Downloading the sedex Client installer¶
Download one of the sedex Client installer programs from the Downloads section.
- For Windows systems, the Windows installer program (EXE) is recommended.
- For all other systems, the JAR installer program must be used.
How to verify the sedex Client installer¶
1. Ensure that the checksum is correct¶
The checksum is used to ensure that the file was not corrupted during download. You should compare the checksum of the received file with the value provided by sedex to ensure that the received file is complete and unchanged.
On Windows systems¶
Open a Windows Powershell and enter the following command to calculate the Sha256 hash:
Get-FileHash sedex-client-7.0.4.exe
On Linux system¶
Enter the following command to calculate the Sha256 hash:
sha256sum ./sedex-client-7.0.4.jar
2. Verify the publisher¶
The exe and jar installation program is digitally signed by the publisher "Bundesamt für Informatik und Telekommunikation". To check that the file originates from sedex and has not been altered, the signature can be checked as follows
EXE file / Windows systems¶
One way to check the authenticity and integrity of the sedex client installer under Windows is to simply run the file. Windows will automatically check the digitally signed file and allow the origin to be displayed based on the signing certificate.
Make sure that the verified publisher is "Bundesamt für Informatik und Telekommunikation"
If you display the details, the certificate must be issued to "CN=Bundesamt für Informatik und Telekommunikation, O=Bundesamt für Informatik und Telekommunikation, L=Zollikofen, C=CH" and the issuer of the certificate must be "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1".
JAR file / all systems¶
One way to check the authenticity and integrity of the sedex client installer in jar format is to explicitly verify the signing certificate using the java jarsigner:
Where do I find jarsigner?
As the Jarsigner tool is not included in the commonly used Java Runtime Environment (JRE), the Java Development Kit (JDK) must be installed in order to use it. A suitable JDK is Eclipse Temurin from Adoptium.
jarsigner -verify -strict -verbose -certs sedex-client-7.0.4.jar
Make sure that there are no verification errors and that the certificate subject for all files in the jar is "CN=Bundesamt für Informatik und Telekommunikation, O=Bundesamt für Informatik und Telekommunikation, L=Zollikofen, C=CH".
- Signed by "CN=Bundesamt für Informatik und Telekommunikation, O=Bundesamt für Informatik und Telekommunikation, L=Zollikofen, C=CH"
Digest algorithm: SHA-256
Signature algorithm: SHA256withRSA, 3072-bit key
Timestamped by "CN=DigiCert Timestamp 2023, O="DigiCert, Inc.", C=US" on Fri Oct 13 11:35:54 UTC 2023
Timestamp digest algorithm: SHA-256
Timestamp signature algorithm: SHA256withRSA, 4096-bit key
jar verified.
The signer certificate will expire on 2024-09-04.
The timestamp will expire on 2031-11-10.