Verifying Liberty release packages
Verify the authenticity and integrity of a Liberty release package by using the signature files and the corresponding public key. These signature files are produced for every package of a Liberty release.
Signature files are available for Liberty releases in version 22.214.171.124 and later. IBM® uses its private key to digitally sign each Liberty release. You can use the Liberty public key to check the signature, verify that the package was released by IBM Fix Central, and confirm that it was not modified since its release.
For information about verifying Liberty packages on Maven Central, see Verify Liberty packages on Maven Central on the Open Liberty website.
Before you begin
.sig) file, and the Liberty public key file from IBM Fix Central. Signature files are not available for use with IBM Installation Manager.
Obtain the Liberty public key file by using the Public Key link in your package details on the IBM Fix Central page. You can also obtain the key from the public key link in the Download package section of the Get Started page on the Open Liberty website. Save the public key file from your browser
.sig file, and the public key file, and run the following OpenSSL command from the command line to verify the release package.
openssl dgst -sha256 -verify WebSphereLiberty_02-13-2023.pem -signature wlp-kernel-126.96.36.199.zip.sig wlp-kernel-188.8.131.52.zip
This example uses the WebSphereLiberty_02-13-2023.pem public key file and the wlp-kernel-184.108.40.206.zip.sig signature file to verify the wlp-kernel-220.127.116.11.zip release package. Replace the signature file and package version values according to the package that you want to verify.
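The same OpenSSL check wrapped in a script that acts on the command's exit status, so an install step can refuse a package that fails verification. This is an added example, not IBM's code: `verify_pkg` and `demo` are hypothetical helper names, and the key pair and package that `demo` creates are constructed so that the script runs offline.

```sh
#!/bin/sh
# verify_pkg PUBKEY SIGFILE PACKAGE
# Returns 0 only when the signature verifies, 2 when an input file is
# missing or empty, and openssl's non-zero status on any other failure.
verify_pkg() {
    for f in "$1" "$2" "$3"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done
    # Same command as on the page. The exit status is the verdict; the
    # "Verified OK" / "Verification Failure" text is only for human readers.
    openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# Offline demonstration with a constructed RSA key pair and package
# (stand-ins for the .pem, .sig and .zip files from IBM Fix Central).
demo() {
    d=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/priv.pem" 2>/dev/null
    openssl pkey -in "$d/priv.pem" -pubout -out "$d/pub.pem"
    printf 'constructed package contents\n' > "$d/pkg.zip"
    openssl dgst -sha256 -sign "$d/priv.pem" -out "$d/pkg.zip.sig" "$d/pkg.zip"

    # 1. Untouched package: expected to verify.
    verify_pkg "$d/pub.pem" "$d/pkg.zip.sig" "$d/pkg.zip" \
        && intact=0 || intact=$?
    # 2. Package modified after signing: expected to be rejected.
    printf 'x' >> "$d/pkg.zip"
    verify_pkg "$d/pub.pem" "$d/pkg.zip.sig" "$d/pkg.zip" \
        && tampered=0 || tampered=$?
    # 3. Signature file not downloaded: rejected before openssl runs.
    verify_pkg "$d/pub.pem" "$d/absent.sig" "$d/pkg.zip" 2>/dev/null \
        && missing=0 || missing=$?

    rm -rf "$d"
    echo "intact=$intact tampered=$tampered missing=$missing"
}

demo
```

In an install script, call it as `verify_pkg key.pem package.zip.sig package.zip || exit 1` before unpacking the archive.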