[MQ 9.3.0 Jun 2022]

IBM MQ code signatures

From IBM® MQ 9.3.0, downloadable .zip, and .tar.gz files are signed. Installable .rpm and .deb files are also signed. Where possible the signature is embedded in the file. For file formats that do not allow this, a separate .sig file is made available containing the signatures and the public keys to verify them.

IBM MQ public certificates, checksums, and .sig files are available from https://ibm.biz/mq93signatures.

*.zip files

IBM MQ deliverables in .zip file form contain an embedded digital signature that can be verified by using a recent Java™ Development Kit (JDK) as shown in the following example:
jarsigner -certs -verify 9.2.4.0-IBM-MQC-Redist-Java.zip
	jar verified.
Note: More details, including the signer, can be found by running with the verbose option.

*.tar.gz files

IBM MQ deliverables in *.tar.gz file form are signed by IBM MQ and their digital signatures are provided in the extra downloadable package. To verify a file's signature, use openssl as shown in the following example for 9.2.4.0-IBM-MQC-Redist-LinuxX64.tar.gz:
openssl dgst -sha256 -verify ibm_mq_public.pem -signature 9.2.4.0-IBM-MQC-Redist-LinuxX64.tar.gz.sig 9.2.4.0-IBM-MQC-Redist-LinuxX64.tar.gz
Verified OK 

*.rpm

The IBM-provided RPMs are signed with a digital signature, and systems will not recognize the signing key without it being authorized. Obtain the IBM MQ public signing gpg key from the extra downloadable package and install it into rpm. This only needs to be done once per system.
rpm --import ibm_mq_public.pgp
The validity of any of the IBM MQ RPMs can then be verified, for example:
# rpm -Kv MQSeriesRuntime-9.2.4-0.x86_64.rpm
MQSeriesRuntime-9.2.4-0.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 0209b828: OK
    Header SHA1 digest: OK
    V3 RSA/SHA256 Signature, key ID 0209b828: OK
    MD5 digest: OK
Note: If you skip this step, then a harmless warning might be issued during RPM installation to indicate there is a signature but the system does not recognize the signing key, for example:
warning: MQSeriesRuntime-9.2.4-0.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 0209b828: NOKEY

*.deb

The IBM provided debian type packages are signed with an embedded digital signature. To verify a package you will need the IBM MQ public signing gpg key from the additional package, and the “debsigs” operating system package installed.
  1. Import the gpg key and identify its gpg key value:
    # gpg --import ibm_mq_public.pgp
    gpg: keybox '/root/.gnupg/pubring.kbx' created
    gpg: /root/.gnupg/trustdb.gpg: trustdb created
    gpg: key D2D53B4E0209B828: public key "IBM MQ signing key <psirt@us.ibm.com>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    

    From this, the key value would be D2D53B4E0209B828 and the certificate alias would be “IBM MQ signing key <psirt@us.ibm.com>”. The following instructions use those values – replace them with the ones calculated from your import.

  2. Export the certificate alias into the system keyrings:
    mkdir /usr/share/debsig/keyrings/D2D53B4E0209B828/
    cd /usr/share/debsig/keyrings/D2D53B4E0209B828/
    gpg --output IBMMQ.bin --export "IBM MQ signing key <psirt@us.ibm.com>"
    
  3. Set up the system to enable a signing policy for this key:
    mkdir /etc/debsig/policies/D2D53B4E0209B828/
    cd /etc/debsig/policies/D2D53B4E0209B828/
    
    Create a file called IBM-MQ.pol in this directory with the following contents. Note that only the ‘id’ fields need changing to the key value from step 1.
    <?xml version="1.0"?>
    <!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
    <Policy xmlns="https://www.debian.org/debsig/1.0/">
      <Origin Name="IBM MQ signing key" id="D2D53B4E0209B828" Description="IBM MQ signing key"/>
      <Selection>
        <Required Type="origin" File="IBMMQ.bin" id="D2D53B4E0209B828"/>
      </Selection>
      <Verification MinOptional="0">
        <Required Type="origin" File="IBMMQ.bin" id="D2D53B4E0209B828"/>
      </Verification>
    </Policy>
    
  4. Validate packages individually using the debsig-verify utility:
    # debsig-verify ibmmq-runtime_9.2.4.0_amd64.deb
    debsig: Verified package from 'IBM MQ signing key' (IBM MQ signing key)
    
Note: Whilst it is possible to configure dpkg to verify signatures during installation, this is not advisable as it will cause dpkg to reject the installation of unsigned Debian files.