File hashes and code signatures are provided for IBM App Connect Enterprise release binary files and are used to validate that a download is not corrupted or tampered with.
From IBM Integration Bus 10.1.0.3, IBM App Connect Enterprise 11.0.0.24, and IBM App Connect Enterprise 12.0.10.1 onward, release binary files on Fix Central are hashed and signed. The hashes and signatures are used to verify that the file downloaded came from IBM, and is not corrupted or modified. The table shows the hashes and signatures available on each platform.
Platform | SHA-256 Hash | SHA-512 Hash | RSA SHA-256 signature (.sig file) | Microsoft Authenticode |
---|---|---|---|---|
AIX | Yes | Yes | Yes | No |
Linux | Yes | Yes | Yes | No |
Windows | Yes | Yes | Yes | Yes |
SHA-256 and SHA-512 hashes
SHA-256 and SHA-512 hashes are provided in files that end in .sha256 and .sha512 respectively. Hashes can be verified on any platform that has the necessary tools. You do not need to run the verification on the same machine you do the final installation on, though it is recommended. For example, you can use Microsoft Windows to verify the hashes of an AIX installation image.
On Linux and AIX, download the hash file into the same folder that contains the release archive, then run sha256sum -c or sha512sum -c with the hash file name as the argument to validate the release binary file.
For example, if the release archive is 12.0-ACE-LINUXX64-12.0.10.1.tar.gz, then the hash files are 12.0-ACE-LINUXX64-12.0.10.1.tar.gz.sha256 and 12.0-ACE-LINUXX64-12.0.10.1.tar.gz.sha512. Run sha256sum -c 12.0-ACE-LINUXX64-12.0.10.1.tar.gz.sha256 and sha512sum -c 12.0-ACE-LINUXX64-12.0.10.1.tar.gz.sha512 to validate the archive against the SHA-256 and SHA-512 hash files:
$ ls -1 .
12.0-ACE-LINUXX64-12.0.10.1.tar.gz
12.0-ACE-LINUXX64-12.0.10.1.tar.gz.sha256
12.0-ACE-LINUXX64-12.0.10.1.tar.gz.sha512
$ sha256sum -c 12.0-ACE-LINUXX64-12.0.10.1.tar.gz.sha256
12.0-ACE-LINUXX64-12.0.10.1.tar.gz: OK
$ sha512sum -c 12.0-ACE-LINUXX64-12.0.10.1.tar.gz.sha512
12.0-ACE-LINUXX64-12.0.10.1.tar.gz: OK
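The session above runs the two checks by hand. The script below is an added example, not IBM's own tooling: it wraps the same sha256sum -c and sha512sum -c calls in one function that succeeds only when both hash files are present and both report OK, and it shows the failure mode (a modified archive) that the page's output does not. The archive name demo-release.tar.gz and its contents are constructed for the demonstration; the hash files follow the page's naming (ARCHIVE.sha256, ARCHIVE.sha512).

```shell
#!/bin/sh
# Added example: verify a release archive against the .sha256 and .sha512 files
# shipped beside it, the way the page describes for Linux and AIX.

# verify_release_hashes ARCHIVE -> exit status 0 only if both hash files exist
# and both sha256sum -c and sha512sum -c report OK.
verify_release_hashes() {
  archive=$1
  dir=$(dirname "$archive"); name=$(basename "$archive")
  for f in "$archive.sha256" "$archive.sha512"; do
    [ -f "$f" ] || { echo "missing hash file: $f" >&2; return 1; }
  done
  # The hash file names the archive relative to its own location, so run the
  # checks from the archive's directory. sha*sum -c exits non-zero on a FAILED
  # line or when the named file cannot be opened.
  ( cd "$dir" && sha256sum -c "$name.sha256" && sha512sum -c "$name.sha512" ) >/dev/null 2>&1
}

# make_demo_archive: builds a constructed archive plus matching hash files in a
# temporary directory (hypothetical content, not an IBM release) and prints the
# archive path.
make_demo_archive() {
  dir=$(mktemp -d) || return 1
  name=demo-release.tar.gz
  printf 'constructed release payload\n' >"$dir/$name"
  ( cd "$dir" && sha256sum "$name" >"$name.sha256" && sha512sum "$name" >"$name.sha512" ) || return 1
  echo "$dir/$name"
}

# Demo run: an unmodified download passes; one appended byte is caught.
a=$(make_demo_archive) || exit 1
verify_release_hashes "$a" && echo "hashes OK"
printf 'x' >>"$a"
verify_release_hashes "$a" || echo "tampered archive: hash check FAILED (expected)"
```

The function deliberately changes into the archive's directory before running the checks, because the hash file records only the archive's base name; running sha256sum -c from elsewhere fails with a "No such file" error rather than a mismatch, which is easy to misread.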
On Windows, the PowerShell system utility can be used to validate the hashes. Launch a PowerShell command prompt, either from the Start menu or by running the powershell command in a regular command prompt window, and use the Get-FileHash function to compute the hashes of the archive. You can then compare them against the hash files:
PS C:\files> $sha256 = (Get-FileHash -Algorithm SHA256 .\12.0-ACE-WINX64-12.0.10.1.zip).Hash
PS C:\files> $sha512 = (Get-FileHash -Algorithm SHA512 .\12.0-ACE-WINX64-12.0.10.1.zip).Hash
PS C:\files> $expectedSha256 = (Get-Content .\12.0-ACE-WINX64-12.0.10.1.zip.sha256).Substring(0, 64)
PS C:\files> $expectedSha512 = (Get-Content .\12.0-ACE-WINX64-12.0.10.1.zip.sha512).Substring(0, 128)
PS C:\files> if ($sha256 -eq $expectedSha256) { Write-Output "SHA-256 check passed" } else { Write-Error "SHA-256 check failed" }
SHA-256 check passed
PS C:\files> if ($sha512 -eq $expectedSha512) { Write-Output "SHA-512 check passed" } else { Write-Error "SHA-512 check failed" }
SHA-512 check passed
RSA SHA-256 Signature (.sig file)
On Linux, Windows and AIX, a stand-alone cryptographic signature file is provided. The RSA SHA-256 signature is implemented by using the following files:
- .sig file - A binary file that contains the RSA SHA-256 PKCS#1 signature of the release archive.
- .pem file - An RSA public key encoded in the PEM format. This is the public key for the IBM private key that produced the .sig file.
- .cer file - A code signing certificate that is issued to IBM encoded in the PEM format. This certificate has the same public key that is in the .pem file.
- .chain file - A set of certificates encoded in the PEM format. These certificates provide the issuer chain for the .cer file and verify the chain of trust from IBM back to a known root certificate authority.
Note: The public key/certificate/issuer chain that is used might vary between platforms and releases. Ensure you are using the correct set of files for the verification to succeed. The certificates have a fixed expiry date, and after this time it might not be possible to completely verify the chain of trust. IBM does not re-issue signatures for releases once their corresponding certificate has expired.
Multiple tools can verify an RSA SHA-256 signature. The instructions below use the OpenSSL command line tool, which is available on all supported IIB/ACE platforms.
Use the following four-step process to validate the RSA SHA-256 signature. Pay close attention to which files are used in which steps. The output below is trimmed for brevity and is informational only. The actual certificate data, validity dates, and so on, vary.
- Verify the integrity of the release archive by using the signature and public key.
$ openssl dgst -verify 12.0-ACE-LINUXX64-12.0.10.1.tar.gz.pem \
    -keyform PEM \
    -sha256 \
    -signature 12.0-ACE-LINUXX64-12.0.10.1.tar.gz.sig \
    -binary 12.0-ACE-LINUXX64-12.0.10.1.tar.gz
Verified OK
- Show the public key information.
$ openssl rsa -in 12.0-ACE-LINUXX64-12.0.10.1.tar.gz.pem \
    -inform PEM -noout -pubin -text
Public-Key: (4096 bit)
Modulus:
    ...
Exponent: 65537 (0x10001)
- Show the details of the certificate, confirm that the subject is IBM, and that the public key matches the .pem file.
$ openssl x509 -in 12.0-ACE-LINUXX64-12.0.10.1.tar.gz.cer -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:4b:6d:f8:97:14:30:6a:12:50:f1:4c:5e:3b:d1:5d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
        Validity
            Not Before: Jan 13 00:00:00 2023 GMT
            Not After : Jul 25 23:59:59 2024 GMT
        Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM CCSS, CN = International Business Machines Corporation
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
...
The information listed under the "Subject Public Key Info" section here should show the same key size, modulus, and exponent as in step 2.
- Verify the status of the certificate by using the OCSP protocol. This must be done during the certificate validity period; after the certificate expires, the check does not work.
$ openssl ocsp -issuer 12.0-ACE-LINUXX64-12.0.10.1.tar.gz.chain \
    -cert 12.0-ACE-LINUXX64-12.0.10.1.tar.gz.cer \
    -VAfile 12.0-ACE-LINUXX64-12.0.10.1.tar.gz.chain \
    -no_nonce -text -url http://ocsp.digicert.com
...
Response verify OK
12.0-ACE-LINUXX64-12.0.10.1.tar.gz.cer: good
...
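Steps 1 and 3 above are manual: step 1 is a single command, but step 3 asks you to compare a modulus by eye. The script below is an added example, not IBM's tooling, that makes both checks mechanical and adds a chain check against a trust anchor (the .chain file provides the issuer chain; the anchor is supplied separately, because for a real download it should be the system root store rather than a file shipped beside the archive). It assumes the page's file layout (ARCHIVE, ARCHIVE.sig, ARCHIVE.pem, ARCHIVE.cer, ARCHIVE.chain); the demo CA, signer key, certificates and archive contents are all constructed for the example, and step 4 (OCSP) is omitted because it needs network access to the responder.

```shell
#!/bin/sh
# Added example: mechanical version of steps 1 and 3 plus a chain-of-trust check.
# Nothing here is an IBM key or certificate; the demo set is generated locally.

# verify_release_sig ARCHIVE TRUST_ANCHOR_PEM -> 0 only if every check passes.
verify_release_sig() {
  archive=$1; anchor=$2
  # Step 1: RSA SHA-256 PKCS#1 signature over the raw archive bytes.
  openssl dgst -sha256 -verify "$archive.pem" -keyform PEM \
    -signature "$archive.sig" -binary "$archive" >/dev/null 2>&1 || return 1
  # Chain of trust: the .cer must chain through the .chain intermediates to
  # the anchor. With a real download, pass the system CA bundle as the anchor.
  openssl verify -CAfile "$anchor" -untrusted "$archive.chain" \
    "$archive.cer" >/dev/null 2>&1 || return 1
  # Step 3: the public key inside the .cer must be the .pem key. Comparing the
  # DER-encoded SubjectPublicKeyInfo is exact, unlike reading the modulus.
  tmp=$(mktemp -d) || return 1
  rc=1
  if openssl x509 -in "$archive.cer" -noout -pubkey >"$tmp/cer.pub" 2>/dev/null \
     && openssl pkey -pubin -in "$tmp/cer.pub" -outform DER -out "$tmp/cer.der" 2>/dev/null \
     && openssl pkey -pubin -in "$archive.pem" -outform DER -out "$tmp/pem.der" 2>/dev/null \
     && cmp -s "$tmp/cer.der" "$tmp/pem.der"; then
    rc=0
  fi
  rm -rf "$tmp"
  return $rc
}

# make_demo_release: builds a constructed release set in a temporary directory
# with a throwaway CA and signer (hypothetical names). Prints the archive path;
# the CA certificate is written to ARCHIVE.ca and serves as the demo trust anchor.
make_demo_release() {
  dir=$(mktemp -d) || return 1
  a="$dir/demo-release.tar.gz"
  printf 'constructed release payload\n' >"$a"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=Demo Root CA (constructed)" \
    -days 1 -out "$a.ca" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/signer.key" 2>/dev/null
  openssl req -new -key "$dir/signer.key" -subj "/CN=Demo Signer (constructed)" \
    -out "$dir/signer.csr" 2>/dev/null
  openssl x509 -req -in "$dir/signer.csr" -CA "$a.ca" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$a.cer" 2>/dev/null
  cp "$a.ca" "$a.chain"          # one-link chain is enough for the demo
  openssl pkey -in "$dir/signer.key" -pubout -out "$a.pem"
  openssl dgst -sha256 -sign "$dir/signer.key" -out "$a.sig" "$a"
  echo "$a"
}

# Demo run: the constructed set verifies; one appended byte breaks step 1.
a=$(make_demo_release) || exit 1
verify_release_sig "$a" "$a.ca" && echo "signature, chain and key check: OK"
printf 'x' >>"$a"
verify_release_sig "$a" "$a.ca" || echo "tampered archive: verification FAILED (expected)"
```

The three checks are ordered so that the cheapest rejection comes first; a failed signature never reaches the certificate checks, and a certificate whose key differs from the .pem (a valid-looking .cer swapped in beside a signature made with some other key) is rejected by the DER comparison even when it chains correctly.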
Microsoft Authenticode signatures
Windows releases carry embedded digital signatures using the Windows Authenticode mechanism. For IBM Integration Bus for z/OS v10.1 and IBM App Connect Enterprise v11 the release download is a stand-alone installer executable, whereas for IBM App Connect Enterprise v12 it is a ZIP file containing the installer executable and .cab files. The installer executable and all the .cab files carry the embedded signatures. Authenticode signatures can be verified graphically by using Windows Explorer, or on the command line by using PowerShell. Unlike the other methods discussed, which work cross-platform, a Windows system must be used to validate Authenticode signatures.
Validating the Authenticode signatures by using Windows Explorer
To validate the signature on the installer:
- Open Windows Explorer and navigate to the folder where you downloaded the installer executable, or extracted the ZIP bundle.
- Right-click the installer executable and select "Properties".
- Click the Digital Signatures tab in the Properties window.
- Select the signature from the list and click "Details".
- Note the message stating "This digital signature is OK." and review the details of the signature to confirm that it is from IBM.
- Close the Digital Signature Details window and the Properties window for the ACE installer.
For IBM App Connect Enterprise v12.0, follow these additional steps for each .cab file included with the installer:
- Select a .cab file (Cabinet File) included with the installer, right click it and open its Properties window.
- Select the Digital Signatures tab in the .cab file Properties window.
- Select the digital signature from the list and click Details.
- Note the message stating "This digital signature is OK." and review the details of the signature to confirm that it is from IBM.
This completes the validation of the digital signatures for the Windows installer and its .cab files.
Validating the Authenticode signatures using PowerShell
Use the Get-AuthenticodeSignature command to get and validate the Authenticode signature for the installer. Check that the signer is IBM, that the Status is "Valid", and that the StatusMessage is "Signature verified."
PS C:\12.0.11-ACE-WINX64-FP0000> Get-AuthenticodeSignature .\ACESetup12.3651.11.0.exe | Format-List -Property *
SignerCertificate : [Subject]
CN=International Business Machines Corporation, OU=IBM CCSS, O=International Business Machines Corporation, L=Armonk, S=New York, C=US
[Issuer]
CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
[Serial Number]
044B6DF89714306A1250F14C5E3BD15D
[Not Before]
1/13/2023 12:00:00 AM
[Not After]
7/26/2024 12:59:59 AM
[Thumbprint]
1F5AACA95D61F3680A87DA00801B556564632CF3
TimeStamperCertificate : [Subject]
CN=DigiCert Timestamp 2023, O="DigiCert, Inc.", C=US
[Issuer]
CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA, O="DigiCert, Inc.", C=US
[Serial Number]
0544AFF3949D0839A6BFDB3F5FE56116
[Not Before]
7/14/2023 1:00:00 AM
[Not After]
10/14/2034 12:59:59 AM
[Thumbprint]
66F02B32C2C2C90F825DCEAA8AC9C64F199CCF40
Status : Valid
StatusMessage : Signature verified.
Path : C:\12.0.11-ACE-WINX64-FP0000\ACESetup12.3651.11.0.exe
SignatureType : Authenticode
IsOSBinary : False
For IBM App Connect Enterprise v12, use the same command to validate the Authenticode signature of each .cab file, for example:
PS C:\12.0.11-ACE-WINX64-FP0000> Get-AuthenticodeSignature .\ACEtk1.cab | Format-List -Property *
SignerCertificate : [Subject]
CN=International Business Machines Corporation, OU=IBM CCSS, O=International Business Machines Corporation, L=Armonk, S=New York, C=US
[Issuer]
CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
[Serial Number]
044B6DF89714306A1250F14C5E3BD15D
[Not Before]
1/13/2023 12:00:00 AM
[Not After]
7/26/2024 12:59:59 AM
[Thumbprint]
1F5AACA95D61F3680A87DA00801B556564632CF3
TimeStamperCertificate : [Subject]
CN=DigiCert Timestamp 2023, O="DigiCert, Inc.", C=US
[Issuer]
CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA, O="DigiCert, Inc.", C=US
[Serial Number]
0544AFF3949D0839A6BFDB3F5FE56116
[Not Before]
7/14/2023 1:00:00 AM
[Not After]
10/14/2034 12:59:59 AM
[Thumbprint]
66F02B32C2C2C90F825DCEAA8AC9C64F199CCF40
Status : Valid
StatusMessage : Signature verified.
Path : C:\12.0.11-ACE-WINX64-FP0000\ACEtk1.cab
SignatureType : Authenticode
IsOSBinary : False
Document Information
Modified date: 15 November 2023
UID: ibm17062338