Verify digital signatures
This topic describes how to verify that your IBM Passport Advantage software download is valid and has been signed by IBM.
To incorporate secure code signing of IBM Informix releases, starting with Informix Server 14.10.xC9,
the tar/zip file contains:
- Original *.zip or *.tar media file
- The signature file, which has the same name as the media file with a .sig extension
- Informix public key file: informix.pem
- You can verify the file using the signature and public key file with the OpenSSL command:
  openssl dgst -sha256 -verify informix.pem -signature <SIGNATUREFILENAME> <FILETOSIGN>
  -verify takes the public key *.pem file provided by the release
  -signature takes the *.sig file provided by the release
  <FILETOSIGN> is the actual release .tar or .zip file provided in the release
- You can optionally verify the contents of the public key by comparing the contents of the
informix.pem file with the output below:
-----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzXoa2nQuM7FZR/qRPl19 T29KR/VUQ714L76d+DGyEJLX9jXXMcCqg/FveV/Y2t/iEZ5hs9XL9BCvEzibrkV/ twFBSqUw3p9944RJVt7L5gdo9RiyI/EshWXyKur5izKOJ2fm9AJGf6H+jxmSFtVk 4XHFCL9X+tNXG2GxC49qP6oy26l126eU4fKbyHziRJU0t7Bum6m0Ghdky9lrDzZl WJyS48uqI8PqKbBNRura1V5bq8ebumRrbXY9NdbZLcFKGNSUnQcbi7YNWUQ7T6Rz 5shAMnM3GOREetbICpBV7xn9PMW9L3T8YlmFqHbzUlS72p2Jy5DxAelM59TZ8Lbe 6A+Oq4/qmhUgkTNDQFOhZIpfj6ub+zOJEdMnnLKNmMyt0eQLwMLdJKY9ToEP8VX0 oT3H5//cnyFJLmt82bVzGdBR3fGXBietZr5Uf3NlCUlo4F/h/NJ8iCNCfmHEwX84 cUjt7Qz5ET3+mZ4xiZDcMQEblq5OiQn2/nuMo97P5uQzbINBNqPKVadVmt50dSq7 FcbEFpydR5fWa3ef4T7aW1wTUKmYZBuJfPax7EnZZgoVR/iS0S9MDTU8OzzfMteq F8MslgLiPDYyVGN8NelREgzBYWBBvsbpWQfWyD6mXQgqxj0a2gPO0meV0ZOCjclk eF01qVzkN+L/+Er5jAzmNQECAwEAAQ== -----END PUBLIC KEY-----
Note: Even if you do not need the verification, you can still use the package.
Note: The 14.10.xC10 and 14.10.xC10W1 media contain incorrect contents in the public key file, and the .sig file must be Base64-decoded for OpenSSL verification. Follow these additional steps to verify the signature file:
- Copy the following contents for the informix.pem into a file (you can replace informix.pem or
create a new one).
-----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5p2iJ/A+hwsUeXrsQ1Xz yqlnLmqyhCl6GCrybzW8Vinz5saK1exUQaJMFDWGutWfsd0ArXOg2cyC2o17Ixag FevGNRKOZ5hxjDXLpM4l68kct3geudR+IfohTr1MRftHl8cQW44fOvSMmyhhgwPH BdIUm9CUSwVQhd33aARgW9Zc90G/M+2gXTZAfPA3YBszRfsqSLQTJCrZi21udjmq SBW9tYdI8/ikx8vGhyS8Kl0/r6/gTLEmT9fSywUVIhyXTj/pEGgN9fGK5iDGqNUn EncPCOoWDROcYzK67An3NKPp5uAA9wa4EOoOW/9BNPTdHzZ95Q47V5lgT3VvrWDo 2DGqLbFNxk62IbPYI97XHOmvVzTnMktHxyGdeGJjwvD+AC6vZhQRI+HO7vcQr6Zd aODqHD437BKXuL3jBfpIA3YhVC43SMrK5B4LJZAzasOcE0gdeFphFa7ErJEjlK68 P+zjSqdavS7uvAxf1+H9hvkH/wPd83CqBN4CJHJWsbT4+rxRPb6iozJTTgpio0Fc oN93M8JjLio//Tg3CicZBI6/9Neg6jOj9l6yj7ip3oUqeQJDztDGYT8I++KGyZ47 soo52AdrGyoyx09V+43ACMYNgx3N3VkK0kW8pvNQWLErprE8AZnrczOivC62EWls 5zy67mvtWPIsEarJz19p3Y0CAwEAAQ== -----END PUBLIC KEY-----
- Decode the Base64-encoded .sig file (SIGNATUREFILENAME) into a new file:
(cat {SIGNATUREFILENAME} ; echo '') | openssl enc -d -base64 -out fixed.sig
- Verify the media file against the fixed signature with the updated informix.pem (or the new file
from step 1), using the following command:
openssl dgst -sha256 -verify informix.pem -signature fixed.sig {FILETOSIGN}
- Example: For Linux 14.10.FC10, using the new key file and
ibm.ids.14.10.FC10.LNX.tar.cosign.sig.new:
$ openssl dgst -sha256 -verify ./informix.pem.pub.key -signature ibm.ids.14.10.FC10.LNX.tar.cosign.sig.new ibm.ids.14.10.FC10.LNX.tar
Verified OK
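The verification steps above, including the 14.10.xC10 Base64 workaround and the public key comparison, combined in one shell script. This is an added example, not IBM's code: the function names, the throwaway key and the stand-in media file are constructed for illustration. With a real download, call verify_release with informix.pem, the .sig file and the media file.

```sh
#!/bin/sh
# verify_release PUBKEY SIGFILE MEDIAFILE  (hypothetical helper name)
# Returns 0 only when OpenSSL accepts the SHA-256 signature.
verify_release() {
    pub=$1; sig=$2; media=$3
    # Usual case: the .sig file is a raw binary signature.
    if openssl dgst -sha256 -verify "$pub" -signature "$sig" "$media" >/dev/null 2>&1; then
        echo "Verified OK (raw signature)"; return 0
    fi
    # 14.10.xC10 / xC10W1 case: the .sig is Base64 text, so decode it first.
    fixed=$(mktemp) || return 2
    if (cat "$sig"; echo '') | openssl enc -d -base64 -out "$fixed" 2>/dev/null &&
       openssl dgst -sha256 -verify "$pub" -signature "$fixed" "$media" >/dev/null 2>&1; then
        rm -f "$fixed"; echo "Verified OK (Base64-decoded signature)"; return 0
    fi
    rm -f "$fixed"; echo "Verification Failure" >&2; return 1
}

# key_fingerprint PUBKEY: SHA-256 over the DER form of the key, so two copies
# of a public key compare equal regardless of PEM line wrapping.
key_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Constructed demo data: throwaway RSA key and a stand-in "release" file,
# signed once as raw bytes and once re-encoded as Base64 text.
make_demo() {
    d=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/demo.key" 2>/dev/null
    openssl pkey -in "$d/demo.key" -pubout -out "$d/demo.pem"
    printf 'constructed stand-in for a release archive\n' > "$d/media.tar"
    openssl dgst -sha256 -sign "$d/demo.key" -out "$d/media.tar.sig" "$d/media.tar"
    openssl base64 -in "$d/media.tar.sig" -out "$d/media.tar.sig.b64"
}

demo=$(mktemp -d)
make_demo "$demo"
verify_release "$demo/demo.pem" "$demo/media.tar.sig" "$demo/media.tar"
verify_release "$demo/demo.pem" "$demo/media.tar.sig.b64" "$demo/media.tar"
echo "key fingerprint: $(key_fingerprint "$demo/demo.pem")"
```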