Verifying Open Liberty release package signatures

You can use signature files and the corresponding public key to verify the authenticity and integrity of an Open Liberty release package. Signature files are produced for every package of an Open Liberty release.

Signature files are available for Open Liberty releases in version 22.0.0.1 and later. The Open Liberty project uses its private key to digitally sign each Open Liberty release. You can use the Open Liberty public key to check the signature, verify that the package was released by Open Liberty, and that it was not modified since its release.

You can verify a release package either locally, by using the openssl command and a *.sig file, or on Maven Central, by using the gpg command.

Verifying Open Liberty release package signatures with OpenSSL

To verify an Open Liberty release package locally, you must first download an Open Liberty .zip package, the corresponding *.sig file, and the Open Liberty public key. You can then run the openssl command to verify the package signature.

  1. Go to the Download package section of the Open Liberty Get Started page and download an Open Liberty .zip package and its corresponding *.sig file.

  2. Obtain the public key file by using the public key link on the Get Started page. Save the public key file from your browser as a .pem file.

  3. After you download the files, you can run the following openssl command from the command line to verify the package.

openssl dgst -sha256 -verify OpenLiberty_02-13-2023.pem -signature openliberty-kernel-23.0.0.2.zip.sig openliberty-kernel-23.0.0.2.zip

This example uses the OpenLiberty_02-13-2023.pem public key file and openliberty-kernel-23.0.0.2.zip.sig signature file to verify the openliberty-23.0.0.2.zip release package. Replace the signature file and package version values according to the package that you want to verify.

Results

If the verification is successful, the command produces the following console output.

Verified OK

Verify Open Liberty package signatures on Maven Central

To verify Open Liberty packages on Maven Central, you must first download the public key to your local machine by using the gpg or gpg2 command. You must edit the trust level for the key owner. You can then use this key to remotely verify an Open Liberty .asc release file on Maven Central.

  1. Run the following command to download the public key file. The key ID value for the public key is 9E68CA00.

    gpg2 --keyserver hkp://keyserver.ubuntu.com --recv-keys 9E68CA00
  2. Use the gpg2 --edit-key command to set the trust for the key owner to 5.

    The following examples show the gpg2 --edit-key command and the console output that it generates.

    [root]$ gpg2 --edit-key "International Business Machines Corporation [email protected]"
    gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    pub rsa4096/BD9FD5BE9E68CA00
       created: 2023-02-10 expires: 2027-02-09 usage: SCE
       trust: unknown validity: unknown
    [ unknown] (1). International Business Machines Corporation [email protected]

    When you run the gpg2 --edit-key command, the console displays information about the key owner, followed by an internal command prompt. At this prompt, enter the trust command, as shown in the following example.

    gpg> trust
    pub rsa4096/BD9FD5BE9E68CA00
       created: 2023-02-10 expires: 2027-02-09 usage: SCE
       trust: unknown validity: unknown
    [ unknown] (1). International Business Machines Corporation [email protected]

    You are then prompted to select a level of trust. Enter 5 and confirm your choice by entering y.

    Please decide how far you trust this user to correctly verify other users' keys
    (by looking at passports, checking fingerprints from different sources, etc.)
    
    1 = I don't know or won't say
    2 = I do NOT trust
    3 = I trust marginally
    4 = I trust fully
    5 = I trust ultimately
    m = back to the main menu
    
    Your decision? 5
    Do you really want to set this key to ultimate trust? (y/N) y
  3. Verify the file by running the gpg2 --verify command. The following example verifies the Open Liberty 23.0.0.2 release package.

    gpg2 --verify openliberty-runtime-23.0.0.2.zip.asc

Results

If the verification is successful, the command produces console output that is similar to the following example.

gpg: assuming signed data in 'openliberty-runtime-23.0.0.2.zip'
gpg: Signature made Thu 02 Mar 2023 09:02:22 AM PST
gpg:                using RSA key E70E5D6C3F1E452CB0F67DF1BD9FD5BE9E68CA00
gpg: Good signature from "International Business Machines Corporation <[email protected]>" [ultimate]