For security reasons, iManage Auto Updates requires the update.ini file to be signed using a signature file. You can generate and verify the signature file using the ConfigFileSigner.exe utility.

NOTE:

OpenSSL is used to generate signatures. Either an OpenSSL environment variable must be set, or OpenSSL must be available in the PATH or in the working directory from which the ConfigFileSigner.exe tool is run.

To generate signature files and verify these files using the ConfigFileSigner.exe utility, do the following: 

  1. Make sure that the update server includes the following files.

    • pubcert.crt

    • update.ini

    • updateinfo.json

    • imanageinstaller.ts1

    • imanageinstaller.ts2

    • imanageinstaller.ts3

    • ConfigFileSigner.exe

    • iManageUpdaterRest.exe

    • iManageUpdaterToast.exe

    • iManageUpdaterVerify.exe

    • sign.txt

    You can download the above files from the iManage Auto Updates server.

  2. Run the following command to generate the signature file. 
    ConfigFileSigner.exe -sign <pathtoprivate.key> <pathToUpdate.ini>

    This creates the sign.txt in the working directory by running the following command: 

    openssl.exe dgst -sha256 -sign "<pathtoprivate.key>" -out sign.txt "<pathToUpdate.ini>"

    Alternatively, upload the new sign.txt and pubcert.crt files to iManage Control Center. iManage Work Desktop for Windows downloads these files to %ProgramData%\iManage\AgentServices\CentralizedConfigs, and iManage Updater reads all information from this file.

  3. Set the following registry key settings on the client machine to match the subject and the issuer.

    • Location: HKEY_LOCAL_MACHINE\Software\iManage\AgentServices\AutoUpdate  

    • Key: Issuer

    • Type: String (REG_SZ)

    • Value: <Issuer value>

    • Location: HKEY_LOCAL_MACHINE\Software\iManage\AgentServices\AutoUpdate  

    • Key: Subject

    • Type: String (REG_SZ)

    • Value: <Subject value>

  4. Run the following command to validate the signature file. 

    ConfigFileSigner.exe -verify <pathtopublickey.pem> <pathtosign.txt> <pathtopublickey.crt> <pathtoupdate.ini>

    This creates the SigVerify.txt file by running the following command, which verifies that the signature for the update.ini file matches the update.ini file.

    openssl.exe dgst -sha256 -verify "<pathtopublickey.pem>" -signature "<pathtosign.txt>" "<pathtoupdate.ini>"

    ConfigFileSigner runs the following command to create the CrtVerify.txt file. This verifies the subject and issuer of the keys supplied. This file also contains the output values for both issuer and subject.

    openssl.exe x509 -in <pathtopublickey.crt> -text -out <pathToCrtVerify.txt>

Make sure the values for the Issuer and Subject registry settings are set to the organization value available in the pubcert.crt. If you don't use the organization value for Issuer and Subject, signature validation fails.

The SigVerify.txt and CrtVerify.txt files are located at %ProgramData%\iManage\AgentServices\Logs.

The debug logs for verify commands are logged to %temp%\SignerUtil.log. A typical successful log looks as follows:

8/25/2020 8:33:48 AM Could not find value for EnvVar OPENSSLPATH. Commands will expect openssl is in the PATH or in working directory
8/25/2020 8:33:48 AM Openssl dgst verify command executed. Verification was successful.
8/25/2020 8:33:49 AM Using iManage cert default issuer value
8/25/2020 8:33:49 AM Using iManage cert default subject value
8/25/2020 8:33:49 AM Comparison of issuers was a match. Proceeding
8/25/2020 8:33:49 AM Comparison of subjects was a match. Proceeding
8/25/2020 8:33:49 AM Verification of signed update.ini was successful.

Make sure that matching OpenSSL and supporting files are available; otherwise iManage Auto Updates fails. Set the registry data to match the Subject and Issuer values. Don't store your private key on the Auto Updates server.
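
An independent pre-deployment check of the steps above, as an added example that is not iManage code: it calls openssl.exe directly to verify sign.txt against update.ini, then compares the certificate's organization values with the Issuer and Subject registry settings. It assumes openssl.exe is in the PATH, the files are in the current directory, and the Issuer and Subject settings correspond to the issuer and subject organization (O) fields respectively; the parameter names are hypothetical.

```powershell
# Added example (not iManage code). Parameter names are hypothetical.
param(
    [string]$Cert   = '.\pubcert.crt',
    [string]$Sig    = '.\sign.txt',
    [string]$Ini    = '.\update.ini',
    [string]$RegKey = 'HKLM:\Software\iManage\AgentServices\AutoUpdate'
)

# 1. Take the public key from the certificate itself, so a passing signature
#    check also shows that pubcert.crt belongs to the key that signed update.ini.
$pub = Join-Path $env:TEMP 'pubcert-pubkey.pem'
& openssl.exe x509 -in $Cert -pubkey -noout | Set-Content -Path $pub -Encoding Ascii
if ($LASTEXITCODE -ne 0) { throw "openssl.exe could not read $Cert" }

# 2. Same digest check as the documented -verify step; exit code 0 means a match.
& openssl.exe dgst -sha256 -verify $pub -signature $Sig $Ini | Out-Null
$sigOk = ($LASTEXITCODE -eq 0)
Remove-Item $pub -ErrorAction SilentlyContinue

# 3. Read the organization (O) value from the certificate's subject or issuer name.
function Get-CertOrg([string]$Field) {
    $lines = & openssl.exe x509 -in $Cert -noout "-$Field" -nameopt multiline
    $hit = $lines | Select-String 'organizationName\s*=\s*(.+)$' | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value.Trim() }
}

# 4. Collect the certificate values next to the registry values on this machine.
$reg = Get-ItemProperty -Path $RegKey -ErrorAction SilentlyContinue
$result = [pscustomobject]@{
    SignatureValid  = $sigOk
    IssuerOrg       = Get-CertOrg 'issuer'
    RegistryIssuer  = $reg.Issuer
    SubjectOrg      = Get-CertOrg 'subject'
    RegistrySubject = $reg.Subject
}
$result | Format-List

# 5. Fail if the signature is bad, an O value is missing, or a registry value
#    differs (strict, case-sensitive comparison is an assumption of this example).
$ok = $sigOk -and $result.IssuerOrg -and $result.SubjectOrg -and
      ($result.IssuerOrg  -ceq $result.RegistryIssuer) -and
      ($result.SubjectOrg -ceq $result.RegistrySubject)
if (-not $ok) { Write-Error 'update.ini signing check failed'; exit 1 }
```

Running it after every change to update.ini catches a stale sign.txt or a mismatched registry value before clients attempt the update.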