Verify object signatures

You can use Digital Certificate Manager (DCM) to verify the authenticity of digital signatures on objects. When you verify the signature, you ensure that the data in the object has not been changed since the object owner signed the object.

Signature verification prerequisites

Before you can use DCM to verify signatures on objects, you must ensure that certain prerequisite conditions are met:
  • You must have created the *SIGNATUREVERIFICATION certificate store to manage your signature verification certificates.
    Note: You can perform signature verification while working within the *OBJECTSIGNING certificate store in cases where you are verifying signatures for objects that were signed on the same system. The steps that you perform to verify the signature in DCM are the same in either certificate store. However, the *SIGNATUREVERIFICATION certificate store must exist and must contain a copy of the certificate that signed the object even if you perform signature verification while working within the *OBJECTSIGNING certificate store.
  • The *SIGNATUREVERIFICATION certificate store must contain a copy of the certificate that signed the objects.
  • The *SIGNATUREVERIFICATION certificate store must contain a copy of the CA certificate that issued the certificate that signed the objects.

Use DCM to verify signatures on objects

To use DCM to verify object signatures, follow these steps:

  1. Start DCM.
  2. In the navigation frame, click Select a Certificate Store and select *SIGNATUREVERIFICATION as the certificate store to open.
    Note: If you have questions about how to complete a specific form while using DCM, select the question mark (?) at the top of the page to access the online help.
  3. Enter the password for the *SIGNATUREVERIFICATION certificate store and click Continue.
  4. After the navigation frame refreshes, select Manage Signable Objects to display a list of tasks.
  5. From the list of tasks, select Verify object signature to specify the location of the objects for which you want to verify signatures.
  6. In the field provided, enter the fully qualified path and file name of the object or directory of objects for which you want to verify signatures and click Continue. Or, enter a directory location and click Browse to view the contents of the directory to select objects for signature verification.
    Note: You can also use certain wildcard characters to describe the part of the directory that you want to verify. These wildcard characters are the asterisk (*), which specifies "any number of characters," and the question mark (?), which specifies "any single character." For example, to sign all the objects in a specific directory, you might enter /mydirectory/*; to sign all the programs in a specific library, you might enter /QSYS.LIB/QGPL.LIB/*.PGM. You can use these wildcard characters only in the last part of the path name; for example, /mydirectory*/filename results in an error message. If you want to use the Browse function to see a list of library or directory contents, you must enter the wildcard as part of the path name before clicking Browse.
  7. Select the processing options that you want to use for verifying the signature on the selected object or objects and click Continue.
    Note: If you choose to wait for job results, the results file displays directly in your browser. Results for the current job are appended to the end of the results file. Consequently, the file may contain results from any previous jobs, in addition to those of the current job. You can use the date field in the file to determine which lines in the file apply to the current job. The date field is in YYYYMMDD format. The first field in the file can be either the message ID (if an error occurred during processing the object) or the date field (indicating the date on which the job processed).
  8. Specify the fully qualified path and file name to use for storing job results for the signature verification operation and click Continue. Or, enter a directory location and click Browse to view the contents of the directory to select a file for storing the job results. A message displays to indicate that the job was submitted to verify object signatures. To view the job results, see job QOBJSGNBAT in the job log.

You can also, use DCM to view information about the certificate that signed an object. This allows you to determine whether the object is from a source that you trust before you work with the object.

Related concepts
Digital certificates for signing objects
Related tasks
Manage certificates for verifying object signatures