Verifying Open Liberty release package signatures
You can use signature files and the corresponding public key to verify the authenticity and integrity of an Open Liberty release package. Signature files are produced for every package of an Open Liberty release.
The Open Liberty project uses its private key to digitally sign each Open Liberty release. You can use the Open Liberty public key to check the signature, verify that the package was released by Open Liberty, and that it was not modified since its release.
You can verify a release package either locally, by using the openssl
command and a .sig
file, or on Maven Central, by using the gpg
command. When you verify the release locally, you can also verify the authenticity of the Open Liberty public key by using a certificate (.cer
) file.
Verifying Open Liberty release package signatures with OpenSSL
To verify an Open Liberty release package locally, you must first download an Open Liberty .zip
release package, the corresponding .sig
file, and a .cer
file, which includes the Open Liberty public key. After you extract the Open Liberty public key from the .cer
file, you can run the openssl
command to verify the package signature. Optionally, you can verify the authenticity of the Open Liberty public key before you extract it from the .cer
file.
In the following examples, replace the <OpenLiberty_certificate>
and <Open_Liberty_release_package>
variables with the public key (.cer
), signature (.sig
), and release package (.zip
) files that you are using to verify a release package.
Go to the Download package section of the Open Liberty Get Started page and download an Open Liberty
.zip
release package and the corresponding.sig
and.cer
files.Verify the authenticity of the Open Liberty public key.
The Open Liberty public key is embedded in the
.cer
file. Before you extract the Open Liberty public key, you can verify that it was produced by Open Liberty. Run the following openssl command from the directory that contains the.cer
file:openssl x509 -text -in <OpenLiberty_certificate>.pem.cer
If the verification is successful, the console displays output that is similar to the following example:
Certificate: Data: Version: 3 (0x2) Serial Number: 05:27:40:1b:0d:4a:60:3a:ac:61:e0:d7:20:0d:77:ed Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 Validity Not Before: Jan 13 00:00:00 2023 GMT Not After : Jun 26 23:59:59 2024 GMT Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM CCSS, CN = International Business Machines Corporation Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: ... -----END CERTIFICATE-----
Extract the public key from the
.cer
file as a.pem
file.The Open Liberty public key is embedded in the
.cer
file. To extract the key to a separate.pem
file, run the following command from the directory that contains the.cer
file:openssl x509 -inform PEM -in <OpenLiberty_certificate>.pem.cer -pubkey -noout > <OpenLiberty_certificate>.pem
You can now use this
.pem
file to verify the release package.Verify the authenticity and integrity of the release package.
Navigate to the directory that contains the release archive
.zip
file, the corresponding.sig
file, and the.pem
file that you extracted in the previous step. Run the following command to verify the release package.openssl dgst -sha256 -verify <OpenLiberty_certificate>.pem -signature <Open_Liberty_release_package>.zip.sig <Open_Liberty_release_package>.zip
Verify Open Liberty package signatures on Maven Central
To verify Open Liberty packages on Maven Central, you must download openliberty-runtime-*.zip
and openliberty-runtime-*.zip.asc
files for your chosen release from Maven Central. You must also download the Open Liberty public key to your local machine and set trust level for the key owner by using the gpg or gpg2 command. You can then use this key to verify the Open Liberty release package signature.
Go to the openliberty-runtime repository on Maven Central and click the release version that you want to verify, for example,
24.0.0.1
.Download the
openliberty-runtime-*.zip
andopenliberty-runtime-*.zip.asc
files that correspond to the release you want to verify, for exampleopenliberty-runtime-24.0.0.1.zip
andopenliberty-runtime-24.0.0.1.zip.asc
. Make sure to save the.asc
file from your browser as an.asc
file.Run the following command to download the Open Liberty public key file. The key ID value for the Open Liberty public key is
9E68CA00
.gpg2 --keyserver hkp://keyserver.ubuntu.com --recv-keys 9E68CA00
Run the
gpg2 --edit-key
command to set the trust for the key owner to 5.The following examples show the
gpg2 --edit-key
command and the console output that it generates.gpg2 --edit-key "International Business Machines Corporation <[email protected]>" gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. pub rsa4096/BD9FD5BE9E68CA00 created: 2023-02-10 expires: 2027-02-09 usage: SCE trust: unknown validity: unknown [ unknown] (1). International Business Machines Corporation [email protected]
When you run the
gpg2 --edit-key
command, the console displays information about the key owner, followed by an internal command prompt. At this prompt, enter thetrust
command, as shown in the following example.gpg> trust pub rsa4096/BD9FD5BE9E68CA00 created: 2023-02-10 expires: 2027-02-09 usage: SCE trust: unknown validity: unknown [ unknown] (1). International Business Machines Corporation [email protected]
You are then prompted to select a level of trust. Enter
5
and confirm your choice by enteringy
.Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu Your decision? 5 Do you really want to set this key to ultimate trust? (y/N) y
Verify the release package by running the
gpg2 --verify
command from the directory that contains the Open Liberty public key and the.zip
and.asc
release package files that you downloaded from Maven central.The following example uses the
openliberty-runtime-24.0.0.1.zip.asc
file to verify the 24.0.0.1 release package signature. Replace this value with the release package that you want to validate.gpg2 --verify openliberty-runtime-24.0.0.1.zip.asc
Results
If the verification succeeds, the command produces console output that is similar to the following example:
gpg: assuming signed data in 'openliberty-runtime-24.0.0.1.zip'
gpg: Signature made Thu Jan 25 08:18:11 2024 EST
gpg: using RSA key E70E5D6C3F1E452CB0F67DF1BD9FD5BE9E68CA00
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2027-02-09
gpg: Good signature from "International Business Machines Corporation <[email protected]>" [ultimate]