Philippe, yes, it is the GIMPAF2.XML file in the GIMZIP package that is signed. Yes, all IBM z/OS software service and product packages are signed. It appears you may already have the proper setup, but in case others are interested, you can read here about the required root certificate and security manager controls which enable SMP/E to verify package signatures.
https://www.ibm.com/docs/en/zos/3.1.0?topic=guide-preparing-verify-signatures-gimzip-packages
------------------------------
Kurt Quackenbush
IBM, z/OS SMP/E and z/OSMF Software Management
kurtq@us.ibm.com
------------------------------
Original Message:
Sent: Mon May 19, 2025 05:56 AM
From: philippe richard
Subject: SMP/E package signature
Quick question: when the documentation talks about package signature, is it in fact the GIMPAF2.XML file that is signed? When I run GIMUNZIP I receive a message like:
SIGNATURE VALIDATION FOR FILE "/z/z04683/Hooli/GIMPAF2.XML" WAS SUC
BY A CERTIFICATE WITH SUBJECT NAME "CN=IBM Z Systems Software Produ
Signing, O=IBM Corporation, C=US", SERIAL NUMBER "15" AND SHA256 FI
"3cc6085e5834cddda61d23911cfcb7e1aadd1bfc7ff09d4a31af564f1dfe45e7".
"CN=STG Code Signing CA - G2, OU=IBM Code Signing, O=IBM Corporatio
Which tends to tell that it was GIMPAF2.XML which was validated as a signature package. Is that so? Having the GIMPAF2.XML, the signature in this file and the public key of the certificate, how can I validate the signature (using openssl maybe?)
Also when you read https://www.ibm.com/support/pages/apar/IO28360, it says:
"** IBM plans to sign product packages (CBPDO and ServerPac) starting in May 2023 and service packages in 3Q2023. **"
Are the service packages (RSU, PTFs, HOLDDATA) already signed by IBM?
Thank you
------------------------------
philippe richard
------------------------------