Verifying the integrity of IBM product files

You can verify the integrity of files to ensure that they originated from IBM and have not been modified.

Before you begin

Import the public key so you can use it to verify files. You only need to import the public key once.

  1. Install gpg (GNU Privacy Guard), available at https://www.gnupg.org/.

  2. Create a file called PRD0003216key.pub.gpg and copy the following content into the file:
    
  3. Run the following command to import the public key to gpg:
    gpg --import PRD0003216key.pub.gpg

    For example:

    $ gpg --import PRD0003216key.pub.gpg
    gpg: key 020ED6B5DBE65F3B: public key "APIConnect <psirt@us.ibm.com>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1

  4. Run the following command to verify that the key was imported successfully:
    gpg --list-key --fingerprint APIConnect

    Make sure that the output of the command matches the following information:

    $ gpg --list-key --fingerprint APIConnect
    pub   rsa4096 2023-02-28 [SCE]
          39ED 1634 5FCD EDB5 D6ED  E860 020E D6B5 DBE6 5F3B
    uid           [ unknown] APIConnect <psirt@us.ibm.com>

Procedure

Complete the following steps to verify product files for API Connect:

  1. Visit IBM Fix Central and download the appropriate signatures_<version>.zip file for the version of API Connect that you will install or upgrade to.

    Extract the signatures_<version>.zip file to the folder containing the files that you want to verify.

  2. Verify each API Connect file by checking its signature and comparing the fingerprint of the signing key with the fingerprint of the public key that you imported.

    To verify a file, run the following command:

    gpg --verify <file_to_verify>.asc

    For example, to verify helper_files.zip, ensure that it is stored in the same folder as the signatures file and run the following command:

    gpg --verify helper_files.zip.asc

    Example of a successful verification:

    $ gpg --verify helper_files.zip.asc
    gpg: assuming signed data in 'helper_files.zip'
    gpg: Signature made Mon 28 Sep 17:35:17 2020 PDT
    gpg:                using RSA key 39ED16345FCDEDB5D6EDE860020ED6B5DBE65F3B
    gpg: Good signature from "APIConnect <psirt@us.ibm.com>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 39ED 1634 5FCD EDB5 D6ED  E860 020E D6B5 DBE6 5F3B

    Example of a failed verification:

    gpg: assuming signed data in 'helper_files.zip'
    gpg: Signature made Tue 11 Jul 2023 09:28:02 PM PDT
    gpg:                using RSA key 39ED16345FCDEDB5D6EDE860020ED6B5DBE65F3B
    gpg: BAD signature from "APIConnect <psirt@us.ibm.com>" [unknown]
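
The check in step 2 can be scripted for every file in the folder. The following is an added example, not part of IBM's documentation: it reads gpg's machine-readable status output and accepts a file only when the signature is valid and was made by the key whose fingerprint is listed under "Before you begin", which matters because gpg reports "Good signature" for any key in the local keyring. The names sig_status_ok, verify_dir and verify_all.sh are assumptions introduced here, and the script assumes GnuPG 2.x, where the VALIDSIG status line ends with the primary key fingerprint.

```shell
#!/bin/sh
# Added example, not IBM's script. Verifies every detached signature in a folder
# and requires the signing key to be the one whose fingerprint this page lists.
EXPECTED_FPR="39ED16345FCDEDB5D6EDE860020ED6B5DBE65F3B"

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line ends
# with the expected primary-key fingerprint and no failure status was reported.
sig_status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && $NF == want { good = 1 }
        END { exit ((good && !bad) ? 0 : 1) }
    '
}

# Checks each <file>.asc in the folder against <file>; returns non-zero if any fails.
verify_dir() {
    dir=$1
    failed=0
    for sig in "$dir"/*.asc; do
        [ -e "$sig" ] || continue            # folder has no .asc files
        file=${sig%.asc}
        if gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null |
            sig_status_ok "$EXPECTED_FPR"; then
            echo "OK    $file"
        else
            echo "FAIL  $file"
            failed=1
        fi
    done
    return "$failed"
}

# Usage: sh verify_all.sh <folder containing the files and extracted signatures>
if [ "$#" -gt 0 ]; then
    verify_dir "$1"
fi
```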