Verify digital signatures

To verify that your IBM Passport Advantage software download is valid and has been signed by IBM, follow these steps.

About this task

Each package for Passport Advantage contains:
  • Signed RPM package
  • Leaf certificate
  • Certificate chain
  • Public key
  • GPG public key
You use the GPG public key to verify the digital signatures.

Table 1. Example part downloaded from Passport Advantage

Name                                   Description
nasm-inventory-2.12.0-22.x86_64.rpm    Signed RPM package
PRD0003610key.pem.cer                  Leaf certificate
PRD0003610key.pem.chain                Certificate chain
PRD0003610key.pem.pub.key              Public key
PRD0003610key.pub.asc                  GPG public key

Procedure

  1. Add the GPG public key to the rpm database.
    In the following example, the public key obtained as part of the download package is 'PRD0003610key.pub.asc'.
    sudo rpm --import PRD0003610key.pub.asc
    
  2. Examine the IBM Netcool ASM Signing Key.
    Use the following example command:
    rpm -qi gpg-pubkey-687351a9-64011942
    
    Example system output:
    Name        : gpg-pubkey
    Version     : 687351a9
    Release     : 64011942
    Architecture: (none)
    Install Date: Mon 13 Mar 2023 16:28:51 GMT
    Group       : Public Keys
    Size        : 0
    License     : pubkey
    Signature   : (none)
    Source RPM  : (none)
    Build Date  : Thu 02 Mar 2023 21:46:42 GMT
    Build Host  : localhost
    Relocations : (not relocatable)
    Packager    : IBM Netcool ASM Signing Key <psirt@us.ibm.com>
    Summary     : gpg(IBM Netcool ASM Signing Key <psirt@us.ibm.com>)
    
  3. Verify the signed RPM package.
    rpm --checksig nasm-inventory-2.12.0-22.x86_64.rpm 
    
    Output:
    nasm-inventory-2.12.0-22.x86_64.rpm: digests signatures OK
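
The following script is an added example, not part of the IBM procedure. It wraps steps 2 and 3 so that a download is accepted only when the checksig line reports a verified signature (an unsigned package reports only "digests OK") and the package's signing key ID ends with the gpg-pubkey Version from step 2. The function names are hypothetical, and the parsing assumes the output format shown above; any other format is rejected.

```shell
#!/bin/sh
# Added example: fail-closed wrapper around the rpm checks in steps 2 and 3.

# classify_checksig LINE
# LINE is one line of `rpm --checksig` output in the format shown above.
# Prints "signed" only when a signature was actually verified.
classify_checksig() {
    result=${1##*: }                    # status text after the last ": "
    case "$result" in
        *"NOT OK"*)       echo "failed" ;;    # bad digest, bad signature or missing key
        *"signatures OK") echo "signed" ;;
        *"digests OK")    echo "unsigned" ;;  # digests match, but nothing was signed
        *)                echo "failed" ;;    # unknown format: do not trust it
    esac
}

# signer_matches SIGLINE KEY_ID
# SIGLINE is the "Signature" line printed by `rpm -qpi PACKAGE`; KEY_ID is the
# gpg-pubkey Version from step 2 (the last 8 hex digits of the key ID).
signer_matches() {
    sig=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$sig" in
        *"key id "*"$want") return 0 ;;
        *)                  return 1 ;;
    esac
}

# verify_rpm PACKAGE KEY_ID: status 0 only for a package signed by that key.
verify_rpm() {
    line=$(rpm --checksig "$1" 2>&1) || true
    [ "$(classify_checksig "$line")" = "signed" ] || { echo "REJECT: $line" >&2; return 1; }
    sigline=$(rpm -qpi "$1" 2>/dev/null | grep '^Signature') || true
    signer_matches "$sigline" "$2" || { echo "REJECT: unexpected signer: $sigline" >&2; return 1; }
    echo "OK: $1 is signed by key $2"
}

# Usage: sh verify.sh nasm-inventory-2.12.0-22.x86_64.rpm 687351a9
if [ "$#" -eq 2 ]; then verify_rpm "$1" "$2"; fi
```

Passing the full 16-digit key ID instead of the 8-digit short form also works and is less prone to collisions.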