Verifying the RPM installation package
Verify the integrity of the RPM installation package.
First, use the preinstalled sha256sum checksum tool to verify that the checksum for the RPM file matches the checksum that is provided in the Release Notes.
- Go to the Release Notes for the release or fix pack that you are installing. Get the checksum value.
- Log in as root on the console.
- Run the sha256sum checksum tool:
sha256sum ibm-safer-payments-6_7_x_x.x86_64.rpm
- Verify that the tool's output is the same as the checksum that is given in the Release Notes.
Next, use OpenSSL to verify that the RPM installation package has been signed by IBM. Optionally, verify the certificate and public key.
- Verify the RPM's digital signature using the signature file and the public key.
openssl dgst -sha256 -verify SP-signing.pem.pub.key -signature ibm-safer-payments-6_7_x_x.x86_64.rpm.raw.sig ibm-safer-payments-6_7_x_x.x86_64.rpm
- The output should be:
Verified OK
- Verify that the public key comes from the provided certificate (optional).
- Extract the public key from the certificate:
openssl x509 -noout -pubkey -in SP-signing.pem.cer
- Compare to the content of:
cat SP-signing.pem.pub.key
- Verify the signing certificate (optional).
- Verify the certificate that was used to sign the software:
openssl x509 -inform pem -in SP-signing.pem.cer -noout -subject -issuer -startdate -enddate
- The output should be:
subject=C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM CCSS, CN = International Business Machines Corporation
issuer=C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
notBefore=Jan 24 00:00:00 2023 GMT
notAfter=Oct 9 23:59:59 2024 GMT
- Verify that the certificate has not been revoked:
openssl ocsp -no_nonce -issuer SP-signing.pem.chain -cert SP-signing.pem.cer -VAfile SP-signing.pem.chain -text -url http://ocsp.digicert.com
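The checks above can be combined into one fail-closed function so that no single step is skipped before the package is installed. This is an added example, not a script shipped with IBM Safer Payments; it uses the file names from this page, takes the expected checksum from the Release Notes as an argument, and compares the extracted certificate key to the key file with a string comparison instead of by eye.

```shell
#!/bin/sh
# Added example (not IBM's own tooling): runs the page's checksum,
# signature, and public-key checks in order and stops at the first failure.
# Arguments: expected sha256 (from the Release Notes), RPM, detached
# signature, public key file, and optionally the signing certificate.
verify_rpm_package() {
    expected_sum="$1"   # value published in the Release Notes
    rpm="$2"            # e.g. ibm-safer-payments-6_7_x_x.x86_64.rpm
    sig="$3"            # e.g. ibm-safer-payments-6_7_x_x.x86_64.rpm.raw.sig
    pubkey="$4"         # e.g. SP-signing.pem.pub.key
    cert="$5"           # e.g. SP-signing.pem.cer (may be empty)

    # 1. The file's checksum must match the published one.
    actual_sum=$(sha256sum "$rpm" | cut -d' ' -f1)
    if [ "$actual_sum" != "$expected_sum" ]; then
        echo "checksum mismatch: expected $expected_sum, got $actual_sum" >&2
        return 1
    fi

    # 2. The detached signature must verify against the public key
    #    (this is the "Verified OK" step from the page).
    if ! openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$rpm" >/dev/null 2>&1; then
        echo "signature verification failed for $rpm" >&2
        return 2
    fi

    # 3. Optional: the key file must be the key embedded in the certificate.
    if [ -n "$cert" ]; then
        cert_key=$(openssl x509 -noout -pubkey -in "$cert") || return 3
        file_key=$(cat "$pubkey")
        if [ "$cert_key" != "$file_key" ]; then
            echo "public key file does not match certificate $cert" >&2
            return 3
        fi
    fi

    echo "all checks passed for $rpm"
    return 0
}
```

The certificate validity and OCSP revocation checks from the page are still run separately, since they need network access and the issuer chain file.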