Installation package verification
The IBM® Installation Manager installation packages are signed so that you can confirm the validity of the package. You can verify that the package is really from IBM and that it does not differ from the signed package.
The package that you want to install can be verified by using the Java™ jarsigner tool. This tool is part of the Java developer kit and is not included in the Java Runtime Environment (JRE) that is provided. For more information about the jarsigner tool, see the Java documentation.
For example, you can use the Java developer kit that comes with WebSphere® Application Server to run the tool to verify the installation packages. The following example shows the command syntax to use to verify a package:
WebSphereApplicationServer_install_directory\java\bin\jarsigner -verify -verbose -certs <Installation package .zip file name>
To verify the package, use the messages that are output by the tool. Ensure that the signer certificate is from IBM and is signed by a trusted authority. Also, look for a JAR verified message near the end of the output.
The following example shows output from verifying the Digital Payments installation package. The primary messages to use to verify the package are shown in bold.
sm 8012 Wed Jun 17 00:14:24 EDT 2020 silent/ftmDP_install.rsp
[entry was signed on 6/17/20, 12:41 AM]
>>> Signer
X.509, CN=International Business Machines Corporation, OU=IBM CCSS, O=International Business Machines Corporation, L=Armonk, ST=New York, C=US
[certificate is valid from 6/11/20, 8:00 PM to 6/16/22, 8:00 AM]
X.509, CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
[certificate is valid from 10/22/13, 8:00 AM to 10/22/28, 8:00 AM]
X.509, CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
[trusted certificate]
>>> TSA
X.509, CN=TIMESTAMP-SHA256-2019-10-15, O="DigiCert, Inc.", C=US
[certificate is valid from 9/30/19, 8:00 PM to 10/16/30, 8:00 PM]
X.509, CN=DigiCert SHA2 Assured ID Timestamping CA, OU=www.digicert.com, O=DigiCert Inc, C=US
[certificate is valid from 1/7/16, 7:00 AM to 1/7/31, 7:00 AM]
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
- Signed by "CN=International Business Machines Corporation, OU=IBM CCSS, O=International Business Machines Corporation, L=Armonk, ST=New York, C=US"
Digest algorithm: SHA-256
Signature algorithm: SHA256withRSA, 2048-bit key
Timestamped by "CN=TIMESTAMP-SHA256-2019-10-15, O="DigiCert, Inc.", C=US" on Wed Jun 17 04:41:59 UTC 2020
Timestamp digest algorithm: SHA-256
Timestamp signature algorithm: SHA256withRSA, 2048-bit key
jar verified.
The signer certificate will expire on 2022-06-16.
The timestamp will expire on 2030-10-16.
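The three checks described above (signer is IBM, signer chain reaches a trusted certificate, and a jar verified message is present) can be applied to saved jarsigner output with a short script. This is an added example, not IBM code; the function names and the expected subject fields are assumptions taken from the sample output on this page.

```python
import re

# Assumption: expected signer fields, copied from the sample output on this page.
EXPECTED_SIGNER = {"CN": "International Business Machines Corporation",
                   "O": "International Business Machines Corporation"}

def parse_dn(dn):
    """Split a distinguished name into a dict; handles quoted values like O="DigiCert, Inc."."""
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,]*)', dn)
    return {key: value.strip().strip('"') for key, value in pairs}

def check_jarsigner_output(text, expected=EXPECTED_SIGNER):
    """Return a list of problems; an empty list means all three checks passed."""
    problems, blocks, current = [], [], None
    lines = [ln.strip() for ln in text.splitlines()]
    for ln in lines:
        if ln == ">>> Signer":                      # start of a signer chain
            current = {"leaf": None, "trusted": False}
            blocks.append(current)
        elif current is not None and ln.startswith("X.509, "):
            if current["leaf"] is None:             # first certificate is the signer
                current["leaf"] = parse_dn(ln[len("X.509, "):])
        elif current is not None and ln == "[trusted certificate]":
            current["trusted"] = True
        elif not ln.startswith("["):                # >>> TSA, next entry or summary
            current = None                          # TSA chain must not count as signer
    if "jar verified." not in lines:
        problems.append("missing 'jar verified.' message")
    if not blocks:
        problems.append("no signer certificate chain in output")
    for block in blocks:
        leaf = block["leaf"] or {}
        if any(leaf.get(k) != v for k, v in expected.items()):
            problems.append("unexpected signer: %s" % leaf.get("CN"))
        if not block["trusted"]:
            problems.append("signer chain does not reach a trusted certificate")
    return problems

# Abridged copy of the sample output shown on this page.
SAMPLE = """\
sm 8012 Wed Jun 17 00:14:24 EDT 2020 silent/ftmDP_install.rsp
>>> Signer
X.509, CN=International Business Machines Corporation, OU=IBM CCSS, O=International Business Machines Corporation, L=Armonk, ST=New York, C=US
X.509, CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
X.509, CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
[trusted certificate]
>>> TSA
jar verified.
"""
```

Pass the function the text printed by the jarsigner command shown earlier. The subject-name match is only meaningful together with the trusted-chain check, because a self-signed certificate can carry any subject name.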