Code signing Db2 images released before February 28th, 2023

Code signing is the process of digitally signing files to assure users that the Db2 software performs as intended. It acts as proof that the file has not been tampered with or corrupted.

Before you begin

Note: As of February 28th, 2023, the code signing software that is used in this procedure is deprecated. Db2 11.5 images on Fix Central that were posted before this date can still be signed using the deprecated code signing software. For code signing Db2 11.5.8 and later versions, see Code signing Db2 images on and after February 28th, 2023.

About this task

To verify your Db2 install image, three files are required from Fix Central:
  • The install image.
  • The signature file.
  • The public key.

The following code block shows the files needed before February 28th, 2023, including the public key publicKey.pem:

v11.5.7_linuxx64_server_dec.tar.gz         (install image)
v11.5.7_linuxx64_server_dec.tar.gz.sig     (signature file)
publicKey.pem                              (public key)

Once these files are located, the signature can be verified in two steps with openssl. To verify that openssl is installed, run which openssl from your Linux terminal. To download openssl, go to https://www.openssl.org/.
Note: openssl is an open source tool that is included with most Linux OS distributions. There is no specific version requirement for it.

Procedure

  1. Run the following command to verify the install image against the signature file by using the public key:
    openssl dgst -sha256 -verify <Public Key> -signature <Signature File> <Install Image>
    The command returns either Verified OK, which indicates that the image is safe to use, or Verification Failure.
  2. If a verification failure is returned, contact IBM.

Example

The following example shows the command syntax for verifying the install image v11.5.7_linuxx64_server_dec.tar.gz, the signature file v11.5.7_linuxx64_server_dec.tar.gz.sig, and the public key publicKey.pem:
openssl dgst -sha256 -verify publicKey.pem -signature v11.5.7_linuxx64_server_dec.tar.gz.sig v11.5.7_linuxx64_server_dec.tar.gz
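
The procedure above wrapped in a script, as an added example that is not part of the original documentation: it decides on the exit status of openssl rather than on the printed message, and reports a missing or empty download separately from a failed signature. The function names, the return codes 0/1/2 and the throwaway RSA key pair used for a self-test are assumptions made for this example.

```shell
#!/bin/sh
# Added example: gate use of a Db2 install image on the openssl verification result.

# verify_db2_image <public key> <signature file> <install image>
# Returns 0 if the signature verifies, 1 if it does not, 2 if an input is unusable.
verify_db2_image() {
    pubkey=$1; sig=$2; image=$3
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    for f in "$pubkey" "$sig" "$image"; do
        # A missing or empty file is a download problem, not a signature verdict.
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done
    # Decide on the exit status; the printed message is informational only.
    if openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$image" >/dev/null 2>&1; then
        echo "OK: $image matches $sig"
        return 0
    fi
    echo "FAILED: do not install $image" >&2
    return 1
}

# make_constructed_sample <dir>
# Builds throwaway test inputs: a constructed RSA key pair, a stand-in "image"
# and its signature. None of this is the vendor's key or a real Db2 image.
make_constructed_sample() {
    d=$1
    openssl genrsa -out "$d/private.pem" 2048 2>/dev/null &&
    openssl rsa -in "$d/private.pem" -pubout -out "$d/publicKey.pem" 2>/dev/null &&
    printf 'constructed stand-in for an install image\n' > "$d/image.tar.gz" &&
    openssl dgst -sha256 -sign "$d/private.pem" -out "$d/image.tar.gz.sig" "$d/image.tar.gz"
}

# Stand-alone use: sh verify.sh publicKey.pem <image>.sig <image>
if [ "$#" -eq 3 ]; then
    verify_db2_image "$1" "$2" "$3"
fi
```

Call verify_db2_image before extracting the archive, and stop the install on any nonzero return.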