[22.0.0.1 and later]

Verifying Liberty release packages

Verify the authenticity and integrity of a Liberty release package by using the signature files and the corresponding public key. These signature files are produced for every package of a Liberty release.

Signature files are available for Liberty releases in version 22.0.0.1 and later. IBM® uses its private key to digitally sign each Liberty release. You can use the Liberty public key to check the signature, verify that the package was released by IBM Fix Central, and confirm that it was not modified since its release.

[Open Liberty] For information about verifying Liberty packages on Maven Central, see Verify Liberty packages on Maven Central on the Open Liberty website.

Before you begin

Before you can verify a Liberty release package, you must download a release archive file, the corresponding signature (.sig) file, and the Liberty public key file from IBM Fix Central. Signature files are not available for use with IBM Installation Manager.

Obtain the Liberty public key file by using the Public Key link in your package details on the IBM Fix Central page. You can also obtain the key from the public key link in the Download package section of the Get Started page on the Open Liberty website. Save the public key file from your browser as a .pem file.

[For z/OS platforms] Note: On z/OS systems, you might need to tag the package file that you want to verify as an ASCII text file for the openssl command to correctly validate the file. Before you attempt to verify the release, run the following command to tag the package file as an ASCII text file.
chtag -tc ISO8859-1 22.0.0.1-WS-LIBERTY-ZOS-FP.zip
This example uses the 22.0.0.1-WS-LIBERTY-ZOS-FP.zip release package. Replace the file name value according to the archive file that you want to verify.

Procedure

Navigate to the directory that contains the release archive file, the corresponding .sig file, and the public key file, and run the following OpenSSL command from the command line to verify the release package.
openssl dgst -sha256 -verify WebSphereLiberty_06-02-2021.pem -signature 22.0.0.1-WS-LIBERTY-CORE-FP.zip.sig 22.0.0.1-WS-LIBERTY-CORE-FP.zip

This example uses the WebSphereLiberty_06-02-2021.pem public key file and the 22.0.0.1-WS-LIBERTY-CORE-FP.zip.sig signature file to verify the 22.0.0.1-WS-LIBERTY-CORE-FP.zip release package. Replace the signature file and package version values according to the package that you want to verify.

Results

If the verification is successful, the command produces the following console output.
Verified OK
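
Added example (not part of IBM's documentation): a POSIX shell wrapper around the command above that accepts a package only when openssl exits with status 0 and prints exactly Verified OK, so the check can gate an unattended install instead of relying on someone reading the console. The function names verify_package and self_test are hypothetical, and self_test uses a throwaway RSA key pair and a constructed file in place of the real Liberty public key and release archive.

```shell
#!/bin/sh
# Added example, not IBM's script. Fails closed: the package is accepted only
# when openssl exits 0 AND prints exactly "Verified OK".
verify_package() {
    # $1 = public key (.pem), $2 = signature (.sig), $3 = release archive
    pubkey=$1; sig=$2; pkg=$3
    for f in "$pubkey" "$sig" "$pkg"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
    done
    out=$(openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$pkg" 2>/dev/null) || {
        echo "REJECT: signature check failed for $pkg" >&2
        return 1
    }
    [ "$out" = "Verified OK" ] || { echo "REJECT: unexpected output: $out" >&2; return 1; }
    echo "OK: $pkg"
}

# Self-test on constructed data. The throwaway RSA key is an assumption made
# for the demo only; the real public key comes from IBM Fix Central.
self_test() {
    tmp=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$tmp/priv.pem" 2>/dev/null || return 1
    openssl pkey -in "$tmp/priv.pem" -pubout -out "$tmp/pub.pem" || return 1
    printf 'constructed package contents\n' > "$tmp/pkg.zip"
    openssl dgst -sha256 -sign "$tmp/priv.pem" -out "$tmp/pkg.zip.sig" "$tmp/pkg.zip" || return 1
    intact=0;   verify_package "$tmp/pub.pem" "$tmp/pkg.zip.sig" "$tmp/pkg.zip" || intact=$?
    printf 'x' >> "$tmp/pkg.zip"    # simulate modification after release
    tampered=0; verify_package "$tmp/pub.pem" "$tmp/pkg.zip.sig" "$tmp/pkg.zip" || tampered=$?
    rm -rf "$tmp"
    [ "$intact" -eq 0 ] && [ "$tampered" -eq 1 ]
}

# Usage: sh verify.sh <public-key.pem> <package.sig> <package.zip>
if [ "$#" -eq 3 ]; then verify_package "$@"; fi
```

A non-zero return from verify_package means the archive should not be installed: status 1 is a failed signature check, status 2 is a missing or unreadable input file.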