Verify the RPM or DEB package signature

Validating the signature on the CCA Linux® on IBM® Z RPM or DEB files is recommended and can be done at any time, even after the certificate expires.

The following instructions show how to verify the signature on an RPM or DEB package.

Note: These commands work even after the certificate has expired. They offer no protection against a certificate that has been revoked because of a possible compromise, so check the live IBM site for the current public certificate files to ensure that you are relying on the active certificates.

Public certificate files

The public key certificate files can be obtained at:

https://public.dhe.ibm.com/security/cryptocards/pciecc5/CCA/Z/

In the instructions below, CertKeyAlias is a placeholder for the real name of the certificate files: PRD0000861key.

CertKeyAlias.pub.asc (PRD000861key.pub.asc)
This is the public key file from IBM that is used to validate the RPM. It is in the form of a certificate that can be validated against a Certificate Authority. GPG can be used to show the contents of the public key file.
CertKeyAlias.pem.cer (PRD000861key.pem.cer)
This public key file is required for validation with OpenSSL to show the certificate is owned by IBM.
CertKeyAlias.pem.chain (PRD000861key.pem.chain)
This public key file verifies that the certificate is active by means of using OCSP verification. The verification must be done during the certificate validity period. Once the certificate expires, it will not verify that the certificate is valid.

Validate the signed RPM

Validate the signed RPM and certificate using the commands shown in this section.

These commands and instructions use general names for the public key certificate and the RPM files that will be verified. These names resolve to the real names of the public key files provided in the IBM release.

# Register the public key in the RPM trusted store (done both at IBM and at the customer site).
# A correctly working rpm --import command produces no output when the public key is imported.

rpm --import <CertKeyAlias.pub.asc>

# Verify the RPM signature (done both at IBM and at the customer site).

rpm -Kv csulcca-8.2.51-03.s390x.rpm

Example command and output of rpm -Kv

rpm -Kv csulcca-8.2.51-03.s390x.rpm

csulcca-8.2.51-03.s390x.rpm:
Header V4 RSA/SHA256 Signature, key ID 6a27e37a: OK
Header SHA1 digest: OK
V4 RSA/SHA256 Signature, key ID 6a27e37a: OK
MD5 digest: OK

You can additionally validate the RPM with the certificate authority directly and check that the certificate contains the public key using the following commands:


# This shows that the certificate is owned by IBM.
openssl x509 -inform pem -in <CertKeyAlias.pem.cer> -noout -text

# GPG shows the content of the public key file.
gpg -v --list-packets <CertKeyAlias.pub.asc>

Compare the exponent or data of the public key and the certificate to see that the public key is indeed the one within the certificate. This exponent or data can be compared on Red Hat Enterprise Linux 8, but the certificate can be validated on any operating system with OpenSSL.

How to check if the certificate is not expired for a RHEL package:

You can check whether the certificate is active by using the following command. This OCSP verification must be done during the certificate validity period. Once the certificate expires, the message Response verify OK is no longer shown.

openssl ocsp -no_nonce -issuer <CertKeyAlias.pem.chain> -cert <CertKeyAlias.pem.cer> \
             -VAfile <CertKeyAlias.pem.chain> \
             -text -url http://ocsp.digicert.com -respout ocsptest

Response verify OK  

You can check if a certificate is valid by using the following OpenSSL command:


# This shows that the certificate is owned by IBM.
openssl x509 -inform pem -in <CertKeyAlias.pem.cer> -noout -text

Check the validity section for the dates of use. An example of the section you want to check is:

Validity
         Not Before: May 21 00:00:00 2024 GMT
         Not After : May 21 23:59:59 2026 GMT

Validate the signed DEB

Use the following commands:


## Import the .pub.asc into the local server's GPG keyring.
gpg --import CertKeyAlias.pub.asc

## Verify the .deb
dpkg-sig --verify csulcca-8.2.51-03.s390x.deb

## Shows GOODSIG if the public key has been imported.
GOODSIG _gpgbuilder 35AE962D839CDF96C3EF1233DA928791238156D3 1669660775
GOODSIG _gpgbuilder0 35AE962D839CDF96C3EF1233DA928791238156D3 1669670436

## Shows UNKNOWNSIG if the public key has not been imported.
UNKNOWNSIG _gpgbuilder 238156D3
UNKNOWNSIG _gpgbuilder0 238156D3

Note: Starting with Ubuntu 24.04, the dpkg-sig command is no longer available. Because the CCA 8.2 DEB package is signed with dpkg-sig, only Ubuntu versions up to 22.04 are supported; the debsigs and debsig-verify commands remain available for verification.

The DEB package can be validated with the public key, and the public key can be compared with the certificate exponent or data using the following commands:


# Since <CertKeyAlias>.pub.asc is ASCII-armored, dearmor it first.
gpg --dearmor <CertKeyAlias>.pub.asc

# This produces <CertKeyAlias>.pub.asc.gpg; list the packets of the binary key file.
gpg -v --list-packets <CertKeyAlias>.pub.asc.gpg

# This shows that the certificate is owned by IBM.
openssl x509 -inform pem -in <CertKeyAlias>.pem.cer -noout -text

Compare the exponent or data of the public key and the certificate to see that the public key is indeed the one within the certificate. This exponent or data can be compared on Ubuntu 16 or later, but the certificate can be validated on any operating system with OpenSSL.
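The comparison step described here and in the RPM section above (matching the public key's modulus against the key inside the certificate) can be scripted. The script below is an added example and is not part of the IBM instructions; it assumes openssl and gpg are installed, that the key is RSA, that gpg -v --list-packets prints the full modulus as pkey[0], and that the real PRD...key file names are passed in place of the CertKeyAlias placeholders.

```shell
#!/bin/sh
# Added example, not from the IBM page: automates the "compare the exponent
# or data" step by extracting the RSA modulus from the X.509 certificate
# (OpenSSL) and from the OpenPGP key file (gpg -v --list-packets), then
# comparing the two numbers. Works on the armored .pub.asc or the dearmored
# .pub.asc.gpg; the file names used are the page's placeholders.

# Normalise one hex value: drop the tool's label ("Modulus=" / "pkey[0]:"),
# any 0x prefix, whitespace, letter case and leading zero padding, so the
# formatting differences between OpenSSL and GnuPG do not matter.
norm_hex() {
    printf '%s' "$1" \
      | sed -e 's/^[^=:]*[=:]//' -e 's/0[xX]//' \
      | tr -d ' \t\r\n' | tr 'a-f' 'A-F' | sed 's/^0*//'
}

# Returns 0 when both strings denote the same non-empty number, 1 otherwise.
hex_equal() {
    a=$(norm_hex "$1"); b=$(norm_hex "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# "Modulus=<hex>" of the RSA public key certified in the PEM certificate.
cert_modulus() {
    openssl x509 -inform pem -in "$1" -noout -modulus
}

# "pkey[0]: <hex>" of the first public-key packet; -v makes gpg print the
# full MPI (pkey[0] is n, pkey[1] is e). Verbose chatter goes to stderr.
gpg_modulus() {
    gpg -v --list-packets "$1" 2>/dev/null | awk '/pkey\[0\]:/ { print; exit }'
}

# Exits 0 only if the key in the .pub.asc is the key inside the certificate.
# Usage: key_matches_cert CertKeyAlias.pub.asc CertKeyAlias.pem.cer
key_matches_cert() {
    if hex_equal "$(cert_modulus "$2")" "$(gpg_modulus "$1")"; then
        echo "OK: public key modulus matches the certificate"
    else
        echo "MISMATCH: key file and certificate carry different RSA moduli" >&2
        return 1
    fi
}

if [ $# -eq 2 ]; then key_matches_cert "$1" "$2"; fi
```

A mismatch means the .pub.asc you imported is not the key that the IBM certificate vouches for, so the rpm or dpkg-sig result should not be trusted until the correct key file is obtained from the IBM site.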

How to check if the certificate is not expired for a Deb package

You can check whether the certificate is active by using the following command. This OCSP verification must be done during the certificate validity period. Once the certificate expires, the message Response verify OK is no longer shown.

openssl ocsp -no_nonce -issuer <CertKeyAlias.pem.chain> -cert <CertKeyAlias.pem.cer> \
             -VAfile <CertKeyAlias.pem.chain> \
             -text -url http://ocsp.digicert.com -respout ocsptest

Response verify OK  

You can check whether a certificate is valid by using the following OpenSSL command:


# This shows that the certificate is owned by IBM.
openssl x509 -inform pem -in <CertKeyAlias.pem.cer> -noout -text

Check the validity section for the dates of use. An example of the section you want to check is:

Validity
         Not Before: May 21 00:00:00 2024 GMT
         Not After : May 21 23:59:59 2026 GMT