How to verify the authenticity of layer7 patch files
Article ID: 410354
Updated On:
Products
Issue/Introduction
Is there any checking of hash values/signatures before layer7 patch installation (.L7P) files?
How does a similar integrity check works/, or should it work in case container image-based installation?
Environment
All supported versions of the API Gateway
Resolution
L7P patches do not apply to the container form factor. Instead, we will provide a patched image.
Our patch management verifies the integrity of the L7P patches. Because all the patches from us are signed, any unauthorized changes can be detected well before installation.
We do publish SHA256 values for the patches, and they are available in the solution patches page: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/release-announcements/CA-API-Gateway-Solutions--Patches/3024
We do not have any tools to verify the signature of patches.
Customers can calculate the digest of patches and verify it against the published digest values.
Feedback
