Verifying Open Liberty release package signatures

You can use signature files and the corresponding public key to verify the authenticity and integrity of an Open Liberty release package. Signature files are produced for every package of an Open Liberty release.

Signature files are available for Open Liberty releases in version 22.0.0.1 and later. The Open Liberty project uses its private key to digitally sign each Open Liberty release. You can use the Open Liberty public key to check the signature, verify that the package was released by Open Liberty, and that it was not modified since its release.

You can verify a release package either locally, by using the openssl command and a *.sig file, or on Maven Central, by using the gpg command.

Verifying Open Liberty release package signatures with OpenSSL

To verify an Open Liberty release package locally, you must first download an Open Liberty .zip package, the corresponding .sig file, and the Open Liberty public key. You can then run the openssl command to verify the package signature.

  1. Go to the Download package section of the Open Liberty Get Started page and download an Open Liberty .zip package and its corresponding .sig file.

  2. Obtain the public key file by using the public key link on the Get Started page. Save the public key file from your browser as a .pem file.

  3. After you download the files, you can run the following OpenSSL command from the command line to verify the package.

openssl dgst -sha256 -verify WebSphereLiberty_06-02-2021.pem -signature openliberty-javaee8-22.0.0.1.zip.sig openliberty-javaee8-22.0.0.1.zip

This example uses the WebSphereLiberty_06-02-2021.pem public key file and openliberty-javaee8-22.0.0.1.zip.sig signature file to verify the openliberty-javaee8-22.0.0.1.zip release package. Replace the signature file and package version values according to the package that you want to verify.

Results

If the verification is successful, the command produces the following console output.

Verified OK

Verify Open Liberty package signatures on Maven Central

To verify Open Liberty packages on Maven Central, you must first download the public key to your local machine by using the gpg or gpg2 command. You must edit the trust level for the key owner. You can then use this key to remotely verify an Open Liberty .asc release file on Maven Central.

  1. Run the following command to download the public key file. The key ID value for the public key is 46102B8E.

    gpg2 --keyserver hkp://keyserver.ubuntu.com --recv-keys 46102B8E
  2. Use the gpg2 --edit-key command to set the trust for the key owner to 5.

    The following examples show the gpg2 --edit-key command and the console output that it generates.

    $ gpg2 --edit-key "WebSphere Liberty"
    gpg (GnuPG/MacGPG2) 2.2.32; Copyright (C) 2021 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    pub rsa4096/4D210F6946102B8E
       created: 2021-06-02 expires: never    usage: SCEA
       trust: ultimate   validity: ultimate
    [ultimate] (1). WebSphere Liberty (Works for IBM) <[email protected]>
    [ultimate] (2) WebSphereLiberty

    When you run the gpg2 --edit-key command, the console displays information about the key owner, followed by an internal command prompt. At this prompt, enter the trust command, as shown in the following example.

    gpg> trust
    pub rsa4096/4D210F6946102B8E
       created: 2021-06-02 expires: never    usage: SCEA
       trust: ultimate   validity: ultimate
    [ultimate] (1). WebSphere Liberty (Works for IBM) <[email protected]>
    [ultimate] (2) WebSphereLiberty

    You are then prompted to select a level of trust. Enter 5 and confirm your choice by entering y.

    Please decide how far you trust this user to correctly verify other users keys
    (by looking at passports, checking fingerprints from different sources, etc.)
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
    
    Your decision? 5
    Do you really want to set this key to ultimate trust? (y/N) y
    
    pub rsa4096/4D210F6946102B8E
       created: 2021-06-02 expires: never    usage: SCEA
       trust: ultimate   validity: ultimate
    [ultimate] (1). WebSphere Liberty (Works for IBM) <[email protected]>
    [ultimate] (2) WebSphereLiberty
  3. Verify the file by running the gpg2 --verify command. The following example verifies the Open Liberty 22.0.0.1 release package.

    gpg2 --verify openliberty-runtime-22.0.0.1.zip.asc

Results

If the verification is successful, the command produces console output that is similar to the following example.

gpg: assuming signed data in 'openliberty-runtime-22.0.0.1.zip'
gpg: Signature made Wed Nov 24 09:02:44 2021 EST
gpg:        using RSA key 91FFD9A642D060B66B802B9D4D210F6946102B8E
gpg: Good signature from "WebSphere Liberty (Works for IBM) <[email protected]>" [ultimate]
gpg:        aka "WebSphereLiberty" [ultimate]