Original Message:
Sent: Fri May 05, 2023 10:49 AM
From: Gary Andrus
Subject: Verify Signature on IDS 14.10 download
I was working with a client today and after downloading CSDK FC10 (and FC9 later) for AIX, was able to verify the files via tar -tvf, but when trying to extract via tar -xvf they received an end of file error on the CSDK tar file. The obvious question was ASCII vs. binary copy, but the download from the new resources site, https://www.ibm.com/resources/mrs/assets?source=ifxids&lang=en_US, was using the HTML download and the copy from laptop to AIX was via Filezilla in binary mode. This is an AIX 7.1 host (yes, it just went out of support and they are upgrading to 7.2).
Has anyone seen the end of file error on the CSDK tar file(s) from the resources site?
Thanks,
Gary
------------------------------
Gary Andrus
Original Message:
Sent: Thu May 04, 2023 11:01 PM
From: Scot Jenkins
Subject: Verify Signature on IDS 14.10 download
CSDK works the same way. You get a download tarball: ibm.csdk.4.50.FC10.LNX.tar
and in it the CSDK install tarball, .sig and .pem files:
$ tar -tvf ibm.csdk.4.50.FC10.LNX.tar
-rw-r--r-- root/root 208322560 2023-03-08 09:02 ibm.csdk.4.50.FC10.LNX.tar
-rw-r--r-- root/root 512 2023-03-08 12:51 ibm.csdk.4.50.FC10.LNX.tar.sig
-rw-r--r-- root/root 800 2023-03-08 12:51 informix.pem
-rw-rw-rw- buildadm/RAND13 1014 2023-03-08 12:51 README.codesign
Signature verification works the same way, hence why I created a script.
scot
Original Message:
Sent: Wed May 03, 2023 12:41 PM
From: Jacob Salomon
Subject: Verify Signature on IDS 14.10 download
WOW Scot! That's all there was to it!
The example in the README gave a different suffix in the example, .rpm rather than .tar. Hence, in my literal-minded mode, channeling my inner Amelia Bedelia, I failed to realize that .rpm was merely an alternate suffix for a download. (BTW, if you don't recognize the Amelia Bedelia reference, you have been cheated out of a childhood delight.) In any case I did append the .tar file name to the command and it Verified OK. So this is solved. I wonder what I will face when it comes to the CSDK but I'll jump off that bridge when I come to it.
But Scot, judging by the length of your answer, you seem to be channeling your inner Jacob Salomon! <Grin>
Kidding aside (well, kidding is never too far to the side with me): Thanks for the correct answer, Scot.
------------------------------
Jacob Salomon
---
Nobody goes there anymore, it's too crowded. --Attr: Yogi Berra
Original Message:
Sent: Tue May 02, 2023 12:19 AM
From: Scot Jenkins
Subject: Verify Signature on IDS 14.10 download
Hi Jacob,
> If I run the above openssl command without the rpm parameter it just sits
> there until I kill it.
That's because it is waiting for input. You need to provide the actual file
name of the tarball you want to check the signature of (your last argument
is missing--see below).
source: https://www.ibm.com/docs/en/informix-servers/14.10?topic=overview-verify-digital-signatures
Informix 14.10.xC9 and above now include digital signatures, so the
tar/zip file you download contains:
* Original *.zip or *.tar media file
* Signature file, has same name as the media file with .sig extension
* Informix public key file: informix.pem
To verify signature:
a) extract original tar or zip file that you downloaded
b) Use openssl to verify signatures:
For example:
$ openssl dgst -sha256 -verify informix.pem \
-signature ibm.ids.14.10.FC10.LNX.tar.sig \
ibm.ids.14.10.FC10.LNX.tar
Verified OK
The actual Informix installer is in the tarball within the tarball you
downloaded. There is no RPM file for the Informix installer. You have
to extract the file ibm.ids.14.10.FC10.LNX.tar and then run ./ids_install.
You are not required to verify the signature but it is best practice to do
so to ensure your download is authentic.
> I have created public & private keys for user informix (ssh-addkey)
> but it seems somehow irrelevant.)
This is unnecessary for the signature verification and the Informix install.
Here's a script you can use to verify the signature.
Save it as /home/informix/bin/checksig and make it executable.
$ chmod 0755 /home/informix/bin/checksig
Add /home/informix/bin to the informix users' PATH.
Download the Informix tarball.
Make a directory and cd into it.
Extract the downloaded Informix tarball.
While still in that directory run checksig and give it the name of the
.sig file alone, or you can give both the .sig and the tarball name,
either works. This works the way "gpg --verify" works where you can just
give it foo.sig file and it assumes the file you want to check is named "foo".
Be sure you run this in the directory where you extracted the Informix
download tarball as the script assumes informix.pem is in the current
directory.
$ checksig ibm.ids.14.10.FC10.LNX.tar.sig
Verified OK
....................cut here....................
#!/bin/sh
# /home/informix/bin/checksig 0555 informix informix
#ident "@(#)checksig 1.1 23/02/08 23:01:05 thinkunix.net"
# verify digital signature of Informix 14.10.xC9 and above downloads
# source: https://www.ibm.com/docs/en/informix-servers/14.10?topic=overview-verify-digital-signatures
#
# Informix archive (tar or zip file) from IBM contains:
# a) original informix tar or zip file
# b) .sig file
# c) informix.pem file used to verify signature
case "$#" in
1)
    # only the .sig file given: the archive has the same name without .sig
    SIG="$1"
    ARCHIVE=`basename "$SIG" .sig`
    ;;
2)
    SIG="$1"
    ARCHIVE="$2"
    ;;
*)
    echo "$0 verifies a digital signature of an Informix download."
    echo "Download Informix from IBM and extract tar or zip file."
    echo "Next run this script supplying the name of the .sig file,"
    echo "and optionally the name of the tar or zip file (matches"
    echo "the name of the .sig file without the '.sig' extension)."
    echo
    echo "Usage: $0 FILE.sig [FILE.tar|FILE.zip]"
    exit 1
    ;;
esac
# informix.pem must be in the current directory; the exit status is
# openssl's own (0 for "Verified OK", non-zero for "Verification Failure")
/usr/bin/openssl dgst -sha256 -verify ./informix.pem \
    -signature "$SIG" "$ARCHIVE"
....................cut here....................
IBM should probably update their documentation (e.g. README.codesign)
to give an example for the actual Informix product, not refer to some other
unrelated product.
scot
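The verification flow Scot describes above, as an added end-to-end example (not Scot's checksig script and not IBM's tooling): it builds a throwaway RSA key pair and a constructed "archive" so that it runs offline, signs the archive the way IBM signs its downloads, and then runs the same openssl dgst -verify command against the intact file and against a tampered copy. The file names (ibm.ids.demo.tar, the generated informix.pem) are stand-ins chosen for the demo; in real use the archive, the .sig and informix.pem all come out of the downloaded tarball. The wrapper also refuses to call openssl without an archive argument, which is exactly the case where openssl sits waiting on stdin.

```shell
#!/bin/sh
# Added example, not part of the original thread or of IBM's documentation.
# Demonstrates "openssl dgst -sha256 -verify" as used for Informix downloads
# on constructed data, so it can run without a real IBM download.

# verify_sig PEM SIG ARCHIVE
# Returns 0 only when the signature over ARCHIVE checks out against PEM.
# Every argument is checked first: running openssl without the archive
# name makes it read the data from stdin, which looks like a hang.
verify_sig() {
    pem="$1"; sig="$2"; archive="$3"
    [ -n "$pem" ] && [ -r "$pem" ]         || { echo "missing public key: $pem" >&2; return 2; }
    [ -n "$sig" ] && [ -r "$sig" ]         || { echo "missing signature: $sig" >&2; return 2; }
    [ -n "$archive" ] && [ -r "$archive" ] || { echo "missing archive: $archive" >&2; return 2; }
    # openssl prints "Verified OK" or "Verification Failure" and sets
    # its exit status accordingly; that status is what callers should act on.
    openssl dgst -sha256 -verify "$pem" -signature "$sig" "$archive"
}

# make_demo DIR
# Creates the demo material in DIR (all constructed, standing in for IBM's
# informix.pem / .tar / .tar.sig): a signing key, its public half, a fake
# archive and a valid signature over it.
make_demo() {
    dir="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/private.pem" 2>/dev/null || return 1
    openssl pkey -in "$dir/private.pem" -pubout -out "$dir/informix.pem" 2>/dev/null || return 1
    printf 'constructed archive bytes, not a real Informix tarball\n' > "$dir/ibm.ids.demo.tar"
    openssl dgst -sha256 -sign "$dir/private.pem" \
        -out "$dir/ibm.ids.demo.tar.sig" "$dir/ibm.ids.demo.tar"
}

# run_demo: good signature, then the same signature over a tampered archive.
run_demo() {
    d=$(mktemp -d) || return 1
    make_demo "$d" || return 1
    echo "intact archive:"
    verify_sig "$d/informix.pem" "$d/ibm.ids.demo.tar.sig" "$d/ibm.ids.demo.tar"
    # flip the content (append one byte) and verify again with the old .sig
    printf 'x' >> "$d/ibm.ids.demo.tar"
    echo "tampered archive:"
    if verify_sig "$d/informix.pem" "$d/ibm.ids.demo.tar.sig" "$d/ibm.ids.demo.tar"; then
        echo "unexpected: tampered archive accepted" >&2
    else
        echo "tampered archive rejected (non-zero exit status)"
    fi
    rm -rf "$d"
    return 0
}

run_demo
```

The point to take from the tampered run is the exit status, not the printed text: an install script that calls checksig should stop on a non-zero status before running tar -xvf or ./ids_install.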
Original Message:
Sent: Thu April 27, 2023 12:12 PM
From: Jacob Salomon
Subject: Verify Signature on IDS 14.10 download
Hi Family.
I have not posted for a long time because I no longer had my own Informix environment. (That PC had died.) Now I'm trying to get started creating a new one. Starting up posting again, in my usual concise (ahem) manner:
I've downloaded:
- ibm.ids.14.10.FC10.LNX.tar
- ibm.csdk.4.50.FC10.LNX.tar
(Will be downloading Aubit soon as well. Thanks, Art.)
(Side note: The bullet setting does not seem to work in this posting page.)
In the first untar of the ids TAR file, I find instructions in README.codesign to verify signatures, as per
https://www.ibm.com/docs/en/nasm/1.1.10?topic=verify-digital-signatures.
The first instruction on that page is to verify the file with a command line like this example:
openssl dgst -sha256 -verify noicodesigners-public-key.pem -signature nasm-common-1.1.10-7.x86_64.rpm.sig nasm-common-1.1.10-7.x86_64.rpm
OK, not the same exact file names for me. I can satisfy some options in my version:
openssl dgst -sha256 -verify informix.pem -signature ibm.ids.14.10.FC10.LNX.tar.sig
Alas, the sample mentions a file with suffix "rpm": nasm-common-1.1.10-7.x86_64.rpm
No .rpm file has shown up after that first tar -xvf command. And there is no rpm string in the extracted tar file either:
$ tar tvf ibm.ids.14.10.FC10.LNX.tar | grep rpm
(I have created public & private keys for user informix (ssh-addkey) but it seems somehow irrelevant.)
If I run the above openssl command without the rpm parameter it just sits there until I kill it. (I'm running it as user informix)
I also wonder if I can proceed without verifying the "signature" or would I just be asking for trouble down the road if I skip that?
Thanks much for helpful advice.
------------------------------
Jacob Salomon
---
Nobody goes there anymore, it's too crowded. --Attr: Yogi Berra
------------------------------