IBM Support

Semeru Runtimes verification

General Page

How to verify the IBM Semeru Runtimes.

Verifying IBM Semeru Runtimes

Before you install an IBM Semeru Runtimes package, you can optionally verify that the package is valid and has been signed by IBM. Choose from these package types:

Windows Installer packages (.msi)

IBM Semeru Runtimes Windows Installer packages will be trusted by default on Microsoft platforms. To manually check the authenticity and integrity of an .msi package using File Explorer follow these steps:

  • Download the .msi file.
  • Use File Explorer to navigate to the folder that contains the file.
  • Right-click on the .msi file and select Properties from the context menu
  • Select the Digital Signatures tab in the Properties window.
  • The Signature list will have a signature signed by International Business Machines Corporation.
  • Double-click on the IBM signature to display further information.
  • The Digital Signature Information displays "This digital signature is OK."

Note: You may also use this technique to verify any executable (.exe) and dynamic link library (.dll) files installed by the .msi and also .exe and .dll files installed from an IBM Semeru Runtimes .zip archive.

macOS Installer packages (.pkg)

To manually check the authenticity and integrity of an .pkg package refer to the Apple® support article How to verify the authenticity of manually downloaded Apple software updates.

InstallAnywhere and Archive files (.bin, .tar.gz and .zip)

To check that a .tar.gz archive or InstallAnywhere installer .bin package has not been corrupted or altered you may verify its signature using a signature file. Signature files are available on the IBM Semeru Runtimes download page and have the same name as the package they verify followed by a .sig suffix.

To verify a package follow these steps:

  1. Download the package to a directory of your choice.
  2. Download the corresponding signature file, ending in .sig, to the same directory.
  3. Download the public key:
    ibm-semeru-public.pem.
  4. Run the following command to verify that the file is signed:
    
    openssl dgst -sha256 -verify ibm-semeru-public.pem -signature <package name .sig> <package name>
  5. For example:
    
    openssl dgst -sha256 -verify ibm-semeru-public.pem -signature ibm-semeru-open-jdk_x64_linux_11.0.13.0.tar.gz.sig ibm-semeru-open-jdk_x64_linux_11.0.13.0.tar.gz
  6. If the verification is successful then the command returns “Verified OK”, otherwise it returns "Verification Failure".

You may also use this technique to verify the executable and shared library files within packages. For example:

openssl dgst -sha256 -verify ibm-semeru-public.pem -signature ./lib/default/libj9vm29.so.sig ./lib/default/libj9vm29.so

Note: A .zip archive does not have a signature file. Use the method described for verifying Windows Installer packages to validate the executable (.exe) and dynamic link library (.dll) files contained within the .zip.

RPM Package Manager packages (.rpm)

To check that an .rpm package has not been corrupted or altered. Follow these steps:

  • Download the GPG-formatted public key:
    ibm-semeru-public-GPGkey.pgp.
  • Manually import the key into the RPM database:

    rpm --import ibm-semeru-public-GPGkey.pem
  • Verify the signature of the .rpm package. Use the command:
    rpm -K <package name>

    For example:

    rpm -K ibm-semeru-certified-11-jdk-11.0-13.0.x86_64.rpm

    The output should summarise that the signatures and digests are "OK":

    ibm-semeru-open-11-jdk-11.0-13.0.x86_64.rpm: digests signatures OK
  • You can see more detail by adding the verbose option:
    rpm -Kv ibm-semeru-certified-11-jdk-11.0-13.0.x86_64.rpm

    The output should show that all signatures and digests are "OK":

    ibm-semeru-open-11-jdk-11.0-13.0.x86_64.rpm:
        Header V3 RSA/SHA256 Signature, key ID 9bce9629: OK
        Header SHA256 digest: OK
        Header SHA1 digest: OK
        Payload SHA256 digest: OK
        V3 RSA/SHA256 Signature, key ID 9bce9629: OK
        MD5 digest: OK
    

Verifying the IBM Semeru Runtimes public key

You may also verify that the public key is present in the public certificate owned by IBM.

Follow these steps:

  1. Download the public key:
    ibm-semeru-public.pem.
  2. Download the public certificate:
    ibm-semeru-certificate.pem.
  3. Save the public key and public certificate to a directory of your choice.
  4. Change to the directory and run the following command to display the certificate details:
    
    openssl x509 -text -in ibm-semeru-certificate.pem -noout

    The output will show that the certificate is issued by Digicert to IBM:

    Certificate:
            ...
            Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Assured ID Code Signing CA
            ...
            Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM CCSS, CN = International Business Machines Corporation
            ...
    
    

    The output also shows the public key information:

    Certificate:
    ...
            Subject Public Key Info:
                ...
                    Modulus:
                        00:ab:38:0c:45:7c:d6:16:fa:22:61:fa:46:84:80:
                        67:71:a4:a8:c7:73:63:8a:fb:f3:24:be:94:3f:5e:
                        ...
                    Exponent: 65537 (0x10001)
    
  5. Run the following command to show the public key details:
    openssl rsa -noout -text -inform PEM -in ibm-semeru-public.pem; -pubin

    For example:

    
    Modulus:
        00:ab:38:0c:45:7c:d6:16:fa:22:61:fa:46:84:80:
        67:71:a4:a8:c7:73:63:8a:fb:f3:24:be:94:3f:5e:
    ...
    Exponent: 65537 (0x10001)
    
  6. Using the output from the two steps above, compare the Exponent and Modulus of the public key with the Exponent and Modulus of the Subject Public Key Info in the certificate. Note that the information in the public key matches the information within the certificate.

Verifying the IBM public certificate

You can check that the IBM public certificate is valid by using the Online Certificate Status Protocol (OCSP).

  1. Download the public certificate:
    ibm-semeru-certificate.pem.
  2. Download the intermediate certificate:
    ibm-semeru-chain0.pem.
  3. Save the public and intermediate certificate to a directory of your choice.
  4. Change to the directory and run the following command:

    openssl ocsp -no_nonce -issuer ibm-semeru-chain0.pem -cert ibm-semeru-certificate.pem -VAfile ibm-semeru-chain0.pem -text -url http://ocsp.digicert.com -respout ocsptest
    
  5. If the certificate is valid the command returns "Response verify OK", otherwise it return "Response Verify Failure".

[{"Type":"SW","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSA3RN","label":"IBM Semeru Runtimes"},"ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Document Information

Modified date:
28 October 2021

UID

ibm16508503