Verify digital signatures - JohnHau/mis GitHub Wiki

To verify that your IBM Passport Advantage software download is valid and has been signed by IBM, follow these steps.

Each package for Passport Advantage contains: RPM, signature, public key, certificate, intermediate certificate.

Using openssl with the signature file, public key and RPM, validate the digital signature. Example:

openssl dgst -sha256 -verify noicodesigners-public-key.pem -signature nasm-common-1.1.10-7.x86_64.rpm.sig nasm-common-1.1.10-7.x86_64.rpm

Output: Verified OK

Optional: Verify that the public key comes from the provided certificate. Extract the public key from the certificate:

openssl x509 -noout -pubkey -in noicodesigners-certificate.pem

-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr17olFvTAcZgOI2g+v+6 aEQyC+9SsNresmz5K1BSJYiiVfo/XLfAtywNk+nvxL88COxhBl49WVVW1qhuSiCd VXNEjt3J9jgieWaBvcYB0O1ko/hVETFpulyVkE24WH8kmBXFhUmu9S0CRB1dp5H1 0ozIlVwihn3PZQWAFYT4tjKh6Xffldttq41i7nRAyDnqI0HSjXExy6WhrFhBnZkO sy4CPuPPKYqYnZbpmMyUJLyW/+mnMH2SyqkFreI+YQHNHV8HXncIcg06zbkcJS25 u+b/qJJy/s00BXPOAWW3q7zbGXGJ+JxhZKnbHAlGYZHMtt+ZaQZ7nMVbL5jVI/Sm XwIDAQAB -----END PUBLIC KEY-----

Compare to the content of:

cat noicodesigners-public-key.pem

Optional: Validate the code signing certificate. Validate the certificate that was used to sign the software:

openssl x509 -inform pem -in noicodesigners-certificate.pem -noout -subject -issuer -startdate -enddate

Output:

subject= /C=US/ST=New York/L=Armonk/O=International Business Machines Corporation/OU=IBM CCSS/CN=International Business Machines Corporation
issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
notBefore=Nov 2 00:00:00 2020 GMT
notAfter=Nov 6 23:59:59 2022 GMT

Verify that the certificate has not been revoked:

openssl ocsp -no_nonce -issuer noicodesigners-certificate-chain.pem -cert noicodesigners-certificate.pem -VAfile noicodesigners-certificate-chain.pem -text -url http://ocsp.digicert.com
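The steps above can be chained so that a script fails closed instead of relying on someone reading "Verified OK". The following is an added example, not IBM's or this wiki's own code. The function names, return codes and the throwaway self-signed fixture are assumptions of the example, and the OCSP step is left out because it needs network access.

```bash
#!/usr/bin/env bash
# Added example: the page's manual checks chained in one function.
# Return codes (this example's own convention):
#   0 ok, 1 signature failed, 2 public key does not match certificate,
#   3 certificate is past its notAfter date

# Re-encode a PEM public key so wrapping or whitespace cannot affect comparison.
canonical_pubkey() { openssl pkey -pubin -pubout 2>/dev/null; }

verify_package() {
    local pkg="$1" sig="$2" pubkey="$3" cert="$4" file_key cert_key

    # The key used for verification must be the one inside the certificate;
    # otherwise "Verified OK" only shows that the files agree with each other.
    file_key=$(canonical_pubkey < "$pubkey") || return 2
    cert_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | canonical_pubkey) || return 2
    [ -n "$file_key" ] && [ "$file_key" = "$cert_key" ] || return 2

    # -checkend 0 exits non-zero once notAfter has passed.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 3

    # Same command as on the page; the exit status replaces reading the output.
    openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$pkg" >/dev/null 2>&1 || return 1
}

# Constructed fixture: throwaway self-signed signer and a fake "package".
make_fixture() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed signer" \
        -keyout "$d/key.pem" -out "$d/cert.pem" >/dev/null 2>&1 || return 1
    openssl pkey -in "$d/key.pem" -pubout -out "$d/pub.pem" || return 1
    printf 'constructed package bytes\n' > "$d/pkg.rpm"
    openssl dgst -sha256 -sign "$d/key.pem" -out "$d/pkg.rpm.sig" "$d/pkg.rpm"
}

# Usage: script.sh PACKAGE SIGNATURE PUBLIC_KEY CERTIFICATE
if [ "$#" -eq 4 ]; then
    verify_package "$@"; rc=$?
    echo "verify_package exit code: $rc"
    exit "$rc"
fi
```

A certificate whose notAfter date has passed, like the 2022 one in the sample output above, yields return code 3 even when the signature itself is intact, so the caller can treat that case separately.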