Informix

  • 1.  Verify Signature on IDS 14.10 download

    Posted Thu April 27, 2023 12:13 PM

    Hi Family.
    I have not posted for a long time because I no longer had my own Informix environment.  (That PC had died.)  Now I'm trying to get started creating a new one. Starting up posting again, in my usual concise (ahem) manner:

     I've downloaded:
    - ibm.ids.14.10.FC10.LNX.tar
    - ibm.csdk.4.50.FC10.LNX.tar
    (Will be downloading Aubit soon as well.  Thanks, Art.)
    (Side note: The bullet setting does not seem to work in this posting page.)

    In the first untar of the ids TAR file, I find instructions in README.codesign to verify signatures, as per
    https://www.ibm.com/docs/en/nasm/1.1.10?topic=verify-digital-signatures.
    The first instruction on that page is to verify the file with a command line like this example:

    openssl dgst -sha256 -verify noicodesigners-public-key.pem -signature nasm-common-1.1.10-7.x86_64.rpm.sig nasm-common-1.1.10-7.x86_64.rpm

    OK, not the same exact file names for me. I can satisfy some options in my version:
    openssl dgst -sha256 -verify informix.pem -signature ibm.ids.14.10.FC10.LNX.tar.sig
    Alas, the sample mentions a file with suffix "rpm": nasm-common-1.1.10-7.x86_64.rpm

    No .rpm file has shown up after that first tar -xvf command. And there is no rpm string in the extracted tar file either:
    $ tar tvf ibm.ids.14.10.FC10.LNX.tar | grep rpm

    (I have created public & private keys for user informix (ssh-addkey) but it seems somehow irrelevant.)

    If I run the above openssl command without the rpm parameter it just sits there until I kill it.  (I'm running it as user informix)

    I also wonder if I can proceed without verifying the "signature" or would I just be asking for trouble down the road if I skip that?

    Thanks much for helpful advice.




    ------------------------------
    Jacob Salomon
    ---
    Nobody goes there anymore, it's too crowded.  --Attr: Yogi Berra
    ------------------------------


  • 2.  RE: Verify Signature on IDS 14.10 download

    Posted Tue May 02, 2023 12:19 AM

    Hi Jacob,

    > If I run the above openssl command without the rpm parameter it just sits
    > there util I kill it.

    That's because it is waiting for input.  You need to provide the actual file
    name of the tarball you want to check the signature of (your last argument
    is missing--see below).

    source:  https://www.ibm.com/docs/en/informix-servers/14.10?topic=overview-verify-digital-signatures

    Informix 14.10.xC9 and above now include digital signatures, so the
    tar/zip file you download contains:
    * Original *.zip or *.tar media file
    * Signature file, has same name as the media file with .sig extension
    * Informix public key file: informix.pem

    To verify signature:
    a) extract original tar or zip file that you downloaded
    b) Use openssl to verify signatures:

    For example:
    $ openssl dgst -sha256 -verify informix.pem \
            -signature ibm.ids.14.10.FC10.LNX.tar.sig \
            ibm.ids.14.10.FC10.LNX.tar
    Verified OK

    The actual Informix installer is in the tarball within the tarball you
    downloaded.  There is no RPM file for the Informix installer.  You have
    to extract the file ibm.ids.14.10.FC10.LNX.tar and then run ./ids_install.

    You are not required to verify the signature but it is best practice to do
    so to ensure your download is authentic.


    > I have created public & private keys for user informix (ssh-addkey)
    > but it seems somehow irrelevant.)

    This is unnecessary for the signature verification and the Informix install.


    Here's a script you can use to verify the signature.
    Save it as /home/informix/bin/checksig and make it executable.
    $ chmod 0755 /home/informix/bin/checksig
    Add /home/informix/bin to the informix users' PATH.

    Download the Informix tarball.
    Make a directory and cd into it.
    Extract the downloaded Informix tarball.
    While still in that directory run checksig and give it the name of the
    .sig file alone, or you can give both the .sig and the tarball name,
    either works.  This works the way "gpg --verify" works where you can just
    give it foo.sig file and it assumes the file you want to check is named "foo".

    Be sure you run this in the directory where you extracted the Informix
    download tarball as the script assumes informix.pem is in the current
    directory.


    $ checksig ibm.ids.14.10.FC10.LNX.tar.sig
    Verified OK

    ....................cut here....................
    #!/bin/sh
    # /home/informix/bin/checksig 0555 informix informix
    #ident  "@(#)checksig   1.1     23/02/08 23:01:05 thinkunix.net"
    # verify digital signature of Informix 14.10.xC9 and above downloads
    # source:  https://www.ibm.com/docs/en/informix-servers/14.10?topic=overview-verify-digital-signatures
    #
    # Informix archive (tar or zip file) from IBM contains:
    #       a) original informix tar or zip file
    #       b) .sig file
    #       c) informix.pem file used to verify signature

    case "$#" in
    1)
            # only the .sig given: the archive is that name minus ".sig"
            SIG="$1"
            ARCHIVE=$(basename "$SIG" .sig)
            ;;
    2)
            SIG="$1"
            ARCHIVE="$2"
            ;;
    *)
            echo "$0 verifies a digital signature of an Informix download."
            echo "Download Informix from IBM and extract tar or zip file."
            echo "Next run this script supplying the name of the .sig file,"
            echo "and optionally the name of the tar or zip file (matches"
            echo "the name of the .sig file without the '.sig' extension)."
            echo
            echo "Usage:  $0 FILE.sig [FILE.tar|FILE.zip]"
            exit 1
            ;;
    esac

    # openssl reads stdin when the archive argument is missing (that is the
    # "just sits there" symptom), so insist that all three files exist first
    for f in ./informix.pem "$SIG" "$ARCHIVE"; do
            [ -f "$f" ] || { echo "$0: $f not found in $(pwd)" >&2; exit 1; }
    done

    # exit status is openssl's: 0 on "Verified OK", 1 on "Verification Failure"
    exec /usr/bin/openssl dgst -sha256 -verify ./informix.pem \
            -signature "$SIG" "$ARCHIVE"


    IBM should probably update their documentation (e.g. README.codesign)
    to give an example for the actual Informix product, not refer to some other
    unrelated product.

    scot
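The three outcomes discussed in the thread (a genuine file, a modified file, and the command "sitting there" when the archive name is left off), run end to end as an added example. This is not code from the thread or from IBM: it stands in for IBM's key pair with a throwaway RSA key, and every file name below (signer.key, ibm.example.tar, tampered.tar) is constructed; only the `openssl dgst -sha256 -verify` invocation is the same as the real check.

```shell
#!/bin/sh
# Added example, not from the thread or from IBM: a self-contained run of the
# "openssl dgst -sha256 -verify" check against a constructed archive, using a
# throwaway key pair in place of IBM's. All file names here are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway signing key; informix.pem is its public half, as in the download.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out signer.key >/dev/null 2>&1
openssl pkey -in signer.key -pubout -out informix.pem

# Constructed "media file" and its detached signature (what IBM ships as .sig).
printf 'constructed archive contents\n' > ibm.example.tar
openssl dgst -sha256 -sign signer.key -out ibm.example.tar.sig ibm.example.tar

# A copy with one byte appended: same signature file, different content.
cp ibm.example.tar tampered.tar
printf 'x' >> tampered.tar

# verify_sig PUBKEY SIGFILE ARCHIVE: exit 0 on "Verified OK", 1 otherwise.
verify_sig() {
        openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# Case 1: the untouched archive verifies against its .sig.
verify_genuine() {
        verify_sig informix.pem ibm.example.tar.sig ibm.example.tar
}

# Case 2: any change to the archive makes the same .sig fail.
verify_tampered() {
        verify_sig informix.pem ibm.example.tar.sig tampered.tar
}

# Case 3: the symptom from the question. With no archive argument openssl
# hashes stdin, so on a terminal it waits for input. Feeding it an empty
# stdin shows what it was doing: it hashes nothing and the check fails.
verify_without_archive() {
        openssl dgst -sha256 -verify informix.pem \
                -signature ibm.example.tar.sig </dev/null >/dev/null 2>&1
}

verify_genuine         && echo "genuine archive:  Verified OK"
verify_tampered        || echo "tampered archive: Verification Failure"
verify_without_archive || echo "no archive given: Verification Failure (stdin was empty)"
```

The exit status is what a script should branch on: openssl returns 0 only for "Verified OK", so a wrapper like the checksig script above can be chained with `&&` before running ./ids_install.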




  • 3.  RE: Verify Signature on IDS 14.10 download

    Posted Wed May 03, 2023 12:41 PM

    WOW Scot!  That's all there was to it!

    The example in the README gave a different suffix in the example, .rpm rather than .tar. Hence, in my literal-minded mode, channeling my inner Amelia Bedelia, I failed to realize that .rpm was merely an alternate suffix for a download.  (BTW, if you don't recognize the Amelia Bedelia reference, you have been cheated out of a childhood delight.)  In any case I did append the .tar file name to the command and it Verified OK.  So this is solved.  I wonder what I will face when it comes to the CSDK but I'll jump off that bridge when I come to it.

    But Scott, judging by the length of your answer, you seem to be channeling your inner Jacob Salomon! <Grin>

    Kidding aside (well, kidding is never too far to the side with me): Thanks for the correct answer, Scott.



    ------------------------------
    Jacob Salomon
    ---
    Nobody goes there anymore, it's too crowded.  --Attr: Yogi Berra
    ------------------------------



  • 4.  RE: Verify Signature on IDS 14.10 download

    Posted Thu May 04, 2023 11:01 PM

    CSDK works the same way.  You get a download tarball:  ibm.csdk.4.50.FC10.LNX.tar
    and in it the CSDK install tarball, .sig and .pem files:

    $ tar -tvf ibm.csdk.4.50.FC10.LNX.tar
    -rw-r--r-- root/root 208322560 2023-03-08 09:02 ibm.csdk.4.50.FC10.LNX.tar
    -rw-r--r-- root/root       512 2023-03-08 12:51 ibm.csdk.4.50.FC10.LNX.tar.sig
    -rw-r--r-- root/root       800 2023-03-08 12:51 informix.pem
    -rw-rw-rw- buildadm/RAND13 1014 2023-03-08 12:51 README.codesign

    Signature verification works the same way, hence why I created a script.

    scot




  • 5.  RE: Verify Signature on IDS 14.10 download

    IBM Champion
    Posted Fri May 05, 2023 01:13 AM


    Hi All,

    https://twitter.com/smooth1x1/status/1622007426781257728 to verify

    The Edition Installer contains the same filename as the base product!

    https://twitter.com/smooth1x1/status/1622007547254243330

    Validating the Edition Installer

    https://twitter.com/smooth1x1/status/1622030823300931585

    Regards,

    David.



    ------------------------------
    David Williams
    ------------------------------



  • 6.  RE: Verify Signature on IDS 14.10 download

    Posted Fri May 05, 2023 10:49 AM

    I was working with a client today and after downloading CSDK FC10 (and FC9 later) for AIX, was able to verify the files via tar -tvf, but when trying to extract via tar -xvf they received an end of file error on the CSDK tar file.  The obvious question was ASCII vs. binary copy, but the download from the new resources site, https://www.ibm.com/resources/mrs/assets?source=ifxids&lang=en_US, was using the HTML download and the copy from laptop to AIX was via Filezilla in binary mode.  This is an AIX 7.1 host (yes, it just went out of support and they are upgrading to 7.2).

    Has anyone seen the end of file error on the CSDK tar file(s) from the resources site?

    Thanks,
    Gary



    ------------------------------
    Gary Andrus
    ------------------------------



  • 7.  RE: Verify Signature on IDS 14.10 download

    Posted Fri May 05, 2023 10:57 AM

    Just after I posted my message, I got an update from the client resource:

    OK, found the problem with the SDK file.  The name of the tar file is the same name of a tar file contained within the tar file.  By renaming the base tar file and THEN doing the tar xvf it worked fine.



    ------------------------------
    Gary Andrus
    ------------------------------