verify-v2.md

Download public keys

Retrieve the latest public keys (example with wget):

wget https://raw.githubusercontent.com/IBM/cloud-pak-cli/master/certificates/cloudctl.pem.cer
wget https://raw.githubusercontent.com/IBM/cloud-pak-cli/master/certificates/cloudctl.pem.chain
wget https://raw.githubusercontent.com/IBM/cloud-pak-cli/master/certificates/cloudctl.pem.pub.key

Check Certificate/Key Validity and Archives

Check Certificate/Key Validity

Verify that the certificate/key is owned by IBM:

Note: On Windows, run the commands below from Git Bash.

openssl x509 -inform pem -in cloudctl.pem.cer -noout -text

Verify authenticity of certificate/key:

openssl ocsp -no_nonce -issuer cloudctl.pem.chain -cert cloudctl.pem.cer -VAfile cloudctl.pem.chain -text -url http://ocsp.digicert.com -respout ocsptest

The output should contain:

Response verify OK

Optionally compare the certificate and the public key

Check public key details

openssl rsa -noout -text -inform PEM -in cloudctl.pem.pub.key -pubin

Make a note of the Modulus and Exponent.

Check certificate details

openssl x509 -inform pem -in cloudctl.pem.cer -noout -text

Check the Public-Key section in the output and compare with previous result.

Verify Archive

We will verify cloudctl-linux-amd64.tar.gz. The steps are the same for other archives.

Convert the signature from base64 to bytes

export ARCHIVE=cloudctl-linux-amd64.tar.gz
openssl enc -d -A -base64 -in "${ARCHIVE}.sig" -out "/tmp/${ARCHIVE}.decoded.sig"

Verify the signature bytes:

export ARCHIVE=cloudctl-linux-amd64.tar.gz
openssl dgst -verify cloudctl.pem.pub.key -keyform PEM -sha256 -signature "/tmp/${ARCHIVE}.decoded.sig" -binary "${ARCHIVE}"
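
The two archive steps above can be wrapped in one fail-closed check for use in scripts. This is an added example, not code from the IBM/cloud-pak-cli repository; the function names `verify_archive` and `make_fixture` and all fixture file names are hypothetical, and the fixture uses a constructed throwaway key and a stand-in archive so the check can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example: fail-closed wrapper around the decode + verify steps.

# verify_archive <archive> <public-key.pem>
# Returns 0 only when openssl prints "Verified OK", 1 on a bad or
# undecodable signature, 2 when an input file is missing or empty.
verify_archive() {
  local archive="$1" pubkey="$2" sig result=1
  [ -s "$archive" ] && [ -s "${archive}.sig" ] && [ -s "$pubkey" ] || return 2
  # Private temp file rather than a predictable name under /tmp
  # (assumption: mktemp is available on the host).
  sig=$(mktemp) || return 2
  if openssl enc -d -A -base64 -in "${archive}.sig" -out "$sig" 2>/dev/null &&
     [ "$(openssl dgst -verify "$pubkey" -keyform PEM -sha256 \
            -signature "$sig" -binary "$archive" 2>/dev/null)" = "Verified OK" ]; then
    result=0
  fi
  rm -f "$sig"
  return "$result"
}

# make_fixture: builds CONSTRUCTED test inputs (throwaway RSA key, stand-in
# archive, base64 signature) and prints the directory that holds them.
make_fixture() {
  local d
  d=$(mktemp -d) || return 1
  openssl genrsa -out "$d/test.key" 2048 >/dev/null 2>&1 || return 1
  openssl rsa -in "$d/test.key" -pubout -out "$d/test.pub.key" >/dev/null 2>&1 || return 1
  printf 'constructed archive contents\n' > "$d/demo.tar.gz"
  openssl dgst -sha256 -sign "$d/test.key" -out "$d/demo.sig.bin" \
    "$d/demo.tar.gz" >/dev/null 2>&1 || return 1
  openssl enc -A -base64 -in "$d/demo.sig.bin" -out "$d/demo.tar.gz.sig" || return 1
  printf '%s\n' "$d"
}

# Usage with the files from this page:
#   verify_archive cloudctl-linux-amd64.tar.gz cloudctl.pem.pub.key || exit 1
```

Checking the literal `Verified OK` output, rather than trusting only the exit status, keeps the result closed if the decode step yields an empty or truncated signature file.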