Before you use PDS
Verifying a Release
BEFORE using PDS, it is important that you verify that the application you have is a TRUSTED release. This section will demonstrate how to verify your copy of PDS.
The core of the PDS application is contained within an executable Java ARchive (JAR) file. The jar file is packaged with a few other files into a compressed Zip file (.zip) or tarball (.tgz), depending upon which release you downloaded. To verify that your copy of PDS is a trusted release, you will need to verify the authenticity jar file. The instructions below to verify the jar file require both the "keytool" and "jarsigner" commands, which are shipped with a JDK but not with a JRE. The JDK can be deleted after verification as PDS requires only the JRE.
To verify PDS, please perform the following steps.
1. Extract the contents of the release as if you were going to run the application.
2. Locate the file named pds.jar within the extracted files. This is the part of the application to verify.
3. Using the unzip and keytool commands, verify that the certificate fingerprints match those shown below:
Owner: CN=PDS Software Solutions LLC, OU=PDS2, O=, L=, ST=Colorado, C=US Issuer: CN=PDS Software Solutions LLC, OU=PDS2, O=, L=, ST=Colorado, C=US Serial number: 57ad3b99 Valid from: Thu Aug 11 20:59:37 MDT 2016 until: Sun Aug 09 20:59:37 MDT 2026 Certificate fingerprints: MD5: 94:D5:FC:00:F4:2B:EE:DE:3C:2C:E5:84:94:E3:1D:44 SHA1: 86:3D:19:25:BE:92:FE:2B:54:A4:35:F2:69:37:78:4C:B9:44:23:0E Signature algorithm name: SHA1withRSA Version: 3
On Linux, run:
$ unzip -p pds.jar META-INF/PDS2KEY.RSA | keytool -printcert
On Mac, run:
$ unzip -p PDS2.app/Contents/Resources/Java/pds.jar META-INF/PDS2KEY.RSA | keytool -printcert
On Windows, the example uses two (2) commands, the first of which comes from 7-Zip.
C:\> 7z.exe p pds.jar META-INF/PDS2KEY.RSA C:\> keytool -printcert -file PDS2KEY.RSA
4. Next, using the jarsigner command, verify that all of the PDS files in the jar have been signed by the key referenced by the certificate above. You only need to run one (1) of these commands:
$ jarsigner -verify pds.jar jar verified. -OR- $ jarsigner -verify -verbose pds.jar ... ... About 250 lines, but what you're looking for is below... jar verified. -OR- $ jarsigner -verify -verbose -certs pds.jar ... ... About 1000 lines, and once again, what you're looking for is below... jar verified.
5. Optional / Extra Credit:
For those that wish to see the PDS source code, Java makes it easy. Simply download jd-gui from http://jd.benow.ca/