How To
Summary
How to Verify Downloaded HMC Drivers are Trusted and Code Signed for V11 and higher
Objective
The following procedure documents an optional process administrators can follow to verify that downloaded drivers are authentic, trusted, and have not been tampered with. HMC drivers are digitally signed to ensure their integrity and origin. Verification ensures that the artifacts originate from the official and trusted source and not from an unauthorized third party.
Every driver package includes the following components:
- A digitally signed artifact (e.g., .tar.gz, .tgz)
- A respective signature file of every driver file that confirms the authenticity of the artifact
- A public key file used to verify the driver
Administrators can use tools such as Cosign or OpenSSL to verify the signature and validate the integrity of the driver files.
Environment
Prerequisites:
Before performing the verification, ensure you have the following files available:
|
File Name |
Description |
|
PRD0002222key.pem.pub.key.gz |
This gzip archive contains the public key necessary to verify the digital signatures of all driver binaries |
|
Artifact.cosign.sig (HMC_Recovery_V11R1M1110_ppc.iso.cosign.sig) |
Signature file generated at the time of code signing. Each driver file has its own corresponding signature file |
|
ArtifactFileName |
The driver file you intend to verify |
Steps
Extract the Public Key
Use the following command to extract the public key from the gzip file:
$ gzip -d -c PRD0002222key.pem.pub.key.gz > PRD0002222key.pem.pub.key
Verifying Using Cosign Tool
Step 1: Check if Cosign is Installed
$ cosign version
If the version is not v1.8.0, proceed with the steps below to uninstall it.
Step 2: Uninstalling Existing Cosign Version (If cosign version is not v.1.8.0)
For Linux:
If Cosign was installed by copying it to /usr/local/bin/, remove it using:
$ sudo rm /usr/local/bin/cosign
You can verify it's removed by checking:
$ which cosign
It should return no output if successfully removed.
For macOS:
If you installed Cosign using Homebrew, uninstall it with:
$ brew uninstall cosign
Step 3: Install Cosign to v1.8.0
For Linux:
$ wget https://github.com/sigstore/cosign/releases/download/v1.8.0/cosign-linux-pivkey-pkcs11key-amd64
$ chmod +x cosign-linux-pivkey-pkcs11key-amd64
$sudo cp cosign-linux-pivkey-pkcs11key-amd64 /usr/local/bin/cosign
For macOS:
$ wget https://github.com/sigstore/cosign/releases/download/v1.8.0/cosign-darwin-arm64
$ chmod +x cosign-darwin-arm64
$ sudo mv cosign-darwin-arm64 /usr/local/bin/cosign
Step 4: Verify the Artifact
Using the Public Key:
$ cosign verify-blob --key PRD0002222key.pem.pub.key --signature HMC_Recovery_V11R1M1110_ppc.iso.cosign.sig HMC_Recovery_V11R1M1110_ppc.iso
Verifying Using OpenSSL
Install OpenSSL if not already available on your system:
Step 1: Check if OpenSSL is Installed
Run the following command to verify if OpenSSL is installed:
$ openssl version
If OpenSSL is not already installed on your system, follow the steps below based on your operating system:
Step 2: Install OpenSSL
On Ubuntu/Debian:
$ sudo apt update
$ sudo apt install openssl
On RHEL/CentOS/Fedora:
$ sudo dnf install openssl
On macOS:
$ brew install openssl
On Windows OS:
Install Win64 OpenSSL & open “Win64 OpenSSL” cmd prompt
Step 3: Step-by-Step Verification with OpenSSL
Decode the Cosign Signature
$ openssl enc -d -A -base64-in HMC_Recovery_V11R1M1110_ppc.iso.cosign.sig -out HMC_Recovery_V11R1M1110_ppc.iso_decoded.sig
Verify the Decoded Signature
$ openssl dgst -verify PRD0002222key.pem.pub.key -keyform PEM-sha256 -signature HMC_Recovery_V11R1M1110_ppc.iso_decoded.sig -binary HMC_Recovery_V11R1M1110_ppc.iso
Expected Output:
- On success: Verified OK
- On failure: Verification Failure
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB68","label":"Power HW"},"Business Unit":{"code":"BU070","label":"IBM Infrastructure"},"Product":{"code":"7063CR2","label":"Hardware Management Console (7063-CR2)"},"ARM Category":[{"code":"a8m3p000000F97JAAS","label":"HMC-\u003EUpdate \/ Upgrade"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}]},{"Type":"MASTER","Line of Business":{"code":"LOB08","label":"Cognitive Systems"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSJKZ48","label":"Hardware Management Console V11"},"ARM Category":[{"code":"a8m0z000000cw1DAAQ","label":"Hardware Management Console-\u003EHMC Upgrade\/Update"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":""}]
Was this topic helpful?
Document Information
Modified date:
25 July 2025
UID
ibm17240659