Verify the authenticity and integrity of a WebSphere® Application Server release package by using the signature files and the
corresponding public key. These signature files are produced for every package of a WebSphere Application Server release.
IBM® uses its private key to digitally sign each WebSphere Application Server release. You can use the WebSphere Application Server public key to check the signature, verify that the
package was released by IBM Fix Central, and that it was not modified since its release.
In version 8.5.5.25 and later, you can also verify the authenticity of the
WebSphere Application Server public key by using a certificate
(.cer) file.
Before you begin
Before you can verify a WebSphere Application Server release package,
you must download a release archive file, the corresponding signature (.sig) file,
and the WebSphere Application Server public key file. The following table
describes the resources that you need to verify a WebSphere Application Server release package and where to find them.
Table 1. Release verification resources

| Resource | Description | Source |
| --- | --- | --- |
| WebSphere Application Server release package | A release package is either a release archive file or an IBM Installation Manager repository. | Obtain your release package from one of the following sources. IBM Passport Advantage Online: Passport Advantage customers can download the initial release of the product parts and a corresponding .sig file from Passport Advantage Online. IBM Fix Central: IBM Fix Central contains all fix packs and interim fixes for the product and the corresponding .sig files for each release. |
| Signature (.sig) file | IBM provides a signature file for each release package. You use this file together with the WebSphere Application Server public key to verify the digital signature of the package. | Your signature file is available from the same source that you download your release package from, either Passport Advantage or IBM Fix Central. |
| WebSphere Application Server public key | For versions before 8.5.5.25, the public key is a .pem file that corresponds to the WebSphere Application Server private key that is used to sign each release package. In version 8.5.5.25 and later, the public key is embedded in a .cer file that corresponds to that private key. You can use the .cer file to verify the authenticity of the WebSphere Application Server public key. | For versions before 8.5.5.25, obtain the public key as a .pem file from one of the following sources: IBM Fix Central customers can use the Public Key link in the release package details on the IBM Fix Central page; Passport Advantage customers can use this link and save the public key from the browser as a .pem file. In version 8.5.5.25 and later, obtain the public key as a .cer file from one of the following sources: IBM Fix Central customers can use the Certificate File link in the package details on the IBM Fix Central page; Passport Advantage customers can use this link and save the public key from the browser as a .cer file. |
About this task
In the following task, steps 1 and 2 apply only to WebSphere Application Server 8.5.5.25 and later releases. In these releases, the
WebSphere Application Server public key is embedded in a
.cer file. You can use this file to verify the authenticity of the WebSphere Application Server public key before you extract it to a new
.pem file, which you use to verify the release package.
In versions before 8.5.5.25, the WebSphere Application Server public key
is available only as a .pem file. To verify a release package for these
versions, skip to step 3.
In the following examples, replace the
WebSphere_certificate and
WebSphere_release_package variables with the public key and
release package files that you are using to verify a release package.
Procedure
1. Verify the authenticity of the WebSphere Application Server public key.
The WebSphere Application Server public key is embedded in a .cer file. Before you extract the public key, you can verify that the certificate was produced by IBM. Run the following OpenSSL command from the directory that contains the .cer file:
openssl x509 -text -in WebSphere_certificate.pem.cer
The command displays the certificate details. If the certificate was produced by IBM, the output is similar to the following example, with International Business Machines Corporation as the Subject and a DigiCert code-signing CA as the Issuer:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
05:27:40:1b:0d:4a:60:3a:ac:61:e0:d7:20:0d:77:ed
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Validity
Not Before: Jan 13 00:00:00 2023 GMT
Not After : Jun 26 23:59:59 2024 GMT
Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM CCSS, CN = International Business Machines Corporation
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
...
-----END CERTIFICATE-----
2. Extract the WebSphere Application Server public key from the .cer file as a .pem file.
The WebSphere Application Server public key is embedded in the .cer file. To extract the key to a new .pem file, run the following command from the directory that contains the .cer file:
openssl x509 -inform PEM -in WebSphere_certificate.pem.cer -pubkey -noout > WebSphere_certificate.pem
This command creates a
WebSphere_certificate.pem file in the
working directory. You can now use this file to verify the release package.
3. Navigate to the directory that contains the release package, the corresponding .sig file, and the .pem file. Run the following command to verify the release package:
openssl dgst -sha256 -verify WebSphere_certificate.pem -signature WebSphere_release_package.zip.sig WebSphere_release_package.zip
Results
If the verification is successful, the command produces the following console output: