Signature verification by using PGP

You can verify the integrity of files to ensure that they originated from IBM and are not modified.

About this task

You can use code signatures to verify that a downloaded file was created by IBM and that no bits in the file were changed. The signature files that are used are *.asc. The key/cert file is APICHURSLEY.pub.pgp.

Procedure

  1. Import the public key.
    $ gpg --import APICHURSLEY.pub.pgp
    gpg: key D43AB29897005BF2: public key "APICHURSLEY" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    $ gpg --list-key --fingerprint APICHURSLEY
    pub   rsa2048 2020-02-17 [SCEA]
          1467 C004 A754 4718 7C6B  19DF D43A B298 9700 5BF2
    uid           [ unknown] APICHURSLEY
    When the key is imported, it does not need to be imported again. The key is not signed (certified) by any key in your keyring, which is why gpg shows it as [ unknown ]; make a note of the fingerprint so that you can compare it later and make sure that the key is IBM's:
    1467 C004 A754 4718 7C6B 19DF D43A B298 9700 5BF2
  2. Verify the files.
    $ gpg --verify helper_files.zip.asc
    gpg: assuming signed data in 'helper_files.zip'
    gpg: Signature made Mon 28 Sep 17:35:17 2020 PDT
    gpg:                using RSA key D43AB29897005BF2
    gpg: Good signature from "APICHURSLEY" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 1467 C004 A754 4718 7C6B  19DF D43A B298 9700 5BF2
    The "Good signature" line shows that the signature was made by the imported key, and the "Primary key fingerprint" line shows that key's fingerprint, which must match the fingerprint you noted at import. The WARNING is expected: it means only that you have not certified the key yourself, not that the signature is bad:
    1467 C004 A754 4718 7C6B 19DF D43A B298 9700 5BF2
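    To automate the fingerprint comparison that steps 1 and 2 perform by eye, here is an added POSIX shell example (not part of the IBM documentation) that pins the fingerprint above and accepts a signature only when gpg's machine-readable status output (--status-fd) reports a VALIDSIG from that exact key. The sample status lines are constructed, not captured from a real run; only the key ID and fingerprint in them come from the procedure.

```shell
#!/bin/sh
# Pinned fingerprint of the APICHURSLEY key, copied from the procedure above
# with the spaces removed so it can be compared byte-for-byte.
EXPECTED_FPR="1467C004A75447187C6B19DFD43AB29897005BF2"

# Given gpg --status-fd output text in $1, return 0 only if gpg reported a
# valid signature (VALIDSIG) whose signing-key fingerprint equals the pinned
# one. A good signature from any other key fails, so a key that merely got
# imported into the keyring is not enough to pass.
check_status_output() {
    fpr=$(printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] || return 1
    [ "$fpr" = "$EXPECTED_FPR" ]
}

# Verify a signature file (for example helper_files.zip.asc) against the
# pinned fingerprint. Requires gpg and a keyring containing the imported key.
verify_pinned() {
    status=$(gpg --status-fd 1 --verify "$1" 2>/dev/null) || return 1
    check_status_output "$status"
}

# Constructed sample status lines: key ID and fingerprint are the ones shown in
# the procedure; the remaining VALIDSIG fields are placeholders in the
# documented field positions.
SAMPLE_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D43AB29897005BF2 APICHURSLEY
[GNUPG:] VALIDSIG 1467C004A75447187C6B19DFD43AB29897005BF2 2020-09-28 1601339717 0 4 0 1 8 00 1467C004A75447187C6B19DFD43AB29897005BF2
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample: a good signature, but from a different, unknown key.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 SOMEONE ELSE
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2020-09-28 1601339717 0 4 0 1 8 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample: a bad signature (gpg emits BADSIG and no VALIDSIG).
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG D43AB29897005BF2 APICHURSLEY'

# Stand-alone use: ./verify.sh helper_files.zip.asc
if [ -n "${1:-}" ]; then
    verify_pinned "$1" && echo "OK: signed by the pinned key" || { echo "FAIL: signature or key mismatch"; exit 1; }
fi
```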