Verify digital signatures

This topic describes how to verify that your IBM Passport Advantage software download is valid and has been signed by IBM.

To provide secure code signing of IBM Informix releases, starting with Informix Server 14.10.xC9 the downloaded tar/zip file contains:
  • The original *.zip or *.tar media file
  • The signature file, which has the same name as the media file plus a .sig extension
  • The Informix public key file: informix.pem
  1. Verify the media file against the signature and the public key file with the following OpenSSL command. It prints "Verified OK" when the signature matches and "Verification Failure" otherwise.
    openssl dgst -sha256 -verify informix.pem -signature <SIGNATUREFILENAME> <FILETOSIGN>

    -verify takes the public key *.pem file (informix.pem) provided with the release

    -signature takes the *.sig file provided with the release

    <FILETOSIGN> is the actual release .tar or .zip file provided with the release

  2. You can optionally verify the contents of the public key by comparing the contents of the informix.pem file with the output below:
    
    Note: Verification is optional; the package can be used even if you skip it.
    Note: The 14.10.xC10 and 14.10.xC10W1 media contain incorrect contents in the public key file, and their ".sig" file is base64-encoded and must be decoded before OpenSSL can verify it. Follow these additional steps to verify the signature file:

    • Copy the following public key into a file (either overwrite informix.pem or create a new file).
    • Decode the base64-encoded .sig file (SIGNATUREFILENAME) into a new file, fixed.sig (the trailing echo appends the final newline that the OpenSSL base64 decoder expects):
      (cat {SIGNATUREFILENAME} ; echo '') | openssl enc -d -base64 -out fixed.sig
    • Verify the decoded signature and the media file using the updated informix.pem (or the new key file from the first step above) with the following command:
      openssl dgst -sha256 -verify informix.pem -signature fixed.sig {FILETOSIGN}
    • Example: For Linux 14.10.FC10, with the new key saved as informix.pem.pub.key and the decoded signature saved as ibm.ids.14.10.FC10.LNX.tar.cosign.sig.new:
      $ openssl dgst -sha256 -verify ./informix.pem.pub.key -signature ibm.ids.14.10.FC10.LNX.tar.cosign.sig.new ibm.ids.14.10.FC10.LNX.tar
      Verified OK