The Rocket Software, Inc. extensions for Visual Studio Code listed below use PGP digital signatures to guarantee that the packages you are installing were created by Rocket Software, Inc. This readme guides you through the process of verifying these extensions on Windows and on Linux.
There are a number of open-source tools available for both Windows and Linux platforms which you can use to verify the marketplace extensions before you install them. This readmes uses Gpg4win for Windows and gnupgp for Linux.
This readme includes example instructions for both Windows (using Gpg4win) and Red Hat Linux (using gnupgp).
- Install the PGP tools:
- On Windows - download and install Gpg4win for Windows
- On Linux, install gnupg using yum from a terminal:
This adds the PGP tools to the PATH environment variable on your machine. On Windows, however, you might need to add the Gpg4win installation folder manually to the PATH as follows:
yum install –y gnupgset PATH=%PATH%;C:\Program Files (x86)\Gpg4win\bin
- Download the required extension file (
.vsix) from the Visual Studio Marketplace:
-
Note: We recommend that you always download and install the latest version of the extensions.
-
Select the release from this GitHub repository which matches the version of the extension(s) you have downloaded. Download the signature (
.asc) file for the selected release. -
Use the checksum listed on this repository to verify the downloaded
.vsixpackage.
-
On Windows:
sha256sum RocketSoftware.rocket-enterprise-2.0.0.vsix sha256sum RocketSoftware.rocket-cobol-2.0.0.vsix sha256sum RocketSoftware.rocket-learncobol-2.0.0.vsix sha256sum RocketSoftware.rocket-jvmcobol-2.0.0.vsix -
On Linux:
sha256sum ./RocketSoftware.rocket-enterprise-2.0.0.vsix sha256sum ./RocketSoftware.rocket-cobol-2.0.0.vsix sha256sum ./RocketSoftware.rocket-learncobol-2.0.0.vsix sha256sum ./RocketSoftware.rocket-jvmcobol-2.0.0.vsixImportant: If a generated checksum does not match the value listed for the same release on this repository, you need to download the package again and repeat the verification process.
Important: Version 2.0.x of the COBOL, JVM COBOL, Enterprise and Learn COBOL extensions are all signed with a Rocket Software public key.
Important: Versions 1.0.55 to 1.0.59 of the COBOL and Enterprise extensions, versions 1.0.11 to 1.0.13 of Learn COBOL extension and versions 1.0.2 to 1.0.3 of the JVM COBOL extension are all signed with an OpenText public key. Prior to this all extensions were signed with a Micro Focus public key. Details are provided below to describe how to verify with both the OpenText and Micro Focus public keys.
- Extract the public key from the
.vsixpackage. The.vsixpackage can be treated as a ZIP archive so you can use any archive utility such az 7-zip on Windows:
- On Windows:
"C:\Program Files\7-Zip\7z.exe" e RocketSoftware.rocket-cobol-2.0.0.vsix extension\Rocket.package-sign.pub - On Linux:
unzip RocketSoftware.rocket-cobol-2.0.0.vsix extension/Rocket.package-sign.pub
- To view the fingerprint of the exported public key, run the following command:
-
On Windows:
gpg --import --import-options show-only --dry-run Rocket.package-sign.pub -
On Linux:
gpg2 --import --import-options show-only --dry-run extension/Rocket.package-sign.pubThe expected output is in a format similar to the following where the asterisks indicate the fingerprint value:
pub rsa4096 2024-05-14 [SC] 4BCACD85F7618C855216DD8C56A5D1B5263069BE uid Rocket-package-sign (Rocket Software, Inc. Package signing - 20240514) <[email protected]>Important: To verify that the public key is correct, the fingerprint must match the following value:
Key fingerprint: 4BCA CD85 F761 8C85 5216 DD8C 56A5 D1B5 2630 69BE
You should only proceed with importing the public key into the local keystore if the key fingerprint matches this value.
- To import the public key into the local keystore:
- On Windows:
gpg --import Rocket.package-sign.pub - Linux:
gpg2 --import extension/Rocket.package-sign.pub
-
Once imported, you need to sign the key in your keystore with a private key.
This is required so that you can provide information to your local system that the signing certificate imported in this step has passed all the checks performed in the previous steps. If you do not provide this information, the system reports that the imported certificate is not trusted when you try to verify the
.vsixpackage.You need an existing private key to sign the key. Follow the prompts to sign the public key:
-
On Windows:
gpg --lsign-key "4BCA CD85 F761 8C85 5216 DD8C 56A5 D1B5 2630 69BE" -
On Linux:
gpg2 --lsign-key "4BCA CD85 F761 8C85 5216 DD8C 56A5 D1B5 2630 69BE"Important: If you receive the following output, it indicates that no private key exists. In this case you need to create a new private key and retry this step:
gpg: no default secret key: No secret key Key has not been changed, so no save is needed.
- To verify the
.vsixpackage using the signature file:
- On Windows:
gpg --verify RocketSoftware.rocket-cobol-2.0.0.vsix.asc RocketSoftware.rocket-cobol-2.0.0.vsix gpg --verify RocketSoftware.rocket-enterprise-2.0.0.vsix.asc RocketSoftware.rocket-enterprise-2.0.0.vsix gpg --verify RocketSoftware.rocket-learncobol-2.0.0.vsix.asc RocketSoftware.rocket-learncobol-2.0.0.vsix - On Linux:
The output from the verification must report a valid signature from Rocket Software, Inc.
gpg2 --verify RocketSoftware.rocket-cobol-2.0.0.vsix.asc RocketSoftware.rocket-cobol-2.0.0.vsix gpg2 --verify RocketSoftware.rocket-enterprise-2.0.0.vsix.asc RocketSoftware.rocket-enterprise-2.0.0.vsix gpg2 --verify RocketSoftware.rocket-learncobol-2.0.0.vsix.asc RocketSoftware.rocket-learncobol-2.0.0.vsix
- Extract the public key from the
.vsixpackage. The.vsixpackage can be treated as a ZIP archive so you can use any archive utility such az 7-zip on Windows:
- On Windows:
"C:\Program Files\7-Zip\7z.exe" e Micro-Focus-AMC.mfcobol-1.0.55.vsix extension\ot-package-sign.pub - On Linux:
unzip Micro-Focus-AMC.mfcobol-1.0.55.vsix extension/ot-package-sign.pub
- To view the fingerprint of the exported public key, run the following command:
-
On Windows:
gpg --import --import-options show-only --dry-run ot-package-sign.pub -
On Linux:
gpg2 --import --import-options show-only --dry-run extension/ot-package-sign.pubThe expected output is in a format similar to the following where the asterisks indicate the fingerprint value:
pub rsa4096 2023-04-20 [SC] **23DF1905A3DF04718BDFD1F5F8EEBBCDE08E4762** uid OT-package-sign (Open Text Corporation package signing certificate 20230420) <[email protected]>Important: To verify that the public key is correct, the fingerprint must match the following value:
Key fingerprint: 23DF 1905 A3DF 0471 8BDF D1F5 F8EE BBCD E08E 4762
You should only proceed with importing the public key into the local keystore if the key fingerprint matches this value.
- To import the public key into the local keystore:
- On Windows:
gpg --import ot-package-sign.pub - Linux:
gpg2 --import extension/ot-package-sign.pub
-
Once imported, you need to sign the key in your keystore with a private key.
This is required so that you can provide information to your local system that the signing certificate imported in this step has passed all the checks performed in the previous steps. If you do not provide this information, the system reports that the imported certificate is not trusted when you try to verify the
.vsixpackage.You need an existing private key to sign the key. Follow the prompts to sign the public key:
-
On Windows:
gpg --lsign-key "23DF 1905 A3DF 0471 8BDF D1F5 F8EE BBCD E08E 4762" -
On Linux:
gpg2 --lsign-key "23DF 1905 A3DF 0471 8BDF D1F5 F8EE BBCD E08E 4762"Important: If you receive the following output, it indicates that no private key exists. In this case you need to create a new private key and retry this step:
gpg: no default secret key: No secret key Key has not been changed, so no save is needed.
- To verify the
.vsixpackage using the signature file:
- On Windows:
gpg --verify Micro-Focus-AMC.mfcobol-1.0.55.vsix.asc Micro-Focus-AMC.mfcobol-1.0.55.vsix gpg --verify Micro-Focus-AMC.mfenterprise-1.0.55.vsix.asc Micro-Focus-AMC.mfenterprise-1.0.55.vsix gpg --verify Micro-Focus-AMC.learncobol-1.0.11.vsix.asc Micro-Focus-AMC.learncobol-1.0.11.vsix - On Linux:
The output from the verification must report a valid signature from Open Text Corporation.
gpg2 --verify Micro-Focus-AMC.mfcobol-1.0.55.vsix.asc Micro-Focus-AMC.mfcobol-1.0.55.vsix gpg2 --verify Micro-Focus-AMC.mfenterprise-1.0.55.vsix.asc Micro-Focus-AMC.mfenterprise-1.0.55.vsix gpg2 --verify Micro-Focus-AMC.learncobol-1.0.11.vsix.asc Micro-Focus-AMC.learncobol-1.0.11.vsix
- Extract the public key from the
.vsixpackage. The.vsixpackage can be treated as a ZIP archive so you can use any archive utility such az 7-zip on Windows:
- On Windows:
"C:\Program Files\7-Zip\7z.exe" e Micro-Focus-AMC.mfcobol-1.0.54.vsix extension\MicroFocusGPGPackageSign.pub - On Linux:
unzip Micro-Focus-AMC.mfcobol-1.0.54.vsix extension/MicroFocusGPGPackageSign.pub
- To view the fingerprint of the exported public key, run the following command:
-
On Windows:
gpg --import --import-options show-only --dry-run extension\MicroFocusGPGPackageSign.pub -
On Linux:
gpg2 --import --import-options show-only --dry-run extension/MicroFocusGPGPackageSign.pubThe expected output is in a format similar to the following where the asterisks indicate the fingerprint value:
pub rsa4096 2020-04-22 [SC] **A15D0CFFD6DF76C4C8473AFE3288E0D0786EC7C0** uid mf-master-sign (Micro Focus International package signing certificate 2020-04-22) <[email protected]>Important: To verify that the public key is correct, the fingerprint must match the following value:
Key fingerprint: A15D 0CFF D6DF 76C4 C847 3AFE 3288 E0D0 786E C7C0
You should only proceed with importing the public key into the local keystore if the key fingerprint matches this value.
- To import the public key into the local keystore:
- On Windows:
gpg --import extension\MicroFocusGPGPackageSign.pub - Linux:
gpg2 --import extension/MicroFocusGPGPackageSign.pub
-
Once imported, you need to sign the key in your keystore with a private key.
This is required so that you can provide information to your local system that the signing certificate imported in this step has passed all the checks performed in the previous steps. If you do not provide this information, the system reports that the imported certificate is not trusted when you try to verify the
.vsixpackage.You need an existing private key to sign the key. Follow the prompts to sign the public key:
-
On Windows:
gpg --lsign-key "A15D 0CFF D6DF 76C4 C847 3AFE 3288 E0D0 786E C7C0" -
On Linux:
gpg2 --lsign-key "A15D 0CFF D6DF 76C4 C847 3AFE 3288 E0D0 786E C7C0"Important: If you receive the following output, it indicates that no private key exists. In this case you need to create a new private key and retry this step:
gpg: no default secret key: No secret key Key has not been changed, so no save is needed.
- To verify the
.vsixpackage using the signature file:
- On Windows:
gpg --verify Micro-Focus-AMC.mfcobol-1.0.54.vsix.asc Micro-Focus-AMC.mfcobol-1.0.54.vsix gpg --verify Micro-Focus-AMC.mfenterprise-1.0.54.vsix.asc Micro-Focus-AMC.mfenterprise-1.0.54.vsix gpg --verify Micro-Focus-AMC.learncobol-1.0.10.vsix.asc Micro-Focus-AMC.learncobol-1.0.10.vsix - On Linux:
The output from the verification must report a valid signature from Micro Focus International.
gpg2 --verify Micro-Focus-AMC.mfcobol-1.0.54.vsix.asc Micro-Focus-AMC.mfcobol-1.0.54.vsix gpg2 --verify Micro-Focus-AMC.mfenterprise-1.0.54.vsix.asc Micro-Focus-AMC.mfenterprise-1.0.54.vsix gpg2 --verify Micro-Focus-AMC.learncobol-1.0.10.vsix.asc Micro-Focus-AMC.learncobol-1.0.10.vsix
- If the verification process reports an error, check the Common Issues below.
Issue:
Can't check signature: No public key
Resolution: Double-check that the public key has been imported into the local system.
Issue:
Invalid signature
Resolution:
- Double-check that the correct signature version is being used.
- Double-check the checksum of the downloaded .vsix package.
If the problem persists, visit the Community Forum or, if you have a maintenance contract for Rocket® Visual COBOL or Rocket®Enterprise Developer, contact Rocket Software Customer Care.