Verifying Digital Signature and Integrity of Installation Archive Files
Starting with Oracle AI Database 26ai, Oracle digitally signs the installation archive files with Oracle certificates to ensure the integrity of the packages before you deploy them in your environments.
Use jarsigner to verify the integrity of your Oracle AI Database, Oracle Database Client, Oracle Grid Infrastructure, Oracle Examples, Oracle Gateways, or Oracle GSM installation archive files. You can verify the integrity of the installation archive files before you extract the installation files.
Quick Verification
To quickly verify the installation archive files, use the jarsigner command with the -verify option:
- Go to the directory where you have downloaded the installation archive files.
- Run this command to check your installation archive file:
    jarsigner -verify installation_archive_file
  For example, to check the Oracle AI Database gold image:
    jarsigner -verify db_home.zip
    jar verified.
Detailed Certificate Information
If you want detailed certificate information, use the -verbose:summary and -certs options along with the -verify option.
- Go to the directory where you have downloaded the installation archive files.
- Run this command to check your installation archive file:
    jarsigner -verify -verbose:summary -certs installation_archive_file
  For example, to check the Oracle AI Database gold image:
    jarsigner -verify -verbose:summary -certs db_home.zip
  The output is similar to the following:
    2237119 Fri Feb 17 07:02:30 UTC 2023 META-INF/MANIFEST.MF
      >>> Signer
      X.509, CN="Oracle America, Inc.", O="Oracle America, Inc.", L=Redwood City, ST=California, C=US
      [
      Signature algorithm: SHA256withRSA, 3072-bit key
      [certificate is valid from 8/19/21 12:00 AM to 8/19/23 11:59 PM]
      X.509, CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
      [
      Signature algorithm: SHA384withRSA, 4096-bit key
      [certificate is valid from 4/29/21 12:00 AM to 4/28/36 11:59 PM]
      X.509, CN=DigiCert Trusted Root G4, O=DigiCert Inc, C=US
      [
      Signature algorithm: SHA384withRSA, 4096-bit key
      [trusted certificate]
      >>> TSA
      X.509, CN=DigiCert Timestamp 2022 - 2, O=DigiCert, C=US
      [
      Signature algorithm: SHA256withRSA, 4096-bit key
      [certificate is valid from 9/21/22 12:00 AM to 11/21/33 11:59 PM]
      X.509, CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA, O="DigiCert, Inc.", C=US
      [
      Signature algorithm: SHA256withRSA, 4096-bit key
      [certificate is valid from 3/23/22 12:00 AM to 3/22/37 11:59 PM]
      X.509, CN=DigiCert Trusted Root G4, O=DigiCert Inc, C=US
      [
      Signature algorithm: SHA384withRSA, 4096-bit key
      [certificate is valid from 8/1/22 12:00 AM to 11/9/31 11:59 PM]
    2237281 Fri Feb 17 07:02:32 UTC 2023 META-INF/ORACLE_C.SF (and 1 more)
      (Signature related entries)
    0 Fri Feb 17 05:41:24 UTC 2023 OPatch/ (and 1897 more)
      (Directory entries)
    2977 Tue Dec 20 08:02:16 UTC 2022 OPatch/README.txt (and 20199 more)
      [entry was signed on 2/17/23 7:02 AM]
      >>> Signer
      X.509, CN="Oracle America, Inc.", O="Oracle America, Inc.", L=Redwood City, ST=California, C=US
      [
      Signature algorithm: SHA256withRSA, 3072-bit key
      [certificate is valid from 8/19/21 12:00 AM to 8/19/23 11:59 PM]
      X.509, CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
      [
      Signature algorithm: SHA384withRSA, 4096-bit key
      [certificate is valid from 4/29/21 12:00 AM to 4/28/36 11:59 PM]
      X.509, CN=DigiCert Trusted Root G4, O=DigiCert Inc, C=US
      [
      Signature algorithm: SHA384withRSA, 4096-bit key
      [trusted certificate]
      >>> TSA
      X.509, CN=DigiCert Timestamp 2022 - 2, O=DigiCert, C=US
      [
      Signature algorithm: SHA256withRSA, 4096-bit key
      [certificate is valid from 9/21/22 12:00 AM to 11/21/33 11:59 PM]
      X.509, CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA, O="DigiCert, Inc.", C=US
      [
      Signature algorithm: SHA256withRSA, 4096-bit key
      [certificate is valid from 3/23/22 12:00 AM to 3/22/37 11:59 PM]
      X.509, CN=DigiCert Trusted Root G4, O=DigiCert Inc, C=US
      [
      Signature algorithm: SHA384withRSA, 4096-bit key
      [certificate is valid from 8/1/22 12:00 AM to 11/9/31 11:59 PM]

      s = signature was verified
      m = entry is listed in manifest
      k = at least one certificate was found in keystore
      i = at least one certificate was found in identity scope

    - Signed by "CN="Oracle America, Inc.", O="Oracle America, Inc.", L=Redwood City, ST=California, C=US"
        Digest algorithm: SHA-256
        Signature algorithm: SHA256withRSA, 3072-bit key
      Timestamped by "CN=DigiCert Timestamp 2022 - 2, O=DigiCert, C=US" on Fri Feb 17 07:02:33 UTC 2023
        Timestamp digest algorithm: SHA-256
        Timestamp signature algorithm: SHA256withRSA, 4096-bit key

    jar verified.

    The signer certificate will expire on 2023-08-19.
    The timestamp will expire on 2031-11-09.
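The following is an added example, not part of Oracle's documentation: a shell gate that extracts an archive only when the jarsigner output contains the exact success line, names the signer shown in the sample output above, and reports no warnings. The function names, the unzip step, and the choice to treat any "Warning:" line as a failure are assumptions of this example.

```sh
#!/bin/sh
# Added example (not Oracle's code): fail closed unless jarsigner's output shows
# a clean verdict AND the signer identity shown in this page's sample output.

# Signer DN prefix copied from the sample output on this page.
EXPECTED_SIGNER='CN="Oracle America, Inc.", O="Oracle America, Inc."'

# Reads `jarsigner -verify -verbose:summary -certs` output on stdin.
# Returns 0 only when every check passes; each failure has its own code.
check_jarsigner_output() {
    out=$(cat)
    # 1. Verdict: require the exact success line rather than trusting exit status.
    printf '%s\n' "$out" | grep -Eq '^[[:space:]]*jar verified\.[[:space:]]*$' || {
        echo "FAIL: no 'jar verified.' line" >&2; return 1; }
    # 2. Identity: a valid signature from an unexpected signer is still a failure.
    printf '%s\n' "$out" | grep -qF -e "- Signed by \"$EXPECTED_SIGNER" || {
        echo "FAIL: not signed by the expected signer" >&2; return 2; }
    # 3. Fail closed on any warning block (assumption: warnings are never acceptable here).
    if printf '%s\n' "$out" | grep -Eq '^[[:space:]]*Warning:'; then
        echo "FAIL: jarsigner reported warnings" >&2; return 3
    fi
    return 0
}

# Hypothetical wrapper: verify first, extract into $2 only on success.
verify_then_extract() {
    archive=$1; dest=$2
    jarsigner -verify -verbose:summary -certs "$archive" 2>&1 | check_jarsigner_output || {
        echo "refusing to extract $archive" >&2; return 1; }
    unzip -q "$archive" -d "$dest"
}

# Constructed sample: the closing lines of the output shown on this page.
SAMPLE_OK='- Signed by "CN="Oracle America, Inc.", O="Oracle America, Inc.", L=Redwood City, ST=California, C=US"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 3072-bit key
jar verified.'
```

Call it as `verify_then_extract db_home.zip /path/to/target` in place of a bare unzip, so an unsigned or re-signed archive is never unpacked.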
For more jarsigner options, type jarsigner -h or review the jarsigner documentation: