Learn about which objects you can sign and about command (*CMD) object signature options.
You can digitally sign a variety of i5/OS™ object types, regardless of the method that you use to sign them. You can sign any object (*STMF) that you store in the system's integrated file system, except objects that are stored in a library. If the object has an attached Java™ program, the program will also be signed. You can sign only these objects in the QSYS.LIB file system: programs (*PGM), service programs (*SRVPGM), modules (*MODULE), SQL packages (*SQLPKG), *FILE (save file only), and commands (*CMD).
To sign an object, it must reside on the local system. For example, if you operate a Windows® 2000 server on an Integrated xSeries® Server for iSeries™, you have the QNTC file system available in the integrated file system. The directories in this file system are not considered local because they contain files that are owned by the Windows 2000 operating system. Also, you cannot sign empty objects or objects that are compiled for a release before V5R1.
When you sign *CMD objects, you can choose one of two types of digital signatures to apply to the *CMD object. You can elect either to sign the entire object, or to sign the core part of the object only. When you elect to sign the entire object, the signature is applied to all but a few nonessential bytes of the object. The entire object signature includes the items contained in the core object signature.
When you elect to sign only the core object, the essential bytes are protected by the signature while bytes that are subject to more frequent changes are not signed. Which bytes are unsigned varies based on the *CMD object, but can include bytes that determine the mode in which the object is valid or determine where the object is allowed to run, among others. Core signatures do not include parameter defaults on the *CMD objects, for example. This type of signature allows some changes to be made to the command without invalidating its signature. Examples of changes that will not invalidate these types of signatures include:
The following table describes exactly which bytes in a *CMD object are included as part of the core object signature.
| Part of object | Relationship to core object signature |
|---|---|
| Command defaults changed by CHGCMDDFT | Not part of the core object signature |
| Program to process command and library | Always included as part of the core object signature |
| REXX source file and library | Included if specified for the command at the time of signing, otherwise not part of the core object signature |
| REXX source member | Included if specified for the command at the time of signing, otherwise not part of the core object signature |
| REXX command environment and library | Included if specified for the command at the time of signing, otherwise not part of the core object signature |
| REXX exit program name, library, and exit code | Included if specified for the command at the time of signing, otherwise not part of the core object signature |
| Validity checking program and library | Included if specified for the command at the time of signing, otherwise not part of the core object signature |
| Mode in which valid | Not part of the core object signature |
| Where allowed to run | Not part of the core object signature |
| Allow limited users | Not part of the core object signature |
| Help bookshelf | Included if specified for the command at the time of signing, otherwise not part of the core object signature |
| Help panel group and library | Included if specified for the command at the time of signing, otherwise not part of the core object signature |
| Help identifier | Included if specified for the command at the time of signing, otherwise not part of the core object signature |
| Help search index and library | Included if specified for the command at the time of signing, otherwise not part of the core object signature |
| Current library | Included if specified for the command at the time of signing, otherwise not part of the core object signature |
| Product library | Included if specified for the command at the time of signing, otherwise not part of the core object signature |
| Prompt override program and library | Included if specified for the command at the time of signing, otherwise not part of the core object signature |
| Text (description) | Not part of either a core object signature or an entire object signature because it is not stored in the object |
| Enable graphical user interface (GUI) | Not part of the core object signature |
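The following Python model is an added illustration, not IBM documentation or i5/OS code: it applies the coverage rules from the table above to a constructed *CMD attribute set and shows which changes survive a core signature but not an entire signature. The attribute names, the sample command and the HMAC key (standing in for the signer's private key held in Digital Certificate Manager) are all assumptions; the real object layout is not modelled. Note the "included if specified at the time of signing" rule: a part that was blank when the core signature was applied (here the validity checking program) can be set afterwards without invalidating that signature, which is why an entire object signature is the stronger choice.

```python
import hmac
import hashlib
import json

# Attribute coverage for a *CMD object, following the table on this page.
ALWAYS_CORE = {"program_and_library"}
CORE_IF_SPECIFIED = {
    "rexx_source_file", "rexx_source_member", "rexx_command_environment",
    "rexx_exit_program", "validity_checking_program", "help_bookshelf",
    "help_panel_group", "help_identifier", "help_search_index",
    "current_library", "product_library", "prompt_override_program",
}
NEVER_CORE = {"command_defaults", "mode_in_which_valid", "where_allowed_to_run",
              "allow_limited_users", "enable_gui"}
NOT_STORED = {"text_description"}  # kept outside the object, so never signed

# Constructed stand-in for the signer's private key (assumption for this demo).
SIGNER_KEY = b"constructed-demo-key"


def covered_fields(cmd, sig_type):
    """Return the attribute names a signature of the given type protects."""
    if sig_type == "entire":
        return ALWAYS_CORE | CORE_IF_SPECIFIED | NEVER_CORE
    if sig_type == "core":
        # Optional parts count only if they were specified when signed.
        return ALWAYS_CORE | {f for f in CORE_IF_SPECIFIED if cmd.get(f)}
    raise ValueError(sig_type)


def _digest(cmd, fields):
    payload = json.dumps({f: cmd.get(f, "") for f in sorted(fields)}).encode()
    return hmac.new(SIGNER_KEY, payload, hashlib.sha256).hexdigest()


def sign(cmd, sig_type):
    """Freeze the covered set at signing time, as the core signature rules require."""
    fields = frozenset(covered_fields(cmd, sig_type))
    return {"type": sig_type, "fields": fields, "mac": _digest(cmd, fields)}


def verify(cmd, signature):
    return hmac.compare_digest(_digest(cmd, signature["fields"]), signature["mac"])


def change_survives(cmd, sig_type, field, new_value):
    """Sign, apply one attribute change, and report whether the signature still verifies."""
    sig = sign(cmd, sig_type)
    return verify(dict(cmd, **{field: new_value}), sig)


# Constructed sample command: no validity checking program specified at signing time.
SAMPLE_CMD = {"program_and_library": "MYLIB/MYPGM", "command_defaults": "OPT(*NO)",
              "validity_checking_program": "", "mode_in_which_valid": "*ALL"}
```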