# verify-v2.md

File metadata and controls

80 lines (54 loc) · 2.74 KB

Table of Contents generated with DocToc

## Download public keys

Please follow the instructions provided here.

## Check Certificate/Key Validity and Archives

### Check Certificate/Key Validity

Verify that the certificate/key is owned by IBM:

Note: On Windows, run the commands below from Git Bash.

```sh
openssl x509 -inform pem -in ibm-pak-plugin.pem.cer -noout -text
```

Verify the authenticity of the certificate/key (OCSP revocation check against the issuer chain):

```sh
openssl ocsp -no_nonce -issuer ibm-pak-plugin.pem.chain -cert ibm-pak-plugin.pem.cer -VAfile ibm-pak-plugin.pem.chain -text -url http://ocsp.digicert.com -respout ocsptest
```

You should see output that contains:

```
Response verify OK
```

### Optionally compare the certificate and the public key

Check the public key details:

```sh
openssl rsa -noout -text -inform PEM -in ibm-pak-plugin.pem.pub.key -pubin
```

Make a note of the Modulus and Exponent values.

Check the certificate details:

```sh
openssl x509 -inform pem -in ibm-pak-plugin.pem.cer -noout -text
```

Check the Public-Key section in the output and compare it with the previous result; the Modulus and Exponent must match.

### Verify Archive

We will verify oc-ibm_pak-linux-amd64.tar.gz. The steps are the same for the other archives.

Convert the signature from base64 to bytes:

```sh
export ARCHIVE=oc-ibm_pak-linux-amd64.tar.gz
openssl enc -d -A -base64 -in "${ARCHIVE}.sig" -out "/tmp/${ARCHIVE}.decoded.sig"
```

Verify the signature bytes:

```sh
export ARCHIVE=oc-ibm_pak-linux-amd64.tar.gz
openssl dgst -verify ibm-pak-plugin.pem.pub.key -keyform PEM -sha256 -signature "/tmp/${ARCHIVE}.decoded.sig" -binary "${ARCHIVE}"
```
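The following script is an added example, not part of the ibm-pak-plugin repository: it wraps the key-versus-certificate comparison and the two archive steps above in functions, and exercises them against a constructed self-signed key pair and a fake archive (so no IBM files are needed), including a tampered copy that must fail verification. The file names under `$WORK` and the `/CN=constructed-signer` subject are assumptions for the demo.

```sh
# Added example (not the project's code): runs the page's checks against
# constructed fixtures so the whole flow can be tried offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed fixtures: a self-signed cert, its public key, a small
# "archive", and a single-line base64 .sig in the same format as the page's.
make_fixtures() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-signer" \
        -keyout "$WORK/signer.key" -out "$WORK/signer.cer" 2>/dev/null
    openssl pkey -in "$WORK/signer.key" -pubout -out "$WORK/signer.pub.key"
    printf 'constructed archive contents\n' >"$WORK/demo.tar.gz"
    openssl dgst -sha256 -sign "$WORK/signer.key" -out "$WORK/raw.sig" "$WORK/demo.tar.gz"
    openssl enc -A -base64 -in "$WORK/raw.sig" -out "$WORK/demo.tar.gz.sig"
    # A tampered copy that reuses the genuine signature file.
    { cat "$WORK/demo.tar.gz"; printf 'extra byte\n'; } >"$WORK/tampered.tar.gz"
    cp "$WORK/demo.tar.gz.sig" "$WORK/tampered.tar.gz.sig"
}

# Instead of comparing Modulus and Exponent by eye, hash both public keys
# in DER form: the standalone .pub.key and the one embedded in the .cer.
pubkey_matches_cert() {
    a=$(openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    b=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}')
    [ "$a" = "$b" ]
}

# The page's archive steps: base64-decode ARCHIVE.sig, then verify the
# RSA/SHA-256 signature over the archive bytes with the public key.
verify_archive() {
    archive=$1 pub=$2
    decoded="$WORK/$(basename "$archive").decoded.sig"
    openssl enc -d -A -base64 -in "${archive}.sig" -out "$decoded"
    openssl dgst -verify "$pub" -keyform PEM -sha256 -signature "$decoded" -binary "$archive"
}

make_fixtures
pubkey_matches_cert "$WORK/signer.pub.key" "$WORK/signer.cer" \
    || { echo "public key does not match certificate" >&2; exit 1; }
echo "public key matches certificate"
verify_archive "$WORK/demo.tar.gz" "$WORK/signer.pub.key"      # prints "Verified OK"
if verify_archive "$WORK/tampered.tar.gz" "$WORK/signer.pub.key"; then
    echo "tampered archive must not verify" >&2; exit 1
fi
```

Point `verify_archive` at a real archive and the downloaded `ibm-pak-plugin.pem.pub.key` to reuse it outside the demo.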