Verifying Open Liberty release package signatures
You can use signature files and the corresponding public key to verify the authenticity and integrity of an Open Liberty release package. Signature files are produced for every package of an Open Liberty release.
Signature files are available for Open Liberty releases in version 18.104.22.168 and later. The Open Liberty project uses its private key to digitally sign each Open Liberty release. You can use the Open Liberty public key to check the signature, verify that the package was released by Open Liberty, and that it was not modified since its release.
You can verify a release package either locally, by using the
openssl command and a
*.sig file, or on Maven Central, by using the
Verifying Open Liberty release package signatures with OpenSSL
To verify an Open Liberty release package locally, you must first download an Open Liberty
.zip package, the corresponding
*.sig file, and the Open Liberty public key. You can then run the
openssl command to verify the package signature.
Go to the Download package section of the Open Liberty Get Started page and download an Open Liberty
.zippackage and its corresponding
Obtain the public key file by using the public key link on the Get Started page. Save the public key file from your browser as a
After you download the files, you can run the following openssl command from the command line to verify the package.
openssl dgst -sha256 -verify OpenLiberty_02-13-2023.pem -signature openliberty-kernel-22.214.171.124.zip.sig openliberty-kernel-126.96.36.199.zip
This example uses the
OpenLiberty_02-13-2023.pem public key file and
openliberty-kernel-188.8.131.52.zip.sig signature file to verify the
openliberty-184.108.40.206.zip release package.
Replace the signature file and package version values according to the package that you want to verify.
Verify Open Liberty package signatures on Maven Central
To verify Open Liberty packages on Maven Central, you must first download the public key to your local machine by using the gpg or gpg2 command. You must edit the trust level for the key owner. You can then use this key to remotely verify an Open Liberty .asc release file on Maven Central.
Run the following command to download the public key file. The key ID value for the public key is
gpg2 --keyserver hkp://keyserver.ubuntu.com --recv-keys 9E68CA00
gpg2 --edit-keycommand to set the trust for the key owner to 5.
The following examples show the
gpg2 --edit-keycommand and the console output that it generates.
[root]$ gpg2 --edit-key "International Business Machines Corporation [email protected]" gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. pub rsa4096/BD9FD5BE9E68CA00 created: 2023-02-10 expires: 2027-02-09 usage: SCE trust: unknown validity: unknown [ unknown] (1). International Business Machines Corporation [email protected]
When you run the
gpg2 --edit-keycommand, the console displays information about the key owner, followed by an internal command prompt. At this prompt, enter the
trustcommand, as shown in the following example.
gpg> trust pub rsa4096/BD9FD5BE9E68CA00 created: 2023-02-10 expires: 2027-02-09 usage: SCE trust: unknown validity: unknown [ unknown] (1). International Business Machines Corporation [email protected]
You are then prompted to select a level of trust. Enter
5and confirm your choice by entering
Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu Your decision? 5 Do you really want to set this key to ultimate trust? (y/N) y
Verify the file by running the
gpg2 --verifycommand. The following example verifies the Open Liberty 220.127.116.11 release package.
gpg2 --verify openliberty-runtime-18.104.22.168.zip.asc
If the verification is successful, the command produces console output that is similar to the following example.
gpg: assuming signed data in 'openliberty-runtime-22.214.171.124.zip' gpg: Signature made Thu 02 Mar 2023 09:02:22 AM PST gpg: using RSA key E70E5D6C3F1E452CB0F67DF1BD9FD5BE9E68CA00 gpg: Good signature from "International Business Machines Corporation <[email protected]>" [ultimate]