LoadMaster Code Signing Certificates and LTSF Releases
All LoadMaster releases and associated addon packages are digitally signed using XML-format signature files (a.k.a. 'detached signatures') that conform to the best practices defined by the World Wide Web Consortium (W3C) for XML Signature Syntax and Processing. Each XML signature file is named after the downloaded installation package it covers: the package filename is the prefix, followed by the extension .checksum.xml.
The digital signing process employs an X.509 code signing certificate that has an expiration date; when the certificate reaches its expiration date, signature validation using this certificate will fail. Therefore, vendors need to update this certificate occasionally so that verification of digital signatures will continue to work.
On 27 May 2022, the certificate used to sign LoadMaster release artifacts for LoadMaster LMOS version 7.2.56.x and prior releases expired.
All LoadMaster releases that occur after the above date (i.e., 7.2.54.5 and above) will be digitally signed using a newly obtained code signing certificate.
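The following is an added example, not LoadMaster's own verification code: it checks a downloaded package against the digest recorded in a detached W3C XML Signature document such as the .checksum.xml files described above. It assumes the file carries a standard Reference element whose URI is the package filename, and it does not validate the signature value or the signing certificate, so a match shows only that the package and the signature file agree, not that either is authentic. The function names and sample data are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # W3C XML Signature namespace
# Digest algorithm URIs defined by the W3C XML Signature/Encryption specs.
DIGESTS = {
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}

def check_reference_digest(signature_xml, package_name, package_bytes):
    """Compare a package with the digest recorded for it; return (ok, reason)."""
    if "<!DOCTYPE" in signature_xml:  # no DTDs or entity tricks in this input
        return False, "DOCTYPE not allowed in a signature file"
    root = ET.fromstring(signature_xml)
    for ref in root.iter(DS + "Reference"):
        if ref.get("URI") != package_name:  # assumption: URI is the file name
            continue
        if ref.find(DS + "Transforms") is not None:
            return False, "transforms not supported by this check"
        method = ref.find(DS + "DigestMethod")
        value = ref.find(DS + "DigestValue")
        if method is None or value is None or not value.text:
            return False, "incomplete Reference element"
        algo = DIGESTS.get(method.get("Algorithm"))
        if algo is None:
            return False, "unknown digest algorithm"
        try:  # base64 text may be line-wrapped, so drop all whitespace first
            recorded = base64.b64decode("".join(value.text.split()), validate=True)
        except ValueError:
            return False, "DigestValue is not valid base64"
        if hashlib.new(algo, package_bytes).digest() == recorded:
            return True, "digest matches (" + algo + ")"
        return False, "digest mismatch"
    return False, "no Reference for " + package_name

def constructed_sample(package_name, package_bytes):
    """Build a minimal constructed signature document (demo input only)."""
    digest = base64.b64encode(hashlib.sha256(package_bytes).digest()).decode()
    return ('<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
            f'<Reference URI="{package_name}"><DigestMethod '
            'Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
            f'<DigestValue>{digest}</DigestValue></Reference></SignedInfo></Signature>')

if __name__ == "__main__":
    name, data = "example-package.bin", b"constructed package bytes"
    doc = constructed_sample(name, data)
    print(check_reference_digest(doc, name, data), check_reference_digest(doc, name, data + b"!"))
```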
What Does This Mean To You?
If you're running an LMOS version earlier than 7.2.49.1 (when XML signature verification was introduced), then this will mean no change for you since your current LMOS version doesn't provide an option for checking XML signatures for upgrades and addons.
For LMOS versions after 7.2.49.1, verifying digital signatures for LMOS images and addon packages will continue to work if the image or addon package was signed with the new certificate. Therefore, you will be able to verify the XML signature in these scenarios:
- Updating 7.2.54.5 to 7.2.54.6 (or a later version).
- Updating 7.2.54.6 with a subsequent release on the 7.2.54.x branch.
- Updating 7.2.54.5 (or a later release on the 7.2.54.x branch) to 7.2.57.0 (or a later version).
Verifying XML signatures will not work if you attempt to update the system with any LMOS update image or addon package signed with the earlier, expired certificate. Therefore, XML signature verification will fail in these scenarios:
- Updating any LMOS release before 7.2.54.5 to 7.2.54.6 (or a later release on the 7.2.54.x branch).
In these cases, you will need to skip XML signature verification when installing the LMOS image or addon package. To do this, navigate to System Configuration > Miscellaneous Options > WUI Settings and set the Update Verification Options parameter to Optional, which allows you to skip XML verification when you install the image. Once the update is complete, XML verification for future upgrades can once again be set to Required (if desired).
The same restrictions outlined above apply to XML verification of addon packages, which are also digitally signed.
Note that if you have FIPS mode enabled, you will not be able to change the Update Verification Options parameter, which is set to Required in FIPS mode. In this case, please contact Support for assistance.