With the release of Db2 11.5.7, IBM has finally started providing cryptographically signed installation image files. This matters because the signature gives you a way to verify that the installation image was neither tampered with nor corrupted during download. Unfortunately, IBM does not provide instructions for verifying the image, but the check is quite simple.

When you visit Fix Central to download the Db2 11.5.7 code for Linux or UNIX, you will now be presented with three files to download:

[Image: Db2 Software Download Integrity]

These files are as follows:

  1. A file called publicKey.pem, which contains the public portion of the key that IBM used to sign the installation image.
  2. The installation image file (for example: v11.5.7_linuxx64_server_dec.tar.gz). This file is no different from what you’ve downloaded in earlier releases.
  3. A signature file (for example: v11.5.7_linuxx64_server_dec.tar.gz.sig), which contains the cryptographic signature for the installation image file.

Although the signature and public key files are not necessary to install Db2, they are required in order to verify the integrity of the installation image. While the signature file is unique to each individual installation image, the public key file is common for all installation images, regardless of platform.

Verification requires that you have the OpenSSL utility. This tool is commonly installed with most Linux distributions. If your company does not allow openssl to be installed on the Db2 server, the installation image can be verified on a different machine after downloading it from Fix Central.

To verify the installation image, execute the following command:

$ openssl dgst -verify publicKey.pem -sha256 \
    -signature v11.5.7_linuxx64_server_dec.tar.gz.sig \
    -binary v11.5.7_linuxx64_server_dec.tar.gz
Verified OK

The command will run for a few seconds in order to calculate the SHA256 message digest for the installation image. If the signature matches, the openssl utility will display the Verified OK message shown above.

If the installation image does not match the signature, OpenSSL will indicate that there was a Verification Failure. If you receive a failure, you should re-download the files from IBM and perform the verification again. If you continue to receive a verification failure, you should contact IBM Support.
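The check above can be wrapped in a small shell function so that scripts (for example, an unattended install) only proceed on an exact "Verified OK" result. The following is an added example, not part of the original post or of IBM's tooling: it generates its own throwaway RSA key pair and a stand-in "image" file so that both the success and the failure path can be exercised offline. The key pair, the image contents and the file names are constructed for the demonstration and are not IBM's publicKey.pem or a real Db2 image.

```shell
#!/bin/sh
# Added example (not from the original post): verify a detached RSA/SHA-256
# signature with openssl dgst and exercise both outcomes against a constructed
# key pair. Nothing here is IBM's key or a real Db2 installation image.
set -u

# verify_image PUBKEY SIGFILE IMAGE
# Returns 0 only when openssl reports "Verified OK" for IMAGE against SIGFILE
# using the public key in PUBKEY; any other outcome (including a missing file
# or a malformed key) returns 1. stderr is suppressed so callers see a clean
# yes/no answer.
verify_image() {
    pubkey=$1
    sig=$2
    image=$3
    if out=$(openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$image" 2>/dev/null) \
        && [ "$out" = "Verified OK" ]; then
        return 0
    fi
    return 1
}

# build_fixture DIR
# Creates a constructed demo key pair, a small stand-in image file and a
# detached signature over it inside DIR. This plays the role of IBM's
# publicKey.pem, .tar.gz and .tar.gz.sig downloads for the demonstration only.
build_fixture() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/private.pem" 2>/dev/null
    openssl pkey -in "$dir/private.pem" -pubout -out "$dir/publicKey.pem" 2>/dev/null
    printf 'constructed stand-in for a Db2 installation image\n' > "$dir/image.tar.gz"
    openssl dgst -sha256 -sign "$dir/private.pem" \
        -out "$dir/image.tar.gz.sig" "$dir/image.tar.gz"
}

# demo: verify the intact file, then corrupt it by one byte and verify again.
demo() {
    dir=$(mktemp -d)
    build_fixture "$dir"

    if verify_image "$dir/publicKey.pem" "$dir/image.tar.gz.sig" "$dir/image.tar.gz"; then
        echo "intact image:   Verified OK"
    else
        echo "intact image:   unexpected verification failure"
    fi

    # A single appended byte models a truncated/corrupted or altered download.
    printf 'X' >> "$dir/image.tar.gz"
    if verify_image "$dir/publicKey.pem" "$dir/image.tar.gz.sig" "$dir/image.tar.gz"; then
        echo "modified image: unexpectedly verified"
    else
        echo "modified image: Verification Failure (as expected)"
    fi

    rm -rf "$dir"
}

demo
```

Two details are worth noting. The function compares the whole stdout line to "Verified OK" rather than trusting the exit code alone, so a wrapper script cannot be fooled by an openssl build that prints a different message. It also omits the `-binary` flag from the original command, which only controls how a digest is printed and has no effect on `-verify`. Finally, the check proves only that the image matches a signature made with the private key belonging to publicKey.pem, so the public key itself should be taken from IBM's Fix Central download page rather than from an untrusted copy of the image.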
