Verifying the Demo Package Integrity

Function

Check the integrity of downloaded demo packages, that is, check whether the packages are tampered with or packets are lost during download.

Starting from 100.12.5, the digital signature CMS file is used for integrity verification. In earlier versions, SHA-256 values are still used.

Verifying a Digital Signature CMS File

1. Obtain the download path of a package of the Android/Windows/macOS/Electron demo from Downloading Demo Installation Packages.

2. Download the demo package to your device.

3. Download the following root certificate authority (CA) certificate and certification revocation lists (CRLs) from the Huawei support website:

Root CA certificate: Huawei Software Integrity Protection Root CA.der

CRLs: HuaweiRootCA.crl, HuaweiCodeSigningCA.crl, HuaweiCodeSigningCA 2.crl, and HuaweiCodeSigningCA 3.crl

4. Convert the formats of the CA certificate and CRLs from DER to PEM.

For CRLs:

openssl crl -inform DER -in "HuaweiRootCA.crl" -out HuaweiRootCaCrl.pem

openssl crl -inform DER -in "HuaweiCodeSigningCA 3.crl" -out HuaweiCodeSigningCA3.pem

openssl crl -inform DER -in "HuaweiCodeSigningCA 2.crl" -out HuaweiCodeSigningCA2.pem

openssl crl -inform DER -in HuaweiCodeSigningCA.crl -out HuaweiCodeSigningCA.pem

For CA certificate:

openssl x509 -inform DER -in "Huawei Software Integrity Protection Root CA.der" -out HuaweiRootCA.pem

5. Use Notepad to open the files obtained in step 4. Copy and paste the content of HuaweiRootCaCrl.pem, HuaweiCodeSigningCA3.pem, HuaweiCodeSigningCA2.pem, and HuaweiCodeSigningCA.pem sequentially to the end of the content of HuaweiRootCA.pem.

6. Perform CMS verification.

openssl cms -verify -inform DER -crl_check_all -in hmwsdk-win-demo-win32.zip.cms -content hmwsdk-win-demo-win32.zip -CAfile HuaweiRootCA.pem -out cmsVerifiedData -binary -purpose any -certsout tmpCertChain.pem

If a message similar to the following is displayed, the verification is successful:

CMS Verification successful

Comparing SHA-256 Values

1. Obtain the download path of a package of the Android/Windows/macOS/Electron demo from Downloading Demo Installation Packages.

2. Download the demo package to your device.

3. Open the CLI and run the following command to generate the SHA-256 value of the downloaded demo package. In the command, D:\hmwsdk-win-demo-win32.zip indicates the local path for storing the package and the package name. Replace it with the actual value.

certutil -hashfile D:\hmwsdk-win-demo-win32.zip SHA256

The following is an example of the command output:

SHA256 D:\hmwsdk-win-demo-win32.zip hash:
67244236887ae862adbe2c8ee2f4612e5d483d0562087c7f084484318655d702 
CertUtil: -hashfile Command executed

Compare the generated SHA-256 value with that listed in the table of demo package download paths. If they are the same, no tampering or packet loss occurred during download.