Correct me if I am wrong, but my impression is that signing the package 
protects (among other things) against the scenario in which one of your 
associates, who let us assume is a bad guy, makes a zap-type modification to 
the package after you download it and before you install it, thereby 
compromising the integrity of your z/OS. Obviously, security for the download 
will not protect against that, but package signing will.

Charles 
On Tue, 16 May 2023 17:57:23 +0000, Kurt J. Quackenbush <ku...@us.ibm.com> 
wrote:

>>> IBM packages for PTFs and HOLDDATA are currently not yet being signed, but 
>>> they will be later this year.  Stay tuned.
>>>
>> At e.g. <https://public.dhe.ibm.com/eserver/zseries/holddata/month.txt>, I 
>> see:
>> "Verified by DigiCert."  Is that adequate?
>
>Securing the download may very well be adequate for many.  Digitally signing 
>the actual files that are downloaded (the package) is an additional 
>protection.  Signing a GIMZIP package, and then verifying the signature of 
>that package, increases confidence in the authenticity (who produced it?) and 
>the integrity (has it changed in transit?) of the package.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN