This is great! Thanks!
I don't know anything about GIMZIP, but suspect it does its own thing.
(And not clear from Marna's blog that it uses standards.) That's fine.
Y'all should *also* sign bundled (in one file) packages with PGP and
PKI, as those are recognized standards which most customers have already
in-hand.
Increasing numbers of software vendors are signing their downloadable
wares with PGP. Others are using PKI. Two different trust models;
neither is perfect. (So nothing wrong with also doing GIMZIP signing.)
-- Rick; <><
On 5/16/23 11:38, Kurt J. Quackenbush wrote:
As of today, all IBM product orders initiated from Shopz will be digitally
signed using SMP/E's GIMZIP package signing capability. This includes both
Portable Software Instance (ServerPac) and CBPDO orders. The signed packages
are completely compatible with existing acquisition and download processes, so
no changes are required on the consumer's end, but if you want to exploit the
new capability and verify the digital signatures, check out the information here:
https://www.ibm.com/docs/en/zos/2.5.0?topic=guide-preparing-verify-signatures-gimzip-packages
You can also read Marna's latest blog on this topic here:
https://www.marnasmusings.com/2023/05/sign-of-times.html
IBM packages for PTFs and HOLDDATA are currently not yet being signed, but they
will be later this year. Stay tuned.
Kurt Quackenbush
IBM | z/OS SMP/E and z/OSMF Software Management |
ku...@us.ibm.com
Chuck Norris never uses CHECK when he applies PTFs.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN