Validating switch software
Validating a software image
A software image is valid if it has a valid digital signature, which is generated by HPE Code Signing Service (HPECSS). Switches that support digital signature verification will generate an error message if you attempt to download an image that is not digitally signed.
To manually verify the software’s digital signature when the switch does not support digital signature verification, use the following command:
verify signature flash {primary|secondary}
If the signature is valid, the following message is displayed:
Signature is valid.
To bypass signature verification, use the allow-no-signature option in the copy command as follows:
copy {tftp|sftp|usb|xmodem} flash [<hostname/IP>] [<filename>] {primary|secondary} allow-no-signatures
The allow-no-signature option is available on switches that support non-signed legacy software releases and must be used with caution. To determine support for your switch, go to: http://www.hpe.com/networking/swvalidation.
Software signing and verification
As an enhanced security feature, you can verify whether a software image being downloaded to or stored in your switch has, in fact, been provided by Networking without any modification or corruption.
Validation is based on the image signature that is generated and attached to the switch software by HPE Code Signing Service (HPECSS). Networking implemented digital signature validation starting with specific switch software versions. For a list of these software versions, go to: http://www.hpe.com/networking/swvalidation.
NOTE: Once a switch software image has been digitally signed on a specific version, all later versions will also be signed.
Switches supporting digital signature verification will generate an error message if you attempt to download an image that is not digitally signed. For example, using the CLI commands described above to revert back to an image that is not signed from an image that is signed and supports verification would result in the following message:
This software image does not contain a digital signature and cannot be validated as originating from HP. You may bypass this validation by using the 'allow no-signature’ option. Please see www.hp.com/networking/swvalidation for information about which versions of software contain digital signatures.
When you use the copy command to download a properly signed image, the CLI logs the following syslog message:
Update: Firmware image contains valid signature.
Errors related to signature validation will generate one of the following log messages:
Update: Aborted. Downloaded file invalid.
Update: Aborted. Firmware image does not contain a signature.
Update: Aborted. Firmware image signature is not valid.
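The log messages above can be monitored on a central syslog collector. The following is an added example, not part of the HPE documentation: it classifies the four messages per switch and lists the switches where an update was aborted. The line layout (timestamp, host, then the message), the host names, and the verdict labels are assumptions; adjust the pattern to your collector's format.

```python
import re
from collections import defaultdict

# Message texts as given on this page; the verdict labels are this example's own.
MESSAGES = {
    "Firmware image contains valid signature.": "valid",
    "Aborted. Downloaded file invalid.": "file-invalid",
    "Aborted. Firmware image does not contain a signature.": "unsigned",
    "Aborted. Firmware image signature is not valid.": "bad-signature",
}

# Assumed collector layout: "<Mmm dd hh:mm:ss> <host> [...] Update: <text>".
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+(\S+)\s.*?Update:\s+(.*\S)\s*$")

def classify(line):
    """Return (timestamp, host, verdict) for a known update message, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    verdict = MESSAGES.get(m.group(3))
    return (m.group(1), m.group(2), verdict) if verdict else None

def audit(lines):
    """Collect verdicts per host, in log order, and list hosts needing review."""
    per_host = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit:
            per_host[hit[1]].append(hit[2])
    # Any aborted update is flagged, even if a later attempt on that host succeeded.
    review = sorted(h for h, v in per_host.items() if any(x != "valid" for x in v))
    return dict(per_host), review

# Constructed sample lines (not captured from a real switch).
SAMPLE = [
    "Mar  3 10:15:02 sw-core-1 Update: Firmware image contains valid signature.",
    "Mar  3 10:16:40 sw-core-1 ports: port 1 is now on-line",
    "Mar  3 11:02:17 sw-edge-7 Update: Aborted. Firmware image does not contain a signature.",
    "Mar  3 11:09:55 sw-edge-7 Update: Firmware image contains valid signature.",
    "Mar  4 02:41:08 sw-edge-9 Update: Aborted. Firmware image signature is not valid.",
    "Mar  4 03:05:30 sw-edge-4 Update: Aborted. Downloaded file invalid.",
]

if __name__ == "__main__":
    verdicts, review = audit(SAMPLE)
    for host in review:
        print(host, verdicts[host])
```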