Verifying SAP Archives (Digital Signature Handling)
SUM offers the option to check the signature of SAP software archives that are located in the download folder.
Context
SAP offers digital signatures for selected software archives that are provided in the software download area of the SAP Support Portal. SAP Note 2342412 informs you about software archives and media that are currently signed by SAP. The signature of these archives can be verified during the update procedure.
At the beginning of the update, on the first SUM dialog (the one on which the download directory is specified), you can decide whether to check the authenticity of the archives. If you select the appropriate checkbox, the Software Update Manager triggers the signature check during the update. The check itself is carried out internally by the SAPCAR tool.
In addition, you can include a Certificate Revocation List (CRL), which is provided by SAP and updated on a monthly basis. The CRL contains certificates that were revoked after the delivery of software archives. If you want to perform an additional check for revoked signatures, download the CRL and copy it to the download directory before you start the update.
If any archives with missing or wrong signatures are detected during the update, the Software Update Manager displays a dialog in which these archives are listed. In this case, you can either correct the archives in the download directory and run the check again afterwards, or you can ignore the messages and continue with the update.
To correct the archives, provide the download directory with new archives that have new or updated signatures. Afterwards, keep the option Check archives authenticity selected and repeat the update. The signature check is then triggered again. Alternatively, you can switch off the signature check by deselecting the option and then repeat the update with signature checking disabled.
