Verifying installation packages from IBM
If you have a 21CS or Teracloud OEM version of Streams from IBM (i.e., you received an installation package from IBM's Passport Advantage website), you can verify the integrity of the package using the included signature artifacts.
Use OpenSSL to verify that the Streams installation package from IBM has been signed by IBM. Optionally, verify the certificate and public key.
Before you begin
- Ensure that OpenSSL is installed on your system by running the openssl command in your terminal.
  - If not found, install the OpenSSL RPM by executing sudo dnf install openssl.
- Download and extract the product installation tar.gz file:
  - Download the product tar.gz file from an official IBM channel, for example, Passport Advantage.
  - Run the following command:
    tar -xvf Streams-product.tar.gz
    This command will extract the contents of the archive (the signature files and the installer tar.gz file) into the StreamsFiles/ directory.
Procedure
- Change your working directory to StreamsFiles/.
- Verify the digital signatures of the public key, signature file, and installer file.
  Run the command below, replacing X with the fix pack version and Y with the major RHEL version:
  openssl dgst -sha256 -verify OEMStreamskey.pem.pub.key -signature Streams-7.2.1.X-x86_64-elY-installer.tar.gz.cosign.sig Streams-7.2.1.X-x86_64-elY-installer.tar.gz
  For example, the following command can be used to verify the Streams 7.2.1.0 tar.gz for RHEL 9:
  openssl dgst -sha256 -verify OEMStreamskey.pem.pub.key -signature Streams-7.2.1.0-x86_64-el9-installer.tar.gz.cosign.sig Streams-7.2.1.0-x86_64-el9-installer.tar.gz
  Your output should look like this:
  Verified OK
- Optional: Verify that the public key comes from the provided certificate.
  - Extract the public key from the certificate that was used to sign the package by running the following command:
    openssl x509 -noout -pubkey -in OEMStreamskey.pem.cer
  - The output should be the same as the contents of the OEMStreamskey.pem.pub.key file:
    cat OEMStreamskey.pem.pub.key
- Optional: Verify the signing certificate.
  - Verify the certificate that was used to sign the software by running the following command:
    openssl x509 -inform pem -in OEMStreamskey.pem.cer -noout -subject -issuer -startdate -enddate
    Your output should look like this:
    subject=C=US, ST=New York, L=Armonk, O=International Business Machines Corporation, CN=International Business Machines Corporation
    issuer=C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
    notBefore=May 31 00:00:00 2024 GMT
    notAfter=Jun 2 23:59:59 2026 GMT
  - Verify that the certificate has not been revoked by running the following command:
    openssl ocsp -no_nonce -issuer OEMStreamskey.pem.chain -cert OEMStreamskey.pem.cer -VAfile OEMStreamskey.pem.chain -text -url http://ocsp.digicert.com
    Your output should look similar to this:
    OCSP Request Data:
    ...
    OCSP Response Data:
    ...
    Response verify OK
    OEMStreamskey.pem.cer: good
    This Update: Mar 24 22:33:00 2026 GMT
    Next Update: Mar 31 21:33:00 2026 GMT
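The signature check and the key-to-certificate check from the procedure above, chained into one script that stops on the first failure. This is an added example, not IBM's or the product's own tooling: file names follow the page, the function names and the two-argument interface are assumptions, and the OCSP check is left out because it needs network access.

```sh
#!/bin/sh
# Added example (not IBM's or the Streams product's script).
# File names follow the page; function names and arguments are assumptions.

# Step 1: check the detached signature over the installer with the bundled public key.
signature_ok() {  # $1 = public key, $2 = signature file, $3 = signed file
    openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# Step 2: compare the certificate's public key with the bundled key in DER form,
# so differences in PEM line wrapping or trailing newlines do not matter.
pubkey_matches_cert() {  # $1 = certificate (PEM), $2 = public key file (PEM)
    _tmp=$(mktemp -d) || return 1
    _rc=1
    if openssl x509 -in "$1" -noout -pubkey >"$_tmp/cert.pub" 2>/dev/null &&
       openssl pkey -pubin -in "$_tmp/cert.pub" -outform DER -out "$_tmp/cert.der" 2>/dev/null &&
       openssl pkey -pubin -in "$2" -outform DER -out "$_tmp/key.der" 2>/dev/null &&
       cmp -s "$_tmp/cert.der" "$_tmp/key.der"; then
        _rc=0
    fi
    rm -rf "$_tmp"
    return "$_rc"
}

# Runs both checks, then prints the certificate fields from step 3 so they can be
# compared with the expected subject and issuer.
# Returns 1 on a bad signature, 2 on a key/certificate mismatch.
verify_streams_package() {  # $1 = extracted directory, $2 = installer file name
    _key="$1/OEMStreamskey.pem.pub.key"
    _cert="$1/OEMStreamskey.pem.cer"
    _pkg="$1/$2"
    if ! signature_ok "$_key" "$_pkg.cosign.sig" "$_pkg"; then
        echo "FAIL: signature does not verify for $2" >&2
        return 1
    fi
    if ! pubkey_matches_cert "$_cert" "$_key"; then
        echo "FAIL: OEMStreamskey.pem.pub.key is not the key in OEMStreamskey.pem.cer" >&2
        return 2
    fi
    openssl x509 -inform pem -in "$_cert" -noout -subject -issuer -startdate -enddate
    echo "OK: $2"
}

# Example: sh verify.sh StreamsFiles Streams-7.2.1.0-x86_64-el9-installer.tar.gz
if [ "$#" -ge 2 ]; then
    verify_streams_package "$1" "$2"
fi
```

Return code 2 covers the case the key comparison exists for: a signature that verifies against a bundled key that is not the key in the certificate.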