ArcSDE stores authorization/license info in a table called
SDE_server_config. Use the template below to update this table when a new authorization is needed:
SET [char_prop_value] = 'arcsdeserver,101,ecp000000000,31-dec-2016,JA4JPCAZRA9DJLMAP105'
WHERE prop_name = 'AUTH_KEY'
The keycode above is fake. A real code can be found in the
keycodes file after you authorize ArcGIS Server. This file is typically in the
\\Program Files\ESRI\License<release#>\sysgen folder on Windows or
/arcgis/server/framework/runtime/.wine/drive_c/Program Files/ESRI/License<release#>/sysgen directory on Linux.
Let’s say you have downloaded an installer, and before you run it, you’d like to prove it was packaged by a developer you trust. It’s not enough to simply go to the app’s official download page… maybe their server was hacked, maybe someone is rerouting your Internet traffic… If you really want to verify the source of this installer, PGP’s web of trust will help: Provided you have the developer’s public key and no reason to think his corresponding private key is compromised, then you can authenticate the file as his.
Since KeePass is a program to store all your passwords, it’s an installer we ought to verify! I’ll use KeepPass as an example:
Here’s the official download page. The download buttons redirect to SourceForge – a popular file hosting service.
Now go to the file signatures page and download your file’s corresponding key. I’m going to install
KeePass-2.28-Setup.exe, so I downloaded
Take note of the developer’s public key. This is the public identity that will be embedded in files they sign. For KeePass, the developer’s name is ‘
Dominik Reichl‘ and his key fingerprint is ‘
2171 BEEA D0DD 92A1 8065 5626 DCCA A5B3 FEB7 C7BC‘.
His key looks like this:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.7 (MingW32)
[ blah blah blah blah ]
-----END PGP PUBLIC KEY BLOCK-----
… without the ‘blah blah blah’, of course!
Here we assume that anything signed by this key was signed by the man Dominik Reichl whom we trust for KeePass installers. If that’s confusing, see Wikipedia’s web of trust.
Encryption is not magic — it can’t tell you if someone forced Dominik to sign a malicious file. It can’t tell you that he keeps his key safe or that he is trustworthy to begin with. Encryption can only prove that this particular file was signed by someone who had access to “Dominik”‘s private key. I put his name in scare quotes because of course “Dominik” could be a pseudonym, or a group of people, etc., etc. This part of public key cryptography seems to confuse a lot of people. Anyway…
The last step is to verify the file. I will use Windows PowerShell:
PS C:\Users\techencoder\Downloads> gpg --verify .\KeePass-2.28-Setup.exe.asc .\KeePass-2.28-Setup.exe
gpg: Signature made 10/07/14 11:11:53 Central Daylight Time using DSA key ID FEB7C7BC
gpg: Good signature from "Dominik Reichl <firstname.lastname@example.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2171 BEEA D0DD 92A1 8065 5626 DCCA A5B3 FEB7 C7BC
As you can see, I’ve yet to sign Dominik’s key.
WARNING: This key is not certified with a trusted signature! is just a reminder that his key is not part of my web of trust. Should I ever want to add his key, I would ask him to tell me the fingerprint in person, over the phone, or in some other offline communication. Then I can safely know that the key is owned by that person I talked to offline.
I’m now a certified Esri Web Application Developer for ArcGIS 10.2 (EWDA102).
Email me if you need to see the online transcript.
Here’s a Windows command line example for
gpg message encryption.
echo "Hi John," "Here's our server admin info:" "username=admin" "password=2d!5-e9.6e8:AA~77/Vq" | gpg --encrypt --sign --armor -r email@example.com --output c:\temp\message.txt
Install the open source Gpg4win to use gpg. Gpg4win is a email and file encryption package for Windows that includes the open source Gnu Privacy Guard. It implements the OpenPGP standard and is widely used to sign, verify, encrypt, and decrypt data.
Checking an installer’s hash/digest is a good security best practice, but Windows doesn’t have a built-in program for that. While PowerShell scripts can do these kinds of calculations, the commands are verbose and hard to remember. Enter Gpg4win…
Gpg4win is a email and file encryption package for Windows that includes the open source Gnu Privacy Guard. It implements the OpenPGP standard and is widely used to sign, verify, encrypt, and decrypt data.
--print-md is a command to calculate a hash using md5, sha1, sha256, and more:
gpg --print-md md5 .\setup.exe
gpg --print-md sha1 .\setup.exe
gpg --print-md sha256 .\setup.exe
Or use the
* parameter to show all formats:
gpg --print-md * .\setup.exe