Verifying signature of IBM Spectrum Scale packages

All IBM Spectrum Scale packages for Red Hat® Enterprise Linux® and SLES operating systems on all supported architectures are signed with a GPG (GNU Privacy Guard) key by IBM. The repository metadata is also signed by IBM. You can verify that an IBM Spectrum Scale package and the repository metadata are signed by IBM® as follows.
The public key is located in a file that is called SpectrumScale_public_key.pgp and this file is present in the IBM Spectrum® Scale installation images that can be downloaded from IBM Fix Central. For the latest version of the public key, see IBM Spectrum Scale FAQ in IBM Documentation.

If you are using the installation toolkit, no additional steps are required. The installation toolkit checks the signature of each package and the repository metadata automatically before installation or upgrade.

For manual installation or upgrade, if you do not want to verify that the packages are signed, no additional steps are required. The signed packages function the same as the unsigned packages. If you want to manually verify that the packages are signed by IBM, do the following steps.

  1. Import the public key into the RPM database.
    rpm --import SpectrumScale_public_key.pgp
  2. Confirm that the public key is imported into the RPM database.
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n%{INSTALLTIME:date}\n%{SUMMARY}\n\n' | grep SpectrumScale
  3. Check the package's signature.
    rpm -K PackageName

    You can check the signature of more than one package by using wildcard characters. For example:

    rpm -K *.rpm
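
When reading the output of step 3, note that rpm -K also reports OK for a package that carries no signature at all, as long as its digests match. The following script is an added example, not part of the IBM documentation: it classifies each rpm -K output line so that unsigned packages are not mistaken for verified ones. The function names and the sample lines are constructed for illustration, and the script assumes the two common output formats ("digests signatures OK" on rpm 4.14 and later, "rsa sha1 (md5) pgp md5 OK" on older releases).

```shell
#!/bin/sh
# Added example: classify `rpm -K` output so that "digests OK" (no signature
# present) is not read as a successful signature check.

# Constructed sample output; the package names are placeholders.
SAMPLE_OUTPUT='pkg-signed.rpm: digests signatures OK
pkg-unsigned.rpm: digests OK
pkg-nokey.rpm: digests SIGNATURES NOT OK
pkg-old-signed.rpm: rsa sha1 (md5) pgp md5 OK'

# Read `rpm -K` output on stdin and print "<STATUS> <file>" for each line.
classify_rpm_k() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        file=${line%%: *}      # text before the first ": "
        result=${line#*: }     # text after the first ": "
        case "$result" in
            *"NOT OK"*) status=FAILED ;;   # bad signature or key not imported
            *OK)
                # A signature was checked only if a signature token is listed.
                case " $result " in
                    *" signatures "*|*" rsa "*|*" dsa "*|*" pgp "*|*" gpg "*)
                        status=SIGNED ;;
                    *)  status=UNSIGNED ;; # digests matched, nothing signed
                esac ;;
            *) status=UNKNOWN ;;
        esac
        printf '%s %s\n' "$status" "$file"
    done
}

# Succeed only if stdin holds at least one line and every line is SIGNED.
all_signed() {
    awk '$1 != "SIGNED" { bad = 1 } END { exit (NR == 0 || bad) }'
}

# Run the check on real packages, for example: check_signed *.rpm
check_signed() {
    report=$(LC_ALL=C rpm -K "$@" | classify_rpm_k)
    printf '%s\n' "$report"
    printf '%s\n' "$report" | all_signed
}
```

A SIGNED result means only that the signature verified against some key in the RPM database, so step 2 is still needed to confirm that the imported key is the IBM Spectrum Scale key.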