Re: Digitally signed product software packages from IBM

2023-05-25 Thread Mark Jacobs
Take a look at validated boot/IPL for z/OS on a z16. PTFs are just starting to come out. Mark Jacobs Sent from ProtonMail, Swiss-based encrypted email. GPG Public Key - https://api.protonmail.ch/pks/lookup?op=get=markjac...@protonmail.com --- Original Message --- On Thursday, May

Re: Digitally signed product software packages from IBM

2023-05-25 Thread Andrew Rowley
On 26/05/2023 4:28 am, Kurt J. Quackenbush wrote: Glad to hear it works great and "management will love it." If you find value in this capability I encourage you to reach out to your other software providers and request they also start signing their packages. I know one in particular is

Re: Digitally signed product software packages from IBM

2023-05-25 Thread Mark Jacobs
I like the SAF checks for audit reasons as well as enforcement of corporate policies. If someone needs to receive something unsigned they can get temporary access to do so without needing to edit anything in their receive job. Mark Jacobs Sent from ProtonMail, Swiss-based encrypted email.

Re: Digitally signed product software packages from IBM

2023-05-25 Thread Kurt J. Quackenbush
> We just got it configured and tested with my standard throwaway ShopZ order,
> Device Support Facilities. It works great, I'm sure management will love it.

Glad to hear it works great and "management will love it." If you find value in this capability I encourage you to reach out to your

Re: Digitally signed product software packages from IBM

2023-05-25 Thread Mark Jacobs
We just got it configured and tested with my standard throwaway ShopZ order, Device Support Facilities. It works great, I'm sure management will love it. Questions:
1) Is there anything on the radar to have SMP/e enforce package signature validation if the package is signed?
2) Ditto to have

Re: Digitally signed product software packages from IBM

2023-05-17 Thread Marna WALLE
Only fyi: I mentioned my prior blog post, the signing mechanism and the technology used, with some helpful RACF commands to set up for verification: https://www.marnasmusings.com/2023/04/can-i-have-your-autograph-please.html -Marna WALLE z/OS System Install and Upgrade IBM Poughkeepsie

Re: Digitally signed product software packages from IBM

2023-05-16 Thread Charles Mills
> If the signature is stored alongside the GIMZIP they could simply alter both.

Yep, they could, but they would have about a one in a zillion chance of doing so successfully. You would need the private key of the signer to get it right. The digital signature is a hash of the software, encrypted

Re: Digitally signed product software packages from IBM

2023-05-16 Thread Paul Gilmartin
On Tue, 16 May 2023 13:04:44 -0500, Charles Mills wrote:
> Correct me if I am wrong, but my impression is that signing the package
> protects (among other things) against the scenario in which one of your
> associates, who let us assume is a bad guy, makes a zap-type modification to
> the package

Re: Digitally signed product software packages from IBM

2023-05-16 Thread Charles Mills
Correct me if I am wrong, but my impression is that signing the package protects (among other things) against the scenario in which one of your associates, who let us assume is a bad guy, makes a zap-type modification to the package after you download it and before you install it, thereby

Re: Digitally signed product software packages from IBM

2023-05-16 Thread Kurt J. Quackenbush
>> IBM packages for PTFs and HOLDDATA are currently not yet being signed, but
>> they will be later this year. Stay tuned.
>>
> At e.g. , I
> see:
> "Verified by DigiCert." Is that adequate?

Securing the download may very well be

Re: Digitally signed product software packages from IBM

2023-05-16 Thread Kurt J. Quackenbush
> Y'all should *also* sign bundled (in one file) packages with PGP and PKI, as
> those are recognized standards which most customers have already in-hand.

GIMZIP package signing is implemented using public/private key technology (aka, PKI); a private key is used to generate a digital signature

Re: Digitally signed product software packages from IBM

2023-05-16 Thread Paul Gilmartin
On Tue, 16 May 2023 15:38:36 +, Kurt J. Quackenbush wrote:
> ... if you want to exploit the new capability and verify the digital
> signatures check out the information here:
> https://www.ibm.com/docs/en/zos/2.5.0?topic=guide-preparing-verify-signatures-gimzip-packages
>
> You can also

Re: Digitally signed product software packages from IBM

2023-05-16 Thread Rick Troth
This is great! Thanks! I don't know anything about GIMZIP, but suspect it does its own thing. (And not clear from Marna's blog that it uses standards.) That's fine. Y'all should *also* sign bundled (in one file) packages with PGP and PKI, as those are recognized standards which most

Digitally signed product software packages from IBM

2023-05-16 Thread Kurt J. Quackenbush
As of today, all IBM product orders initiated from Shopz will be digitally signed using SMP/E's GIMZIP package signing capability. This includes both Portable Software Instance (ServerPac) and CBPDO orders. The signed packages are completely compatible with existing acquisition and download