IBM Support

Verifying the integrity of the IBM Business Automation Workflow installation files

How To


Summary

The files that you download and use to install IBM Business Automation Workflow are digitally signed. You can optionally verify the integrity of these files to ensure that they originated from IBM and have not been modified.

Steps

Signature validation
Code signatures enable you to verify that a downloaded file was created by IBM and that no bits in the file were changed. The process involves the following steps:
  1. Download the files, which include the IBM Business Automation Workflow signed installation files, attached signature files, and key material (certificates). The following signature files are attached at the very end of this document:
    • signatures.zip: Use this signature file if you are downloading the IBM Business Automation Workflow repository from Passport Advantage.
    • fix-central-signatures-BAW-Vxxxxx.zip: Use these signature files if you are downloading the IBM Business Automation Workflow repository from Fix Central.
  2. Validate that the certificates were issued to IBM by a trusted certificate authority.
  3. Validate that the signature in each downloaded signed file was created using a private key that matches the certificate validated in step 2.
The instructions in this document assume that OpenSSL is installed.
Step 1: Download the files
  • Signed files: <file> - The IBM Business Automation Workflow binary installation files, such as BAW_20_0_0_1_Windows_1_of_3.zip or workflow2201.delta.repository.zip.
  • Signature files: <file.sig> - The signature files for the above binary files, such as BAW_20_0_0_1_Windows_1_of_3.zip.sig or workflow2201.delta.repository.zip.sig. Note that some binary files are shipped under multiple part numbers. Because it might be easier to identify files by part number, the corresponding signature files are included in the attached files signatures.zip, fix-central-signatures-BAW-V20-0-0-1.zip, and fix-central-signatures-BAW-V20-0-0-2.zip, for example CC704ML.tar.gz.sig, BAWE_20_0_0_1_AIX_1_of_2.tar.gz.sig, CC702ML.tar.gz, and BAW_20_0_0_1_AIX_1_of_2.tar.gz.sig in the .zip archive attached at the end of this document.
  • Key material: baw-cert.pem or baw-cert-2022.pem - The public certificate issued to IBM by a public certificate authority for the purpose of code signing.
  • Key material: baw-public.key or baw-public-2022.key - The public key contained in the above certificate (which matches the private key used for code signing). This key is in the .zip archive attached at the end of this document.
  • Key material: intermediate.pem or intermediate-2022.pem - The public intermediate certificate owned by IBM, which represents this offering's development organization. This certificate is in the .zip archive attached at the end of this document.
Step 2: Validate the certificate
You can validate that the public key baw-public-2022.key is present in the certificate baw-cert-2022.pem and that the certificate is still valid. To view the certificate details, invoke openssl x509 -text -in baw-cert-2022.pem and inspect the response:
  • Issuer (the public CA that validated IBM's identity):  C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Assured ID Code Signing CA
  • Subject (the organization for which the certificate was issued):  C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM CCSS, CN = International Business Machines
$ openssl x509 -text -in baw-cert-2022.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            05:b1:97:d8:59:5f:24:83:ca:92:04:22:9a:4c:76:dd
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
        Validity
            Not Before: Jan 30 00:00:00 2022 GMT
            Not After : Jan 30 23:59:59 2024 GMT
        Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM CCSS, CN = International Business Machines Corporation
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:a8:8a:19:f7:ea:ca:73:1f:5d:6f:a2:11:3e:68:
                    9b:5e:73:6a:e4:34:5c:c8:77:cd:bd:a1:d8:95:9e:
                    00:f7:f8:b9:1d:de:fc:6e:3c:37:83:57:cc:7f:4d:
                    ab:46:09:8e:47:26:db:27:63:2c:3b:9a:77:c3:85:
                    cd:84:9c:d7:d7:33:56:71:5f:00:18:12:8f:ab:ed:
                    65:99:b8:da:f8:2b:b8:e2:b5:82:1e:a3:ff:b0:fc:
                    b9:36:33:ea:38:d4:81:45:91:a3:f5:80:73:58:e6:
                    39:0e:14:e6:44:04:ef:30:04:12:f5:fd:f8:58:4a:
                    d8:96:eb:6c:59:6f:00:87:31:80:e6:9f:58:89:26:
                    c6:07:ec:19:94:86:c6:62:4d:b6:69:85:3f:9f:cf:
                    22:63:82:59:7b:88:4d:2b:c6:22:90:3c:71:03:4c:
                    74:24:cc:30:a8:64:50:58:8b:c4:59:bc:b0:52:f3:
                    9e:29:8c:28:92:c0:7c:41:7b:6c:eb:30:80:e1:56:
                    c4:b3:e4:71:55:05:7a:98:31:14:f0:b5:cb:42:00:
                    4d:24:8f:fa:94:e0:5d:6c:46:b8:25:7e:e1:4d:2e:
                    a7:fa:96:db:3a:13:ce:c7:19:39:a2:ec:57:5c:44:
                    ff:95:3e:a8:aa:41:d4:bf:96:28:1a:06:29:4d:ae:
                    2c:5b:06:75:d5:f7:28:53:91:be:8f:7f:d2:c0:ea:
                    e8:64:05:25:af:24:3e:f5:ea:9c:4e:fd:99:65:12:
                    a1:3b:19:80:51:43:2c:a8:d3:1c:46:76:55:0b:3d:
                    92:1f:d1:22:4d:f7:83:2d:d3:cb:ba:41:4b:fe:0f:
                    e6:5e:b2:b0:86:0b:5d:80:c1:55:6b:5a:13:e3:4a:
                    24:30:22:d6:70:f1:5e:d5:76:a2:e5:be:79:e0:e5:
                    fe:45:d0:20:aa:eb:d2:ab:b1:5d:41:fe:f6:6c:db:
                    49:25:87:1d:c1:d0:c9:af:08:d4:99:b2:1d:c3:57:
                    d7:3d:b4:2e:4b:b7:e6:42:45:49:d3:4b:ff:7a:04:
                    eb:cd:78:56:49:48:fc:0d:36:f1:e3:8f:a0:dd:79:
                    49:37:27:20:83:d3:01:23:6b:7b:6d:f4:73:6f:ab:
                    23:b0:c0:05:b4:89:72:a8:fb:43:11:ef:ea:5e:2e:
                    93:c6:bd:6c:d6:f1:3e:92:4f:76:8b:d2:ed:ba:96:
                    a7:cd:dc:89:5e:a9:42:00:06:62:26:d3:56:45:5a:
                    bf:10:73:88:de:dd:bc:8b:bb:4f:85:65:2c:45:b5:
                    d7:e8:5d:72:f1:40:b8:5b:33:38:5a:4a:37:93:10:
                    91:8d:d4:df:63:ee:86:78:1b:04:db:c6:e6:98:79:
                    dc:f9:f7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:68:37:E0:EB:B6:3B:F8:5F:11:86:FB:FE:61:7B:08:88:65:F4:4E:42

            X509v3 Subject Key Identifier:
                19:EE:DE:9B:8B:0B:2D:03:F7:07:16:E6:33:60:02:06:3D:7F:6A:C5
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl

                Full Name:
                  URI:http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl

            X509v3 Certificate Policies:
                Policy: 2.23.140.1.4.1
                  CPS: http://www.digicert.com/CPS

            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt

            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
In addition to an Issuer and a Signer, the certificate has the following characteristics:
  • A validity period between the Not Before date and the Not After date. The signature should be produced within this period. 
    • Not Before: Jan 30 00:00:00 2022 GMT
    • Not After : Jan 30 23:59:59 2024 GMT
  • A public key, which is described under Subject Public Key Info in the output above. Signature validation requires this public key, so it is also included as a separately downloadable file named baw-public-2022.key in the attached .zip files.
You can validate that this public key is the public key referred to in the certificate by invoking the following command and comparing the modulus with the one in the output of the certificate:
$ openssl rsa -noout -text -inform PEM -in baw-public-2022.key -pubin
RSA Public-Key: (4096 bit)
Modulus:
    00:a8:8a:19:f7:ea:ca:73:1f:5d:6f:a2:11:3e:68:
    9b:5e:73:6a:e4:34:5c:c8:77:cd:bd:a1:d8:95:9e:
    00:f7:f8:b9:1d:de:fc:6e:3c:37:83:57:cc:7f:4d:
    ab:46:09:8e:47:26:db:27:63:2c:3b:9a:77:c3:85:
    cd:84:9c:d7:d7:33:56:71:5f:00:18:12:8f:ab:ed:
    65:99:b8:da:f8:2b:b8:e2:b5:82:1e:a3:ff:b0:fc:
    b9:36:33:ea:38:d4:81:45:91:a3:f5:80:73:58:e6:
    39:0e:14:e6:44:04:ef:30:04:12:f5:fd:f8:58:4a:
    d8:96:eb:6c:59:6f:00:87:31:80:e6:9f:58:89:26:
    c6:07:ec:19:94:86:c6:62:4d:b6:69:85:3f:9f:cf:
    22:63:82:59:7b:88:4d:2b:c6:22:90:3c:71:03:4c:
    74:24:cc:30:a8:64:50:58:8b:c4:59:bc:b0:52:f3:
    9e:29:8c:28:92:c0:7c:41:7b:6c:eb:30:80:e1:56:
    c4:b3:e4:71:55:05:7a:98:31:14:f0:b5:cb:42:00:
    4d:24:8f:fa:94:e0:5d:6c:46:b8:25:7e:e1:4d:2e:
    a7:fa:96:db:3a:13:ce:c7:19:39:a2:ec:57:5c:44:
    ff:95:3e:a8:aa:41:d4:bf:96:28:1a:06:29:4d:ae:
    2c:5b:06:75:d5:f7:28:53:91:be:8f:7f:d2:c0:ea:
    e8:64:05:25:af:24:3e:f5:ea:9c:4e:fd:99:65:12:
    a1:3b:19:80:51:43:2c:a8:d3:1c:46:76:55:0b:3d:
    92:1f:d1:22:4d:f7:83:2d:d3:cb:ba:41:4b:fe:0f:
    e6:5e:b2:b0:86:0b:5d:80:c1:55:6b:5a:13:e3:4a:
    24:30:22:d6:70:f1:5e:d5:76:a2:e5:be:79:e0:e5:
    fe:45:d0:20:aa:eb:d2:ab:b1:5d:41:fe:f6:6c:db:
    49:25:87:1d:c1:d0:c9:af:08:d4:99:b2:1d:c3:57:
    d7:3d:b4:2e:4b:b7:e6:42:45:49:d3:4b:ff:7a:04:
    eb:cd:78:56:49:48:fc:0d:36:f1:e3:8f:a0:dd:79:
    49:37:27:20:83:d3:01:23:6b:7b:6d:f4:73:6f:ab:
    23:b0:c0:05:b4:89:72:a8:fb:43:11:ef:ea:5e:2e:
    93:c6:bd:6c:d6:f1:3e:92:4f:76:8b:d2:ed:ba:96:
    a7:cd:dc:89:5e:a9:42:00:06:62:26:d3:56:45:5a:
    bf:10:73:88:de:dd:bc:8b:bb:4f:85:65:2c:45:b5:
    d7:e8:5d:72:f1:40:b8:5b:33:38:5a:4a:37:93:10:
    91:8d:d4:df:63:ee:86:78:1b:04:db:c6:e6:98:79:
    dc:f9:f7
Exponent: 65537 (0x10001)
If IBM suspected a compromise of the code signing key, the certificate would be revoked by informing the public certificate authority, which in turn publishes this revocation information using the Online Certificate Status Protocol (OCSP). You can invoke the OCSP check to see if the certificate was revoked: 
$ openssl ocsp -no_nonce -issuer intermediate-2022.pem -cert baw-cert-2022.pem -VAfile intermediate-2022.pem -text -url http://ocsp.digicert.com -respout ocsptest
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 915DEAC5D1E15E49646B8A94E04E470958C9BB89
          Issuer Key Hash: 6837E0EBB63BF85F1186FBFE617B088865F44E42
          Serial Number: 05B197D8595F2483CA9204229A4C76DD
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 6837E0EBB63BF85F1186FBFE617B088865F44E42
    Produced At: Jun 22 13:30:27 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 915DEAC5D1E15E49646B8A94E04E470958C9BB89
      Issuer Key Hash: 6837E0EBB63BF85F1186FBFE617B088865F44E42
      Serial Number: 05B197D8595F2483CA9204229A4C76DD
    Cert Status: good
    This Update: Jun 22 13:15:01 2022 GMT
    Next Update: Jun 29 12:30:01 2022 GMT

    Signature Algorithm: sha384WithRSAEncryption
baw-cert-2022.pem: good
        This Update: Jun 22 13:15:01 2022 GMT
        Next Update: Jun 29 12:30:01 2022 GMT
Response verify OK
At the bottom of the output, the text "Response verify OK" should be displayed.
After completing the steps, you can be assured that baw-cert-2022.pem, baw-public-2022.key, and intermediate-2022.pem are all valid and can be used to verify that the code signatures were produced by IBM.
Step 3: Validate the signatures
Complete the following steps to validate the signatures:
  1. Calculate the SHA256 hash of a downloaded file.
  2. Decrypt the signature file using IBM's public key baw-public-2022.key. The decrypted plain text is the SHA256 hash of the same file, calculated by IBM.
  3. Compare the two hashes to ensure that no bits were changed.
These three steps are combined in a single command: openssl dgst -sha256 -verify baw-public-2022.key -signature <signature file> <file>. For example:
$ openssl dgst -sha256 -verify baw-public-2022.key -signature workflow.2201.delta.repository.zip.sig workflow.2201.delta.repository.zip
Verified OK
The expected response is "Verified OK". Note that depending on file sizes, this command may take a few seconds to complete.
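The key-to-certificate comparison from Step 2 and the signature check from Step 3 can be combined into one fail-closed batch run. The script below is an added example, not IBM's tooling; the function names and the layout it assumes (each signature stored beside its file as <file>.sig, downloads ending in .zip or .tar.gz) are assumptions.

```sh
#!/bin/sh
# Added example, not IBM's tooling. Assumes each download has its signature
# beside it as <file>.sig (rename part-number signatures to match first).

# key_matches_cert CERT KEY
# Succeeds only if KEY is the public key embedded in CERT. Both are re-encoded
# to DER so the comparison is byte-exact instead of a visual modulus check.
key_matches_cert() {
    kmc_tmp=$(mktemp -d) || return 2
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -outform DER -out "$kmc_tmp/cert.der" 2>/dev/null &&
        openssl pkey -pubin -in "$2" -outform DER -out "$kmc_tmp/key.der" 2>/dev/null &&
        cmp -s "$kmc_tmp/cert.der" "$kmc_tmp/key.der"
    kmc_rc=$?
    rm -rf "$kmc_tmp"
    return "$kmc_rc"
}

# verify_one KEY FILE
# Runs the Step 3 command; a missing signature file counts as a failure.
verify_one() {
    if [ ! -f "$2.sig" ]; then
        echo "NO SIGNATURE  $2"
        return 1
    fi
    if openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1; then
        echo "OK            $2"
    else
        echo "FAILED        $2"
        return 1
    fi
}

# verify_all CERT KEY DIR
# Returns 2 if KEY is not the certificate's key, 1 if any file fails or no
# file was found to check, and 0 only when every file verified.
verify_all() {
    key_matches_cert "$1" "$2" ||
        { echo "public key does not match certificate" >&2; return 2; }
    va_seen=0 va_bad=0
    for va_f in "$3"/*.zip "$3"/*.tar.gz; do
        [ -f "$va_f" ] || continue
        va_seen=$((va_seen + 1))
        verify_one "$2" "$va_f" || va_bad=$((va_bad + 1))
    done
    echo "checked=$va_seen failed=$va_bad"
    [ "$va_seen" -gt 0 ] && [ "$va_bad" -eq 0 ]
}

# Usage: sh verify.sh baw-cert-2022.pem baw-public-2022.key <download dir>
if [ "$#" -eq 3 ]; then
    verify_all "$@"
    exit $?
fi
```

The script does not perform the OCSP revocation check from Step 2, which needs network access and should still be run separately.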

Document Location

Worldwide


Document Information

Modified date:
15 December 2023

UID

ibm16234014