Signature verification processing

Learn how the process of verifying an object signature works and what parameters you can set for the process.

You can specify the following options for signature verification processing.
Error processing
You can specify what type of error processing the application is to use when verifying signatures on more than one object. You can specify that the application either stop verifying signatures when an error occurs or continue verifying signatures on any other objects in the process.
Objects in subdirectories
You can specify how the application is to handle verifying signatures on objects in subdirectories. You can specify that the application individually verify signatures on objects in any subdirectories or that the application only verify signatures for those objects within the main directory while ignoring all subdirectories.
Core versus entire signature verification
There are system rules that determine how the system is to handle core and entire signatures on objects during the verification process. These rules are as follows:
  • If there are no signatures on the object, the verify process reports the object is not signed and continues verifying any other objects in the process.
  • If the object was signed by a system trusted source (IBM®), the signature must match or the verification process fails. If the signature matches, the verification process continues. The signature is an encrypted mathematical summary of the data in the object; therefore, the signature is considered to match if the data in the object during verification matches the data in the object when it was signed.
  • If the object has any entire object signatures that are trusted (based on certificates contained in the *SIGNATUREVERIFICATION certificate store), at least one of these signatures must match or the verification process fails. If at least one entire object signature matches, the verification process continues.
  • If the object has any core object signatures that are trusted, at least one of these must match a certificate in the *SIGNATUREVERIFICATION certificate store or the verify process fails. If at least one core object signature matches, the verification process continues.
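
The following Python model is an added example, not IBM code or a system API; it walks the four rules above in order and applies the error-processing and subdirectory options to a set of constructed objects. The `Sig` and `Obj` types, the result strings, the treatment of a failed verification as the "error", and the "no trusted signature" outcome for an object that carries only untrusted signatures are assumptions of this model.

```python
from dataclasses import dataclass, field

@dataclass
class Sig:
    scope: str            # "core" or "entire"
    trusted: bool         # certificate is in *SIGNATUREVERIFICATION
    matches: bool         # object data equals the data that was signed
    system: bool = False  # signed by the system trusted source

@dataclass
class Obj:
    path: str             # relative to the main directory (constructed)
    sigs: list = field(default_factory=list)

def verify_object(obj):
    """Apply the page's four rules in order."""
    if not obj.sigs:
        return "not signed"                      # rule 1: report, keep going
    if any(s.system and not s.matches for s in obj.sigs):
        return "failed"                          # rule 2: system signature must match
    checked = any(s.system for s in obj.sigs)
    for scope in ("entire", "core"):             # rules 3 and 4
        trusted = [s for s in obj.sigs
                   if s.scope == scope and s.trusted and not s.system]
        if trusted and not any(s.matches for s in trusted):
            return "failed"                      # none of the trusted ones match
        checked = checked or bool(trusted)
    # Assumption: the page does not define the untrusted-only case.
    return "verified" if checked else "no trusted signature"

def verify_all(objects, stop_on_error=True, include_subdirs=True):
    """Model of the error-processing and subdirectory options."""
    results = {}
    for obj in objects:
        if not include_subdirs and "/" in obj.path:
            continue                             # main directory only
        results[obj.path] = verify_object(obj)
        if stop_on_error and results[obj.path] == "failed":
            break                                # assumption: a failure is the "error"
    return results

# Constructed sample objects, not real system objects.
SAMPLE = [
    Obj("a.pgm"),
    Obj("b.pgm", [Sig("entire", True, False), Sig("entire", True, True)]),
    Obj("c.pgm", [Sig("core", True, False), Sig("entire", False, True)]),
    Obj("sub/d.pgm", [Sig("entire", True, True, system=True)]),
]
```

In the sample, `c.pgm` fails even though one of its signatures matches, because the matching signature is not trusted and the only trusted signature does not match.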