Verifying Open Liberty release package signatures
You can use signature files and the corresponding public key to verify the authenticity and integrity of an Open Liberty release package. Signature files are produced for every package of an Open Liberty release.
Signature files are available for Open Liberty releases in version 22.214.171.124 and later. The Open Liberty project uses its private key to digitally sign each Open Liberty release. You can use the Open Liberty public key to check the signature, verify that the package was released by Open Liberty, and that it was not modified since its release.
You can verify a release package either locally, by using the
openssl command and a
*.sig file, or on Maven Central, by using the
Verifying Open Liberty release package signatures with OpenSSL
To verify an Open Liberty release package locally, you must first download an Open Liberty
.zip package, the corresponding
.sig file, and the Open Liberty public key. You can then run the
openssl command to verify the package signature.
Go to the Download package section of the Open Liberty Get Started page and download an Open Liberty
.zippackage and its corresponding
Obtain the public key file by using the public key link on the Get Started page. Save the public key file from your browser as a
After you download the files, you can run the following OpenSSL command from the command line to verify the package.
openssl dgst -sha256 -verify WebSphereLiberty_06-02-2021.pem -signature openliberty-javaee8-126.96.36.199.zip.sig openliberty-javaee8-188.8.131.52.zip
This example uses the
WebSphereLiberty_06-02-2021.pem public key file and
openliberty-javaee8-184.108.40.206.zip.sig signature file to verify the
openliberty-javaee8-220.127.116.11.zip release package.
Replace the signature file and package version values according to the package that you want to verify.
Verify Open Liberty package signatures on Maven Central
To verify Open Liberty packages on Maven Central, you must first download the public key to your local machine by using the gpg or gpg2 command. You must edit the trust level for the key owner. You can then use this key to remotely verify an Open Liberty .asc release file on Maven Central.
Run the following command to download the public key file. The key ID value for the public key is
gpg2 --keyserver hkp://keyserver.ubuntu.com --recv-keys 46102B8E
gpg2 --edit-keycommand to set the trust for the key owner to 5.
The following examples show the
gpg2 --edit-keycommand and the console output that it generates.
$ gpg2 --edit-key "WebSphere Liberty" gpg (GnuPG/MacGPG2) 2.2.32; Copyright (C) 2021 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. pub rsa4096/4D210F6946102B8E created: 2021-06-02 expires: never usage: SCEA trust: ultimate validity: ultimate [ultimate] (1). WebSphere Liberty (Works for IBM) <[email protected]> [ultimate] (2) WebSphereLiberty
When you run the
gpg2 --edit-keycommand, the console displays information about the key owner, followed by an internal command prompt. At this prompt, enter the
trustcommand, as shown in the following example.
gpg> trust pub rsa4096/4D210F6946102B8E created: 2021-06-02 expires: never usage: SCEA trust: ultimate validity: ultimate [ultimate] (1). WebSphere Liberty (Works for IBM) <[email protected]> [ultimate] (2) WebSphereLiberty
You are then prompted to select a level of trust. Enter
5and confirm your choice by entering
Please decide how far you trust this user to correctly verify other users keys (by looking at passports, checking fingerprints from different sources, etc.) 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu Your decision? 5 Do you really want to set this key to ultimate trust? (y/N) y pub rsa4096/4D210F6946102B8E created: 2021-06-02 expires: never usage: SCEA trust: ultimate validity: ultimate [ultimate] (1). WebSphere Liberty (Works for IBM) <[email protected]> [ultimate] (2) WebSphereLiberty
Verify the file by running the
gpg2 --verifycommand. The following example verifies the Open Liberty 18.104.22.168 release package.
gpg2 --verify openliberty-runtime-22.214.171.124.zip.asc
If the verification is successful, the command produces console output that is similar to the following example.
gpg: assuming signed data in 'openliberty-runtime-126.96.36.199.zip' gpg: Signature made Wed Nov 24 09:02:44 2021 EST gpg: using RSA key 91FFD9A642D060B66B802B9D4D210F6946102B8E gpg: Good signature from "WebSphere Liberty (Works for IBM) <[email protected]>" [ultimate] gpg: aka "WebSphereLiberty" [ultimate]