Integrity Check

Operations

Check the integrity of the downloaded SDK installation package, that is, check whether the package was tampered with or packets were lost during download.

Verifying a Digital Signature CMS File

Download the SDK installation package to the local PC. See SDK Installation Package Download.
Download the root CA certificate and four certificate revocation lists (CRLs) from Huawei support.
File names:
- CA certificate: Huawei Software Integrity Protection Root CA.der
- CRLs: HuaweiRootCA.crl, HuaweiCodeSigningCA.crl, HuaweiCodeSigningCA 2.crl, and HuaweiCodeSigningCA 3.crl

Convert the formats of the CA certificate and CRLs from DER to PEM.

For CRLs:

openssl crl -inform DER -in "HuaweiRootCA.crl" -out HuaweiRootCaCrl.pem
openssl crl -inform DER -in "HuaweiCodeSigningCA 3.crl" -out HuaweiCodeSigningCA3.pem
openssl crl -inform DER -in "HuaweiCodeSigningCA 2.crl" -out HuaweiCodeSigningCA2.pem
openssl crl -inform DER -in HuaweiCodeSigningCA.crl -out HuaweiCodeSigningCA.pem

For the CA certificate:

openssl x509 -inform DER -in "Huawei Software Integrity Protection Root CA.der" -out HuaweiRootCA.pem

Use Notepad to open the following four files. Copy and paste the content of these four files to the end of the content of HuaweiRootCA.pem:
- HuaweiRootCaCrl.pem
- HuaweiCodeSigningCA3.pem
- HuaweiCodeSigningCA2.pem
- HuaweiCodeSigningCA.pem

Verify the CMS signature:

openssl cms -verify -inform DER -crl_check_all -in hmwsdk-win-demo-win32.zip.cms -content hmwsdk-win-demo-win32.zip -CAfile HuaweiRootCA.pem -out cmsVerifiedData -binary -purpose any -certsout tmpCertChain.pem

If a message similar to the following is displayed, the verification is successful: