Code signing Db2 images on and after February 28th, 2023

Code signing is the process of digitally signing files so that users can confirm who published the software and that it has not been altered since it was signed. A valid signature is proof that the file has not been corrupted or tampered with.

Before you begin

Note: Db2 11.5 images posted on Fix Central before February 28th, 2023 may be signed using the deprecated code signing software. That software uses different verification commands and must be used when the signature file and public key do not contain the keyword cosign. For more information, see Code signing Db2 packages released before February 28th, 2023.

About this task

To verify your Db2 install image, three files are required from Fix Central:
  • The install image.
  • The signature file.
  • The public key.
The following code block shows the files needed after February 28th, 2023, which includes the public key publicKey.cosign.pem:
v11.5.8_linuxx64_server_dec.tar.gz               (install image)
v11.5.8_linuxx64_server_dec.tar.gz.cosign.sig    (signature file)
publicKey.cosign.pem                             (public key)
Once these files are located, the signature can be verified in two steps with openssl. To verify that openssl is installed, run which openssl from your Linux terminal. To download openssl, go to https://www.openssl.org/.
Note: openssl is an open source tool that is included with most Linux OS distributions. There is no specific version requirement for it.

Procedure

  1. Decode the signature file:
    openssl enc -d -A -base64 -in <Signature File> -out <Decoded Signature File>
  2. Verify the Db2 install image:
    openssl dgst -verify <public key> -keyform PEM -sha256 -signature <Decoded Signature File> -binary <Install Image>
    The command returns either Verified OK, which indicates that the image is safe to use, or Verification Failure. If a verification failure is returned, contact IBM.

Example

The following example shows the command syntax for decoding the signature file v11.5.8_linuxx64_server_dec.tar.gz.cosign.sig:

openssl enc -d -A -base64 -in v11.5.8_linuxx64_server_dec.tar.gz.cosign.sig -out v11.5.8_linuxx64_server_dec.tar.gz.cosign_decode.sig

The following example shows the command syntax for verifying the install image v11.5.8_linuxx64_server_dec.tar.gz, the signature file v11.5.8_linuxx64_server_dec.tar.gz.cosign_decode.sig, and the public key publicKey.cosign.pem:
openssl dgst -verify publicKey.cosign.pem -keyform PEM -sha256 -signature v11.5.8_linuxx64_server_dec.tar.gz.cosign_decode.sig -binary v11.5.8_linuxx64_server_dec.tar.gz
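The two steps above wrapped into one reusable shell check, added here as an example and not IBM's own tooling. The names verify_db2_image and demo_verify_roundtrip are assumed; the demo generates its own RSA key pair and a constructed stand-in image in place of publicKey.cosign.pem and the real install image, and also shows that a tampered image is rejected.

```shell
#!/bin/sh
# Added example, not IBM's tooling. Assumed function names; the demo uses a
# self-generated key pair and a constructed image rather than the real files.
set -u

# verify_db2_image IMAGE SIG_BASE64 PUBKEY
# Returns 0 when openssl reports "Verified OK", 1 on any decode or verify failure.
verify_db2_image() {
  image=$1; sig=$2; pubkey=$3
  decoded=$(mktemp) || return 1
  # Step 1: the .cosign.sig file is one base64 line; -A decodes it as a single line.
  if ! openssl enc -d -A -base64 -in "$sig" -out "$decoded" 2>/dev/null; then
    rm -f "$decoded"; return 1
  fi
  # Step 2: check the SHA-256 signature against the raw (-binary) image bytes.
  if openssl dgst -verify "$pubkey" -keyform PEM -sha256 \
       -signature "$decoded" -binary "$image" >/dev/null 2>&1; then
    rm -f "$decoded"; return 0
  fi
  rm -f "$decoded"; return 1
}

# Demo: sign a constructed image with a throwaway key, then verify both the
# genuine file and a copy with one appended byte. Returns 0 only when the
# genuine image passes and the tampered one fails.
demo_verify_roundtrip() {
  work=$(mktemp -d) || return 1
  printf 'constructed stand-in for a Db2 install image\n' > "$work/image.tar.gz"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/priv.pem" 2>/dev/null || return 1
  openssl pkey -in "$work/priv.pem" -pubout -out "$work/publicKey.cosign.pem" 2>/dev/null || return 1
  # Produce the same layout as Fix Central: raw signature, base64-encoded on one line.
  openssl dgst -sha256 -sign "$work/priv.pem" "$work/image.tar.gz" |
    openssl enc -A -base64 -out "$work/image.tar.gz.cosign.sig"
  cp "$work/image.tar.gz" "$work/tampered.tar.gz"
  printf 'x' >> "$work/tampered.tar.gz"
  if verify_db2_image "$work/image.tar.gz" "$work/image.tar.gz.cosign.sig" \
       "$work/publicKey.cosign.pem"; then good=0; else good=1; fi
  if verify_db2_image "$work/tampered.tar.gz" "$work/image.tar.gz.cosign.sig" \
       "$work/publicKey.cosign.pem"; then bad=0; else bad=1; fi
  rm -rf "$work"
  [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}
```

For a real download, call verify_db2_image with the install image, the .cosign.sig file and publicKey.cosign.pem, and treat any nonzero exit the way the procedure treats Verification Failure.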