Verifying Liberty release packages

Verify the authenticity and integrity of a Liberty release package by using the corresponding signature files and the Liberty public key. Signature files are produced for every package of a Liberty release.

IBM® uses its private key to digitally sign each Liberty release package. You can use the Liberty public key to check the signature and so verify that the package was released by IBM and has not been modified since it was released.

[24.0.0.1 and later] In version 24.0.0.1 and later, you can also verify the authenticity of the Liberty public key by using a certificate (.cer) file.

Open Liberty: For information about verifying Open Liberty packages on Maven Central, see Verify Open Liberty packages on Maven Central on the Open Liberty website.

Before you begin

Before you can verify a Liberty release package, you must obtain a release package, a signature file, and the Liberty public key. The following table describes the resources that you need to verify a Liberty release package and where to find them.

Table 1. Release verification resources

Resource: Liberty release package
Description: A release package can be one of the following resources:
  • A release archive file
  • An IBM Installation Manager repository
  • For z/OS platforms: An IBM Installation Manager portable installation for z/OS
Source: Obtain your release package from one of the following sources:
  • IBM Passport Advantage Online
    Passport Advantage customers can download the initial release of the product parts and the corresponding .sig files from Passport Advantage Online.
  • IBM Fix Central
    IBM Fix Central contains all fix packs and interim fixes for the product and the corresponding .sig files for each release.

Resource: Signature (.sig) file
Description: IBM provides a signature file for each release package. You use this file together with the Liberty public key to verify the digital signature of the package.
Source: Your signature file is available from the same source that you download your release package from, either Passport Advantage or IBM Fix Central. Always take the .sig file from the same release and the same source as the package itself.

Resource: Liberty public key
Description: In versions before 24.0.0.1, the public key is a .pem file that corresponds to the Liberty private key that is used to sign each release package.
[24.0.0.1 and later] In version 24.0.0.1 and later, the public key is embedded in a .cer file that corresponds to the Liberty private key that is used to sign each release package. Optionally, you can use the .cer file to verify the authenticity of the Liberty public key.
Source: For versions before 24.0.0.1, obtain the Liberty public key as a .pem file from one of the following sources:
[24.0.0.1 and later] In version 24.0.0.1 and later, obtain the Liberty public key as a .cer file from one of the following sources:

For z/OS platforms. Note: On z/OS systems, the .sig, .cer and .pem files must arrive byte-for-byte unchanged (the .cer and .pem files are ASCII text and the .sig file is raw binary), so transfer them to z/OS as binary files so that no EBCDIC code page conversion is applied. You might also need to tag the package file that you want to verify as an ASCII text file for the openssl command to read the file correctly. Before you attempt to verify the release, run the following command to tag the package file as an ASCII text file:
chtag -tc ISO8859-1 23.0.0.2-WS-LIBERTY-ZOS-FP.zip
This example uses the 23.0.0.2-WS-LIBERTY-ZOS-FP.zip release package. Replace the file name with the name of the package file that you want to verify.

About this task

[24.0.0.1 and later] In the following task, steps 1 and 2 apply only to Liberty 24.0.0.1 and later releases. In these releases, the Liberty public key is embedded in a .cer file. You can use this file to verify the authenticity of the Liberty public key before you extract it to a new .pem file, which you then use to verify the release package.

In versions before 24.0.0.1, the Liberty public key is available only as a .pem file. To verify a release package for these versions, skip to step 3.

In the following examples, replace the WebSphereLiberty_certificate and WebSphere_Liberty_release_package placeholders with the names of the public key (or certificate) file and the release package file that you are using.

Procedure

  1. [24.0.0.1 and later] Verify the authenticity of the Liberty public key.

    In version 24.0.0.1 and later, the Liberty public key is embedded in the .cer file. Before you extract the key, inspect the certificate to confirm that it was issued to IBM. Run the following OpenSSL command from the directory that contains the .cer file:

    openssl x509 -text -in WebSphereLiberty_certificate.pem.cer
    This command decodes and displays the certificate; it does not by itself validate the certificate chain. In the output, check that the Subject names International Business Machines Corporation, that the Issuer is a DigiCert code-signing CA, and that the Validity period covers the date on which the package was released. To have OpenSSL check the chain cryptographically rather than by inspection, run openssl verify -CAfile with the issuing DigiCert CA certificates, obtained from DigiCert, as the trust anchor. If the certificate has since expired, as the Not After date in the following example shows, openssl verify reports that unless you pass -attime with a time inside the validity period; the package signature check in step 3 is unaffected, because openssl dgst -verify uses only the public key and does not evaluate certificate validity dates.
    The console displays output that is similar to the following example:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                05:27:40:1b:0d:4a:60:3a:ac:61:e0:d7:20:0d:77:ed
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
            Validity
                Not Before: Jan 13 00:00:00 2023 GMT
                Not After : Jun 26 23:59:59 2024 GMT
            Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM CCSS, CN = International Business Machines Corporation
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
                    Modulus:
    ...
    
    -----END CERTIFICATE-----
  2. [24.0.0.1 and later] Extract the Liberty public key from the .cer file.

    The Liberty public key is embedded in the .cer file. To extract the key to a new .pem file, run the following command from the directory that contains the .cer file:

    openssl x509 -inform PEM -in WebSphereLiberty_certificate.pem.cer -pubkey -noout > WebSphereLiberty_certificate.pem

    You can now use the .pem file to verify the release package.

  3. Verify the authenticity and integrity of the release package.

    Navigate to the directory that contains the release package, the corresponding .sig file, and the .pem file (for version 24.0.0.1 and later, the .pem file that you extracted in step 2). Run the following command to verify the release package:

    openssl dgst -sha256 -verify WebSphereLiberty_certificate.pem -signature WebSphere_Liberty_release_package.zip.sig WebSphere_Liberty_release_package.zip

Results

If the verification succeeds, the command prints the following console output and exits with status 0:
Verified OK
If the package or the .sig file was altered, or the .pem file does not hold the key that signed the package, the command prints a verification failure message (the exact wording differs between OpenSSL versions) and exits with a nonzero status. In scripts, test the exit status rather than the printed text, and do not install a package that fails verification.
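The following script is an added example and is not IBM's code: it runs the three steps of the procedure end to end against a locally generated, self-signed certificate that stands in for the DigiCert-issued WebSphereLiberty_certificate.pem.cer, so it can be tried offline. The signer key, the "package" and its .sig file are constructed on the spot; the file names, the Example Signer subject and the helper names are assumptions for the demonstration. It also shows the two checks the page's steps imply but do not spell out: validating the certificate against a trust anchor with openssl verify, and treating a modified package as a hard failure by exit status.

```shell
#!/bin/sh
# Added example, not IBM's code: a dry run of the Liberty package verification
# steps against a throwaway self-signed certificate that stands in for the
# DigiCert-issued WebSphereLiberty_certificate.pem.cer. No IBM material is used.
set -u

# check_cert CAFILE CERT
# Step 1, done cryptographically: validate CERT against a trust anchor file
# instead of only reading its Subject/Issuer. For a real package, CAFILE holds
# the issuing CA chain obtained out of band from the CA.
check_cert() {
    openssl verify -CAfile "$1" "$2" > /dev/null 2>&1
}

# cert_subject CERT: print the Subject so the operator can confirm whom the
# certificate names before trusting the key (what step 1's -text dump is for).
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# verify_package CERT SIG PACKAGE
# Steps 2 and 3: extract the public key from the .cer into a .pem, then check
# the detached SHA-256 RSA signature over PACKAGE. Returns openssl's exit
# status: 0 only when the signature matches. Rely on that status, not on
# grepping the console text, which differs between OpenSSL versions.
verify_package() {
    cert=$1; sig=$2; pkg=$3
    pub=$(mktemp) || return 2
    openssl x509 -inform PEM -in "$cert" -pubkey -noout > "$pub" || { rm -f "$pub"; return 2; }
    openssl dgst -sha256 -verify "$pub" -signature "$sig" "$pkg" > /dev/null 2>&1
    rc=$?
    rm -f "$pub"
    return $rc
}

# ---- constructed fixture: a throwaway signer, a fake package and its .sig ----
FIXTURE=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/C=US/O=Example Signer/CN=Example Signer" \
    -keyout "$FIXTURE/signer.key" -out "$FIXTURE/signer.cer" > /dev/null 2>&1
printf 'stand-in for 24.0.0.1-WS-LIBERTY-FP.zip\n' > "$FIXTURE/package.zip"
# The private key signs the SHA-256 digest of the package, as IBM's key does.
openssl dgst -sha256 -sign "$FIXTURE/signer.key" \
    -out "$FIXTURE/package.zip.sig" "$FIXTURE/package.zip"
# A copy altered after signing: the same .sig must no longer verify against it.
printf 'stand-in for 24.0.0.1-WS-LIBERTY-FP.zip.\n' > "$FIXTURE/tampered.zip"

cert_subject "$FIXTURE/signer.cer"
check_cert "$FIXTURE/signer.cer" "$FIXTURE/signer.cer" \
    && echo "certificate: chains to the trust anchor" || echo "certificate: NOT trusted"
verify_package "$FIXTURE/signer.cer" "$FIXTURE/package.zip.sig" "$FIXTURE/package.zip" \
    && echo "package.zip: Verified OK" || echo "package.zip: verification FAILED"
verify_package "$FIXTURE/signer.cer" "$FIXTURE/package.zip.sig" "$FIXTURE/tampered.zip" \
    && echo "tampered.zip: unexpectedly verified" || echo "tampered.zip: rejected as expected"
```

To use the same functions on a real download, point check_cert at the DigiCert CA chain and the IBM .cer file, and verify_package at the .cer, the .sig file and the package downloaded from Passport Advantage or Fix Central; the fixture directory is left in place under the path that mktemp chose so that the generated files can be inspected.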