Digital Signatures (Optional)

More4apps utilises digital signatures to ensure the software provided is verified, secure and safe to use. The servlet jar file and database package file provided by More4apps can be optionally verified using a public key with detached digital signatures. This allows you to check the integrity of the files before installing into your E-Business instance.

You can verify these files on the Windows OS before transferring them to your servers. To perform the verification a PGP tool, for example GNUPG is required.

Verification process:

Extract the Files

Extract the R12install.zip file to a local directory and open a Command window in this directory.

Import (Receive) the Public Key

The More4apps Public Key can be imported (received) with this command:

gpg --recv-keys 5D8B6113F5099742

Set the Trust Level for the Public Key

You must set the trust level for the More4apps Public Key with this command:

gpg --edit-key More4apps

Respond to the prompts as follows:

trust

quit

Verify the Files with the Public Key

The servlet file and package body file both come with an external signature file signed with our private key. You can verify that the files have not been tampered with by running the following commands:

gpg --verify m4aServlet.jar.sig m4aServlet.jar

gpg --verify M4APS_XML_R12.plbb.sig M4APS_XML_R12.plbb

A valid signature will have this output:

gpg: Signature made 12/03/2021 12:15:09 pm New Zealand Daylight Time

gpg: using RSA key 1D8A523E3FCB060800FC17065D8B6113F5099742

gpg: Good signature from "More4apps (More4apps key for Digital Certificates) <bevan.wheeler@more4apps.com>" [ultimate]

Please contact More4apps support if the signature cannot be verified.