Verifying Liberty release packages
Verify the authenticity and integrity of a Liberty release package by using the signature files and the corresponding public key. These signature files are produced for every package of a Liberty release.
Signature files are available for Liberty releases in version 22.0.0.1 and later. IBM® uses its private key to digitally sign each Liberty release. You can use the Liberty public key to check the signature, verify that the package was released by IBM Fix Central, and that it was not modified since its release.
For information about verifying Liberty packages on Maven Central, see Verify Liberty packages on Maven Central on the Open Liberty website.
Before you begin
.sig) file, and the Liberty public key file from IBM Fix Central. Signature files are not available for use with IBM Installation Manager.
Obtain the Liberty public key file by using the Public Key link in your package details on the IBM Fix Central page. You can also obtain the key from the public key link in the Download package section of the Get Started page on the Open Liberty website. Save the public key file from your browser as a .pem file.
Procedure
.sig file, and the public key file, and run the following OpenSSL command from the command line to verify the release package.
openssl dgst -sha256 -verify WebSphereLiberty_02-13-2023.pem -signature wlp-kernel-23.0.0.2.zip.sig wlp-kernel-23.0.0.2.zip
This example uses the WebSphereLiberty_02-13-2023.pem public key file and the wlp-kernel-23.0.0.2.zip.sig signature file to verify the wlp-kernel-23.0.0.2.zip release package. Replace the signature file and package version values according to the package that you want to verify.
Results
Verified OK
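For scripted installs, the verification command from the procedure can be wrapped so that a failed or missing signature stops the pipeline. The following is an added example, not part of the IBM documentation: the function names verify_release and selftest are hypothetical, and the self-test uses a constructed throwaway key pair and a constructed stand-in file rather than the Liberty public key or a real release package.

```shell
#!/bin/sh
# verify_release PUBKEY SIGFILE PACKAGE
# Returns 0 only if the signature verifies, 1 on a bad signature,
# 2 if any input file is missing or unreadable (fail closed).
verify_release() {
    pubkey=$1 sig=$2 pkg=$3
    for f in "$pubkey" "$sig" "$pkg"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
    done
    # Decide on the openssl exit status, not by parsing "Verified OK".
    if openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$pkg" \
        >/dev/null 2>&1; then
        return 0
    fi
    echo "SIGNATURE CHECK FAILED: $pkg" >&2
    return 1
}

# Offline self-test. Everything below is constructed sample data:
# a throwaway RSA key pair and a small file standing in for the package.
selftest() {
    dir=$(mktemp -d) || return 3
    openssl genrsa -out "$dir/priv.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/priv.pem" -pubout -out "$dir/pub.pem" 2>/dev/null
    printf 'constructed package bytes\n' > "$dir/pkg.zip"
    openssl dgst -sha256 -sign "$dir/priv.pem" \
        -out "$dir/pkg.zip.sig" "$dir/pkg.zip"

    good=0; bad=0; missing=0
    # 1. Untouched file with its matching signature.
    verify_release "$dir/pub.pem" "$dir/pkg.zip.sig" "$dir/pkg.zip" || good=$?
    # 2. Same signature after the file was modified.
    printf 'x' >> "$dir/pkg.zip"
    verify_release "$dir/pub.pem" "$dir/pkg.zip.sig" "$dir/pkg.zip" \
        2>/dev/null || bad=$?
    # 3. Signature file absent.
    verify_release "$dir/pub.pem" "$dir/none.sig" "$dir/pkg.zip" \
        2>/dev/null || missing=$?

    rm -rf "$dir"
    echo "$good $bad $missing"
}
```

With the files from the procedure, the call is verify_release WebSphereLiberty_02-13-2023.pem wlp-kernel-23.0.0.2.zip.sig wlp-kernel-23.0.0.2.zip, followed by the installation step only when it returns 0.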