Verifying the RPM installation package

Verify the integrity of the RPM installation package.

First, use the preinstalled sha256sum checksum tool to verify that the checksum for the RPM file matches the checksum that is provided in the Release Notes.

  1. Go to the Release Notes for the release or fix pack that you are installing. Get the checksum value.
  2. Log in as root on the console.
  3. Run the sha256sum checksum tool:
    sha256sum ibm-safer-payments-6_7_x_x.x86_64.rpm
  4. Verify that the tool's output is the same as the checksum that is given in the Release Notes.

Next, use OpenSSL to verify that the RPM installation package has been signed by IBM. Optionally, verify the certificate and public key.

  1. Verify the RPM's digital signature against the provided signature file, using the provided public key.
    openssl dgst -sha256 -verify SP-signing.pem.pub.key -signature ibm-safer-payments-6_7_x_x.x86_64.rpm.raw.sig ibm-safer-payments-6_7_x_x.x86_64.rpm
  2. The output should be:
    Verified OK
  3. Verify that the public key comes from the provided certificate (optional).
    1. Extract the public key from the certificate:
      openssl x509 -noout -pubkey -in SP-signing.pem.cer
    2. Compare the output with the content of the provided public key file; the two must be identical:
      cat SP-signing.pem.pub.key
  4. Verify the signing certificate (optional).
    1. Verify the certificate that was used to sign the software:
      openssl x509 -inform pem -in SP-signing.pem.cer -noout -subject -issuer -startdate -enddate
    2. The output should be:
      subject=C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM CCSS, CN = International Business Machines Corporation
      issuer=C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
      notBefore=Jan 24 00:00:00 2023 GMT
      notAfter=Oct 9 23:59:59 2024 GMT
    3. Verify that the certificate has not been revoked:
      openssl ocsp -no_nonce -issuer SP-signing.pem.chain -cert SP-signing.pem.cer -VAfile SP-signing.pem.chain -text -url http://ocsp.digicert.com
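The following script is an added example, not part of the IBM documentation or of the Safer Payments product. It wraps the checksum, signature and key-to-certificate checks above in shell functions and runs them against a constructed fixture (a throwaway RSA key, a self-signed certificate and a dummy package file generated on the fly) so that it can be exercised offline; the file names `SP-signing.pem.cer`, `SP-signing.pem.pub.key` and `<rpm>.raw.sig` follow the page, while the fixture key, certificate subject and package contents are invented. In a real run the fixture is replaced by the files shipped by IBM and the checksum taken from the Release Notes.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: the checks from this page wrapped in
# shell functions, plus a CONSTRUCTED fixture (throwaway RSA key, self-signed
# certificate, dummy package) so the script runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed fixture

# Step 1: sha256sum output must equal the value from the Release Notes.
check_sha256() {          # check_sha256 FILE EXPECTED_HEX
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# Step 2: the detached signature must verify against the published public key.
check_signature() {       # check_signature PUBKEY SIGFILE FILE
    openssl dgst -sha256 -verify "$1" -signature "$2" "$3" 2>/dev/null \
        | grep -qx 'Verified OK'
}

# Step 3 (optional): the published public key must be the key in the certificate.
check_pubkey_matches_cert() {   # check_pubkey_matches_cert CERT PUBKEY
    openssl x509 -noout -pubkey -in "$1" | cmp -s - "$2"
}

# Step 4 (optional): print the certificate fields for comparison with the page.
cert_details() {          # cert_details CERT
    openssl x509 -inform pem -in "$1" -noout -subject -issuer -startdate -enddate
}

# Run every offline check on one package; non-zero exit means "do not install".
verify_package() {        # verify_package DIR RPM EXPECTED_HEX
    dir=$1; rpm=$2; expected=$3
    check_sha256 "$dir/$rpm" "$expected" \
        || { echo "FAIL: checksum mismatch for $rpm" >&2; return 1; }
    check_signature "$dir/SP-signing.pem.pub.key" "$dir/$rpm.raw.sig" "$dir/$rpm" \
        || { echo "FAIL: signature does not verify for $rpm" >&2; return 1; }
    check_pubkey_matches_cert "$dir/SP-signing.pem.cer" "$dir/SP-signing.pem.pub.key" \
        || { echo "FAIL: public key is not the certificate's key" >&2; return 1; }
    echo "OK: $rpm passed checksum, signature and key checks"
}

# Constructed fixture: NOT IBM's key or certificate, generated fresh each run.
make_fixture() {          # make_fixture DIR -> prints the expected checksum
    dir=$1
    printf 'constructed dummy payload, not a real RPM\n' > "$dir/pkg.rpm"
    openssl genrsa -out "$dir/signing.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/signing.key" -days 1 \
        -subj '/CN=constructed test signer' -out "$dir/SP-signing.pem.cer" 2>/dev/null
    openssl x509 -noout -pubkey -in "$dir/SP-signing.pem.cer" > "$dir/SP-signing.pem.pub.key"
    openssl dgst -sha256 -sign "$dir/signing.key" -out "$dir/pkg.rpm.raw.sig" "$dir/pkg.rpm"
    sha256sum "$dir/pkg.rpm" | awk '{ print $1 }'
}

# Demo: verify the fixture, then tamper with the package and verify again.
if [ "${1:-}" = "demo" ]; then
    expected=$(make_fixture "$WORK")
    verify_package "$WORK" pkg.rpm "$expected"
    printf 'tampered\n' >> "$WORK/pkg.rpm"
    verify_package "$WORK" pkg.rpm "$expected" || echo "tampered package correctly rejected"
fi
```

Run it as `sh verify.sh demo` to see a clean package pass and a tampered one fail at the checksum step. The revocation check from step 4.3 is deliberately not wrapped here because `openssl ocsp` needs network access to the responder; run it separately after the offline checks pass, and also confirm that the `notBefore`/`notAfter` window printed by `cert_details` covers the date the package was signed.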