How To
Summary
For AIX and VIOS security bulletins that include interim fixes or new filesets as remediation, a tar file is provided that includes a text version of the bulletin, interim fixes or filesets, and signature files for each included file. For AIX and VIOS HIPER bulletins that include interim fixes, signature files are also provided for each fix. Here we lay out steps for verifying the integrity of AIX and VIOS security and HIPER fixes.
Steps
Obtaining the AIX and VIOS public key
Integrity of the AIX and VIOS security fixes and bulletins, and AIX and VIOS HIPER fixes, can be verified by using the signature files with the public key available for https download from:
Starting with AIX 7.2 TL5 SP3 and VIOS 3.1.3.10, the same public key is also installed locally as part of the bos.rte.security fileset:
/etc/security/certificates/AIX_PSIRT_pubkey.txt
For additional verification and ease of use, the contents of the public key, which can be copied into a new file and stored locally, are:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwUReXHZdyR6HuiWQbcG7
g9xtp9j8Q/uxhImosNanuqjwj8UinAKkkaArFzCb69WIjPYXmv+MOr0B6TnB5h0w
9kRauQLYV74iYxGG5Y2Yrl4HB0Un34YTgl+hrDWHPY3dI5cyzHLCvXMRTsPfnyUK
LsH9m5ZUtA6UBs9D48HS66YHVHwtcjb50xYsd2GwVip2HrskTTUXzB+I/BqYh0RA
brJiFG8h2XrAqlJZQU8JJLdH3i4i+HsScsfDgynZ3cEnJCxm1o5QmJyA4G1AOAuJ
+/JmMY0CbTz8sP7o4zykPo0AvakUx5N8yOC8oCMTifN5QH8Ff2hY6uMonoUekm8d
bwIDAQAB
-----END PUBLIC KEY-----
The checksum for the public key can be verified by running:
-> openssl dgst -sha256 [public key path]
The correct checksum value:
-> openssl dgst -sha256 /etc/security/certificates/AIX_PSIRT_pubkey.txt
SHA256(/etc/security/certificates/AIX_PSIRT_pubkey.txt)= 98d1efb466c6946618b5111117a68b0cfe39b27e8718672896754faa81288d76
Verifying files by using the public key
Once obtained, the public key can be used to verify AIX and VIOS security bulletins and security fixes, and AIX and VIOS HIPER fixes, by running:
-> openssl dgst -sha256 -verify [public key path] -signature [file.sig signature path] [file path]
Examples:
-> openssl dgst -sha256 -verify /etc/security/certificates/AIX_PSIRT_pubkey.txt -signature Advisory.asc.sig Advisory.asc
Verified OK
-> openssl dgst -sha256 -verify /etc/security/certificates/AIX_PSIRT_pubkey.txt -signature IJ41974s3a.221025.epkg.Z.sig IJ41974s3a.221025.epkg.Z
Verified OK
If anything other than 'Verified OK' is returned, contact IBM Support for assistance.
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB08","label":"Cognitive Systems"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG10","label":"AIX"},"ARM Category":[{"code":"a8m0z000000cvzhAAA","label":"Security"}],"ARM Case Number":"","Platform":[{"code":"PF002","label":"AIX"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
24 March 2025
UID
ibm16985269