Securing Update Responses

It is important for devices to be able to verify that information about updates, and the manifests, have not been tampered with. In this way devices can ensure that they only use legitimate download files provided by their software supplier.

The Notification Server therefore provides a /signed-updates/ API (see Signed Updates REST API). This API operates in the same way as the /updates/ API (see Updates), requiring an initial request followed by a periodic poll. The responses, however, are in the form of a JSON Web Token (JWT) and contain a JSON Web Signature (JWS) which can be used to validate the contents of the response.

The response is validated by checking the signature, and if the signature is found to be invalid then the response should not be used because it has been tampered with. To validate the signature, a public key is needed. This public key can be obtained from FlexNet Operations using the updates-service-rest-controller REST API /operations/api/updates/update-signing-key/. You can find instructions on how to use this API in section Update Signing Key REST API. For more details about this API, consult the FlexNet Operations Swagger documentation.

The format of these signed responses, and their detailed use, is described in sections /uai/2.0/signed-updates and /uai/2.0/signed-updates/manifests.

For further information about JSON Web Signatures, refer to https://tools.ietf.org/html/rfc7515. The documentation for your JWS/JWT library will describe how to check the signatures, and decode the responses, programmatically.