Verify the RPM or DEB package signature
Validating the signed CCA Linux® on IBM® Z RPM or DEB files is a recommended action. The package signature itself (rpm -Kv, dpkg-sig --verify) can be checked at any time, even after the signing certificate has expired; only the OCSP status check described below is limited to the certificate's validity period.
The following instructions show how to verify the signature on an RPM or DEB package and how to tie the signing key back to the IBM certificate.
Public certificate files
The public key certificate files can be obtained at:
https://public.dhe.ibm.com/security/cryptocards/pciecc5/CCA/Z/
In the commands below, CertKeyAlias is a placeholder for the real name of the certificate files, PRD000861key:
- CertKeyAlias.pub.asc (PRD000861key.pub.asc)
- This is the ASCII-armored OpenPGP public key from IBM that is used to validate the RPM or DEB signature. The same RSA key is also carried in the X.509 certificate below, so the two can be cross-checked. GPG can be used to show the contents of the public key file.
- CertKeyAlias.pem.cer (PRD000861key.pem.cer)
- This is the X.509 certificate (PEM) for the same public key. It is required for validation with OpenSSL and shows, through its subject and issuer, that the key is owned by IBM and was issued by a public Certificate Authority.
- CertKeyAlias.pem.chain (PRD000861key.pem.chain)
- This file contains the issuing CA certificate chain. It is passed to openssl ocsp as the issuer and as the trusted responder certificate (-VAfile) to confirm that the certificate is active and not revoked. The OCSP check must be done during the certificate validity period; once the certificate expires, OCSP will no longer confirm that the certificate is valid.
Validate the signed RPM
Validate the signed RPM and certificate using the commands shown in this section.
These commands and instructions use placeholder names for the public key certificate and the RPM files that will be verified. Replace them with the real names of the files provided in the IBM release.
# Register the public key in the RPM trusted keyring.
# A successful rpm --import produces no output.
rpm --import <CertKeyAlias.pub.asc>
# Verify the RPM signature against the imported key.
# rpm -Kv exits non-zero if any signature or digest check fails.
rpm -Kv csulcca-8.2.51-03.s390x.rpm
Example command and output of rpm -Kv:
rpm -Kv csulcca-8.2.51-03.s390x.rpm
csulcca-8.2.51-03.s390x.rpm:
    Header V4 RSA/SHA256 Signature, key ID 6a27e37a: OK
    Header SHA1 digest: OK
    V4 RSA/SHA256 Signature, key ID 6a27e37a: OK
    MD5 digest: OK
Every line must end in OK. Also confirm that the key ID shown (6a27e37a in this example) is the ID of the IBM key you imported: OK only means the signature verifies against some key in the RPM keyring, so the key ID is what ties it to IBM. If the key has not been imported, rpm reports the signature as NOKEY rather than OK.
You can additionally validate the certificate with the Certificate Authority directly and check that the certificate contains the same public key that signed the RPM, using the following commands:
# This shows the certificate's subject (IBM), issuer, validity dates and public key.
openssl x509 -inform pem -in <CertKeyAlias.pem.cer> -noout -text
# GPG shows the content of the public key file. The -v is required: without it
# gpg prints only the key size, not the key material.
gpg -v --list-packets <CertKeyAlias.pub.asc>
Compare the RSA modulus and exponent of the OpenPGP key (pkey[0] and pkey[1] in the gpg listing) with the Modulus and Exponent in the Subject Public Key Info section of the certificate: they must be identical, which proves that the key that signed the RPM is the key certified to IBM. This comparison was done on Red Hat Enterprise Linux 8, but the certificate can be validated on any operating system with OpenSSL.
How to check that the certificate is not expired or revoked for a RHEL package:
You can check whether the certificate is active by using the following OCSP query. This OCSP verification must be done during the certificate validity period. Once the certificate expires, the response will no longer contain the message "Response verify OK".
openssl ocsp -no_nonce -issuer <CertKeyAlias.pem.chain> -cert <CertKeyAlias.pem.cer> \
    -VAfile <CertKeyAlias.pem.chain> \
    -text -url http://ocsp.digicert.com -respout ocsptest
Response verify OK
"Response verify OK" confirms that the OCSP response is authentic. Also check the "Cert Status:" line in the -text output: it must read "good", not "revoked" or "unknown".
You can check the certificate's validity period by using the following OpenSSL command:
# This shows the certificate details, including the IBM subject and the validity dates.
openssl x509 -inform pem -in <CertKeyAlias.pem.cer> -noout -text
Check the Validity section for the dates of use. An example of the section you want to check is:
Validity
Not Before: May 21 00:00:00 2024 GMT
Not After : May 21 23:59:59 2026 GMT
Validate the signed DEB
Use the following commands (dpkg-sig must be installed; it is a separate package, not part of dpkg):
## Import the .pub.asc into the local GPG keyring.
gpg --import CertKeyAlias.pub.asc
## Verify the .deb.
dpkg-sig --verify csulcca-8.2.51-03.s390x.deb
## Output shows GOODSIG for each signature if the public key is imported:
GOODSIG _gpgbuilder 35AE962D839CDF96C3EF1233DA928791238156D3 1669660775
GOODSIG _gpgbuilder0 35AE962D839CDF96C3EF1233DA928791238156D3 1669670436
## Output shows UNKNOWNSIG if the public key is not imported:
UNKNOWNSIG _gpgbuilder 238156D3
UNKNOWNSIG _gpgbuilder0 238156D3
The fingerprint shown after GOODSIG (and its last eight hex digits, 238156D3, shown after UNKNOWNSIG) must match the fingerprint of the imported IBM key (gpg --fingerprint).
As for the RPM, the OpenPGP key used for the DEB can be compared with the public key in the certificate, using the following commands:
# <CertKeyAlias>.pub.asc is ASCII-armored; dearmor it to get the binary packet file.
gpg --dearmor <CertKeyAlias>.pub.asc
# This gives us: <CertKeyAlias>.pub.asc.gpg
# -v is required to make gpg print the full key material.
gpg -v --list-packets <CertKeyAlias>.pub.asc.gpg
# This shows the certificate's subject (IBM), issuer, validity dates and public key.
openssl x509 -inform pem -in <CertKeyAlias>.pem.cer -noout -text
Compare the RSA modulus and exponent of the OpenPGP key (pkey[0] and pkey[1] in the gpg listing) with the Modulus and Exponent in the Subject Public Key Info section of the certificate: they must be identical. This comparison was done on Ubuntu 16 or later, but the certificate can be validated on any operating system with OpenSSL.
How to check that the certificate is not expired or revoked for a DEB package:
You can check whether the certificate is active by using the following OCSP query. This OCSP verification must be done during the certificate validity period. Once the certificate expires, the response will no longer contain the message "Response verify OK".
openssl ocsp -no_nonce -issuer <CertKeyAlias.pem.chain> -cert <CertKeyAlias.pem.cer> \
    -VAfile <CertKeyAlias.pem.chain> \
    -text -url http://ocsp.digicert.com -respout ocsptest
Response verify OK
"Response verify OK" confirms that the OCSP response is authentic. Also check the "Cert Status:" line in the -text output: it must read "good".
You can check the certificate's validity period by using the OpenSSL command below:
# This shows the certificate details, including the IBM subject and the validity dates.
openssl x509 -inform pem -in <CertKeyAlias.pem.cer> -noout -text
Check the Validity section for the dates of use. An example of the section you want to check is:
Validity
Not Before: May 21 00:00:00 2024 GMT
Not After : May 21 23:59:59 2026 GMT
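The key-to-certificate comparison that both the RPM and the DEB sections ask for is done by eye above. The script below is an added example, not IBM code: it extracts pkey[0] from gpg -v --list-packets (the -v is what makes gpg print the full MPI value), extracts the Modulus= line from openssl x509, normalizes both hex strings and compares them, then checks the validity window with openssl x509 -checkend and, if a chain file is given, runs the OCSP query from this page and requires both "Response verify OK" and a "good" status. It assumes gpg and openssl are on PATH; the file names on the usage line are the placeholders from this page, and the function names are the script's own.

```shell
#!/bin/sh
# Added example (not IBM code): confirm that the OpenPGP key in <CertKeyAlias>.pub.asc
# is the same RSA key as the one certified in <CertKeyAlias>.pem.cer, and that the
# certificate is currently valid. Assumes gpg and openssl are on PATH.
#
#   sh check_key.sh PRD000861key.pub.asc PRD000861key.pem.cer [PRD000861key.pem.chain]

# Canonical form of a hex number: drop colons and whitespace, upper-case,
# drop leading zero bytes, so "c9:a1" and "00C9A1" compare equal.
normalize_hex() {
    printf '%s' "$1" | tr -d ':[:space:]' | tr 'a-f' 'A-F' | sed 's/^\(00\)*//'
}

# RSA modulus (pkey[0]) of the first public-key packet in an armored or binary
# OpenPGP file. gpg prints the full value only with -v; otherwise it prints "[2048 bits]".
pgp_modulus() {
    gpg -v --list-packets "$1" 2>/dev/null \
        | awk '/^[[:space:]]*pkey\[0\]:/ { sub(/.*pkey\[0\]:[[:space:]]*/, ""); print; exit }'
}

# RSA modulus of the X.509 certificate; openssl prints "Modulus=<HEX>".
cert_modulus() {
    openssl x509 -inform pem -in "$1" -noout -modulus | sed 's/^Modulus=//'
}

# Returns 0 when both hex strings denote the same non-empty integer, 1 otherwise.
same_modulus() {
    a=$(normalize_hex "$1")
    b=$(normalize_hex "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Returns 0 when the certificate is valid now and for at least $2 more seconds (default 0).
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# The OCSP query from the IBM page. Succeeds only if the response is authentic
# ("Response verify OK") AND the status is "good" (not "revoked" or "unknown").
ocsp_good() {
    out=$(openssl ocsp -no_nonce -issuer "$2" -cert "$1" -VAfile "$2" \
              -text -url http://ocsp.digicert.com 2>&1)
    printf '%s\n' "$out" | grep -q 'Response verify OK' \
        && printf '%s\n' "$out" | grep -q 'Cert Status: good'
}

main() {
    pub=$1; cer=$2; chain=$3
    if same_modulus "$(pgp_modulus "$pub")" "$(cert_modulus "$cer")"; then
        echo "OK: key in $pub is the key certified in $cer"
    else
        echo "FAIL: key in $pub does not match the key in $cer" >&2
        return 1
    fi
    if cert_is_current "$cer" 0; then
        openssl x509 -in "$cer" -noout -dates
    else
        echo "WARNING: $cer is expired or not yet valid; OCSP cannot confirm it" >&2
        return 0
    fi
    if [ -n "$chain" ]; then
        if ocsp_good "$cer" "$chain"; then
            echo "OK: OCSP status is good"
        else
            echo "FAIL: OCSP did not return a verified 'good' status" >&2
            return 1
        fi
    fi
}

if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

The script compares only the modulus because, for RSA, equal moduli with a public exponent from the same CSR are the same key; if you also want the exponent, pkey[1] from the gpg listing must equal the hex value in the certificate's "Exponent:" line. It deliberately does not treat "Response verify OK" alone as success: that line only proves the OCSP response was signed by the expected responder, while the revocation answer is in the "Cert Status:" line.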