2. Click on the padlock icon in the upper-right corner of the installer window to display information about the certificate.

    For valid packages a green tick is displayed, indicating the validity of the certificate.

  3. Click on the triangle next to Details to display additional information about the certificate.