Verifying Liberty release packages
Verify the authenticity and integrity of a Liberty release package by using the corresponding signature file and the Liberty public key. A signature file is produced for every package of a Liberty release.
IBM® signs each Liberty release package with its private key. With the Liberty public key you can check the signature and confirm that the package was signed by IBM and was not modified after it was signed. The check is only as strong as your confidence in the public key itself, so obtain the key from the sources that IBM lists rather than from an untrusted copy.
In version 24.0.0.1 and later, the public key is distributed in a certificate (.cer) file, which you can also use to verify the authenticity of the Liberty public key before you use it.
For information about verifying Open Liberty packages on Maven Central, see Verify Open Liberty packages on Maven Central on the Open Liberty website.
Before you begin
Before you can verify a Liberty release package, you must obtain a release package, a signature file, and the Liberty public key. The following table describes the resources that you need to verify a Liberty release package and where to find them.
Resource | Description | Source |
---|---|---|
Liberty release package | A release package can be one of the following resources: | Obtain your release package from one of the following sources: |
Signature (.sig) file | IBM provides a signature file for each release package. You can use this file together with the Liberty public key to verify the digital signature of the package. | Your signature file is available from the same source that you download your release package from, either Passport Advantage or IBM Fix Central. |
Liberty public key | In versions before 24.0.0.1, the public key is a .pem file that corresponds to the Liberty private key that is used to sign each release package. In version 24.0.0.1 and later, the public key is embedded in a .cer file that corresponds to that private key. Optionally, you can use the .cer file to verify the authenticity of the Liberty public key. | For versions before 24.0.0.1, obtain the Liberty public key as a .pem file from one of the following sources: In version 24.0.0.1 and later, obtain the Liberty public key as a .cer file from one of the following sources: |
On z/OS, the package file must be tagged as text for the openssl command to correctly validate the file. Before you attempt to verify the release, run the following command to tag the package file as an ASCII text file:
chtag -tc ISO8859-1 23.0.0.2-WS-LIBERTY-ZOS-FP.zip
This example uses the 23.0.0.2-WS-LIBERTY-ZOS-FP.zip release package. Replace the file name according to the package file that you want to verify.
About this task
In the following task, steps 1 and 2 apply only to Liberty 24.0.0.1 and later. In these releases, the Liberty public key is embedded in a .cer file. You can use this file to verify the authenticity of the Liberty public key before you extract the key to a new .pem file, which you then use to verify the release package.
In versions before 24.0.0.1, the Liberty public key is available only as a .pem file. To verify a release package for these versions, skip to step 3.
In the following examples, replace the WebSphereLiberty_certificate and WebSphere_Liberty_release_package variables with the names of the certificate (or public key) file and the release package file that you are using.
Procedure
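The three steps that this task describes, as an added example that is not part of the IBM documentation: a POSIX shell script that uses openssl to inspect the certificate, extract the public key from the .cer file (steps 1 and 2), and verify the package against its .sig file (step 3). It assumes that the .sig file is a raw signature over the whole package file and that the signature digest is SHA-256; the IBM documentation may prescribe different options, so take the exact openssl flags from it. The fixture at the end (a throw-away key, self-signed certificate, package and signature) is constructed so that the script runs offline; it is not IBM's key or package, and the file names only mirror the WebSphereLiberty_certificate and WebSphere_Liberty_release_package placeholders used above.

```shell
#!/bin/sh
# Added example, not IBM's documented procedure. Assumptions (see lead-in):
#   - the .sig file is a raw (binary) signature over the whole package file,
#   - the signature digest is SHA-256,
#   - the .cer file is a PEM- or DER-encoded X.509 certificate.
set -eu

# Step 1: print what the certificate says about itself so the reader can compare
# subject, issuer and fingerprint with the values expected for IBM's certificate
# before trusting the key it carries.
inspect_certificate() {   # $1 = .cer file
  openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# Step 2 (24.0.0.1 and later): extract the public key embedded in the .cer file
# into a .pem file. Handles both PEM and DER encodings of the certificate.
extract_public_key() {    # $1 = .cer file, $2 = output .pem file
  if openssl x509 -in "$1" -noout 2>/dev/null; then
    openssl x509 -in "$1" -pubkey -noout > "$2"
  else
    openssl x509 -inform DER -in "$1" -pubkey -noout > "$2"
  fi
}

# Step 3: check the package against its signature with the public key.
# openssl prints "Verified OK" and returns 0 on success, "Verification Failure"
# and a non-zero status otherwise. For versions before 24.0.0.1, call this
# directly with the .pem file that IBM provides.
verify_package() {        # $1 = public key .pem, $2 = .sig file, $3 = package file
  openssl dgst -sha256 -verify "$1" -signature "$2" "$3"
}

# Steps 2 and 3 together. Returns 0 only if the package verifies; a bad key
# file, a tampered package or a wrong signature all fail the whole check.
verify_with_certificate() { # $1 = .cer, $2 = .sig, $3 = package
  keyfile=$(mktemp)
  extract_public_key "$1" "$keyfile"
  rc=0
  verify_package "$keyfile" "$2" "$3" || rc=$?
  rm -f "$keyfile"
  return $rc
}

# Constructed fixture: throw-away signing key, self-signed certificate, a fake
# "package" and its signature. Nothing here is IBM's key or package.
make_demo_fixture() {     # $1 = working directory
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/signer.key" \
    -out "$1/WebSphereLiberty_certificate.cer" -subj "/CN=demo-signer" -days 1 >/dev/null 2>&1
  printf 'constructed package contents, not a real Liberty release\n' \
    > "$1/WebSphere_Liberty_release_package.zip"
  openssl dgst -sha256 -sign "$1/signer.key" \
    -out "$1/WebSphere_Liberty_release_package.zip.sig" "$1/WebSphere_Liberty_release_package.zip"
}

# Runs the whole flow against the fixture: the genuine package must verify and
# the same package with one byte appended must not. Returns 0 when both
# outcomes are as expected.
demo_check() {
  dir=$(mktemp -d)
  make_demo_fixture "$dir"
  inspect_certificate "$dir/WebSphereLiberty_certificate.cer"
  good=1
  verify_with_certificate "$dir/WebSphereLiberty_certificate.cer" \
    "$dir/WebSphere_Liberty_release_package.zip.sig" \
    "$dir/WebSphere_Liberty_release_package.zip" && good=0
  printf 'x' >> "$dir/WebSphere_Liberty_release_package.zip"   # simulate tampering
  tampered=0
  verify_with_certificate "$dir/WebSphereLiberty_certificate.cer" \
    "$dir/WebSphere_Liberty_release_package.zip.sig" \
    "$dir/WebSphere_Liberty_release_package.zip" 2>/dev/null || tampered=1
  rm -rf "$dir"
  [ "$good" -eq 0 ] && [ "$tampered" -eq 1 ]
}

demo_check
```

With real files, call `verify_with_certificate WebSphereLiberty_certificate.cer WebSphere_Liberty_release_package.sig WebSphere_Liberty_release_package` for 24.0.0.1 and later, or `verify_package` with the .pem file for earlier versions; on z/OS, run the chtag command shown above on the package first. Treat anything other than a clean `Verified OK` as a failed check, and act on the certificate details the script prints in step 1 before you rely on the key at all.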
Results
If the signature is valid, the openssl command prints Verified OK. Any other result, such as Verification Failure, means that the package does not match the signature or that the key you used is not the one that produced the signature. Do not install a package that fails this check.