Verifying signature of IBM Storage Archive Enterprise Edition packages

How to verify that IBM Storage Archive Enterprise Edition packages are signed by IBM.

Starting from 1.3.3.0, IBM Storage Archive Enterprise Edition packages are signed by IBM® with a GPG (GNU Privacy Guard) key. The public key is in a file called StorageArchive_public_key.pgp, which is present in the IBM Storage Archive Enterprise Edition installation images, or it is separately available from IBM Fix Central.
Note: The HSM component is signed with a different public key.

IBM Storage Archive Enterprise Edition packages are installed by the ltfsee_install command. The ltfsee_install command imports the public key into the RPM database automatically at installation or upgrade, and no additional steps are required.

If you want to manually verify that the packages are signed by IBM, do the following steps:
  1. Confirm that the public key is imported into the RPM database.
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE} %{INSTALLTIME:date} %{SUMMARY}\n' |grep "IBM CISO RPM"
  2. Check the package's signature.
    rpm -K PackageName
You can check the signature of more than one package by using wildcard characters. For example:
    rpm -K *.rpm
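When reading the result of step 2, note that in common rpm releases rpm -K also prints OK for a package that has valid digests but carries no signature, so confirm that the output names a verified signature. The following script is an added example, not IBM's code: the function names and sample output lines are constructed, and the output formats it recognizes are an assumption based on common rpm releases.

```shell
#!/bin/sh
# Added example: function names and sample lines are constructed.

# Classify one line of `rpm -K` output.
# Prints one of: signed-ok | unsigned | bad
classify_rpm_k_line() {
    result=${1#*: }                    # drop the leading "filename: "
    case "$result" in
        *"NOT OK"*)  echo bad ;;       # failed digest or signature, or key not imported
        *signatures*OK|*pgp*OK|*gpg*OK)
                     echo signed-ok ;; # a signature was present and verified
        *OK)         echo unsigned ;;  # digests only: integrity, but no proof of origin
        *)           echo bad ;;       # unrecognized output: fail closed
    esac
}

# Read `rpm -K` output on stdin, print a verdict per line, and return
# non-zero unless every package carries a verified signature.
check_rpm_k_output() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_rpm_k_line "$line")
        printf '%-10s %s\n' "$verdict" "$line"
        [ "$verdict" = signed-ok ] || rc=1
    done
    return $rc
}

# Real use:  rpm -K *.rpm 2>&1 | check_rpm_k_output

# Constructed sample output (package names are placeholders).
check_rpm_k_output <<'EOF' || echo "at least one package is not verified as signed"
example-a-1.0-1.x86_64.rpm: digests signatures OK
example-b-1.0-1.x86_64.rpm: digests OK
example-c-1.0-1.x86_64.rpm: digests SIGNATURES NOT OK
example-d-1.0-1.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
EOF
```

A package reported as unsigned or bad should not be installed until the public key from step 1 is confirmed and the package verifies against it.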