Verifying Open Liberty release package signatures

You can use signature files and the corresponding public key to verify the authenticity and integrity of an Open Liberty release package. Signature files are produced for every package of an Open Liberty release.

The Open Liberty project uses its private key to digitally sign each Open Liberty release. You can use the Open Liberty public key to check the signature, verify that the package was released by Open Liberty, and that it was not modified since its release.

You can verify a release package either locally, by using the openssl command and a .sig file, or on Maven Central, by using the gpg command. When you verify the release locally, you can also verify the authenticity of the Open Liberty public key by using a certificate (.cer) file.

Verifying Open Liberty release package signatures with OpenSSL

To verify an Open Liberty release package locally, you must first download an Open Liberty .zip release package, the corresponding .sig file, and a .cer file, which includes the Open Liberty public key. After you extract the Open Liberty public key from the .cer file, you can run the openssl command to verify the package signature. Optionally, you can verify the authenticity of the Open Liberty public key before you extract it from the .cer file.

In the following examples, replace the <OpenLiberty_certificate> and <Open_Liberty_release_package> variables with the public key (.cer), signature (.sig), and release package (.zip) files that you are using to verify a release package.

  1. Go to the Download package section of the Open Liberty Get Started page and download an Open Liberty .zip release package and the corresponding .sig and .cer files.

  2. Verify the authenticity of the Open Liberty public key.

    The Open Liberty public key is embedded in the .cer file. Before you extract the Open Liberty public key, you can verify that it was produced by Open Liberty. Run the following openssl command from the directory that contains the .cer file:

    openssl x509 -text -in <OpenLiberty_certificate>.pem.cer

    If the verification is successful, the console displays output that is similar to the following example:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                06:4b:92:a7:85:44:17:52:dd:6c:29:d0:40:cc:a3:0b
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
            Validity
                Not Before: May  8 00:00:00 2024 GMT
                Not After : May  8 23:59:59 2026 GMT
            Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, CN = International Business Machines Corporation
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (4096 bit)
                    Modulus:
    ...
    
    -----END CERTIFICATE-----
  3. Extract the public key from the .cer file as a .pem file.

    The Open Liberty public key is embedded in the .cer file. To extract the key to a separate .pem file, run the following command from the directory that contains the .cer file:

    openssl x509 -inform PEM -in <OpenLiberty_certificate>.pem.cer -pubkey -noout > <OpenLiberty_certificate>.pem

    You can now use this .pem file to verify the release package.

  4. Verify the authenticity and integrity of the release package.

    Navigate to the directory that contains the release archive .zip file, the corresponding .sig file, and the .pem file that you extracted in the previous step. Run the following command to verify the release package.

    openssl dgst -sha256 -verify <OpenLiberty_certificate>.pem -signature <Open_Liberty_release_package>.zip.sig <Open_Liberty_release_package>.zip

Results

If the verification succeeds, the command produces the following console output.

Verified OK

Verify Open Liberty package signatures on Maven Central

To verify Open Liberty packages on Maven Central, you must download openliberty-runtime-*.zip and openliberty-runtime-*.zip.asc files for your chosen release from Maven Central. You must also download the Open Liberty public key to your local machine and set trust level for the key owner by using the gpg or gpg2 command. You can then use this key to verify the Open Liberty release package signature.

  1. Go to the openliberty-runtime repository on Maven Central and click the release version that you want to verify, for example, 24.0.0.1.

  2. Download the openliberty-runtime-*.zip and openliberty-runtime-*.zip.asc files that correspond to the release you want to verify, for example openliberty-runtime-24.0.0.1.zip and openliberty-runtime-24.0.0.1.zip.asc. Make sure to save the .asc file from your browser as an .asc file.

  3. Run the following command to download the Open Liberty public key file. The key ID value for the Open Liberty public key is 9E68CA00.

    gpg2 --keyserver hkp://keyserver.ubuntu.com --recv-keys 9E68CA00
  4. Run the gpg2 --edit-key command to set the trust for the key owner to 5.

    The following examples show the gpg2 --edit-key command and the console output that it generates.

    gpg2 --edit-key "International Business Machines Corporation <[email protected]>"
    
    gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    pub rsa4096/BD9FD5BE9E68CA00
       created: 2023-02-10 expires: 2027-02-09 usage: SCE
       trust: unknown validity: unknown
    [ unknown] (1). International Business Machines Corporation [email protected]

    When you run the gpg2 --edit-key command, the console displays information about the key owner, followed by an internal command prompt. At this prompt, enter the trust command, as shown in the following example.

    gpg> trust
    pub rsa4096/BD9FD5BE9E68CA00
       created: 2023-02-10 expires: 2027-02-09 usage: SCE
       trust: unknown validity: unknown
    [ unknown] (1). International Business Machines Corporation [email protected]

    You are then prompted to select a level of trust. Enter 5 and confirm your choice by entering y.

    Please decide how far you trust this user to correctly verify other users' keys
    (by looking at passports, checking fingerprints from different sources, etc.)
    
    1 = I don't know or won't say
    2 = I do NOT trust
    3 = I trust marginally
    4 = I trust fully
    5 = I trust ultimately
    m = back to the main menu
    
    Your decision? 5
    Do you really want to set this key to ultimate trust? (y/N) y
  5. Verify the release package by running the gpg2 --verify command from the directory that contains the Open Liberty public key and the .zip and .asc release package files that you downloaded from Maven central.

    The following example uses the openliberty-runtime-24.0.0.1.zip.asc file to verify the 24.0.0.1 release package signature. Replace this value with the release package that you want to validate.

    gpg2 --verify openliberty-runtime-24.0.0.1.zip.asc

Results

If the verification succeeds, the command produces console output that is similar to the following example:

gpg: assuming signed data in 'openliberty-runtime-24.0.0.1.zip'
gpg: Signature made Thu Jan 25 08:18:11 2024 EST
gpg:                using RSA key E70E5D6C3F1E452CB0F67DF1BD9FD5BE9E68CA00
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2027-02-09
gpg: Good signature from "International Business Machines Corporation <[email protected]>" [ultimate]