Verifying Digital Signature and Integrity of Installation Archive Files
Starting with Oracle Database 23ai, Oracle digitally signs the installation archive files with Oracle certificates to ensure the integrity of the packages before you deploy them in your environments.
jarsigner
to verify the integrity of your Oracle Database, Oracle Database Client, Oracle Grid Infrastructure, Oracle Examples, Oracle Gateways, or Oracle GSM installation archive files. You can verify the integrity of the installation archive files before you extract the installation files.
Quick Verification
To quickly verify the installation archive files, use the jarsigner
command with the -verify
option:
- Go to the directory where you have downloaded the installation archive files.
-
Run this command to check your installation archive file:
jarsigner -verify installation_archive_file
For example, to check the Oracle Database gold image:
jarsigner -verify db_home.zip
jar verified.
Detailed Certificate Information
If you want detailed certificate information, then use the -verbose:summary
and -certs
along with the -verify
option.
- Go to the directory where you have downloaded the installation archive files.
-
Run this command to check your installation archive file:
jarsigner -verify -verbose:summary -certs installation_archive_file
For example, to check the Oracle Database gold image:
jarsigner -verify -verbose:summary -certs db_home.zip
The output is similar to the following:
2237119 Fri Feb 17 07:02:30 UTC 2023 META-INF/MANIFEST.MF >>> Signer X.509, CN="Oracle America, Inc.", O="Oracle America, Inc.", L=Redwood City, ST=California, C=US [ Signature algorithm: SHA256withRSA, 3072-bit key [certificate is valid from 8/19/21 12:00 AM to 8/19/23 11:59 PM] X.509, CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US [ Signature algorithm: SHA384withRSA, 4096-bit key [certificate is valid from 4/29/21 12:00 AM to 4/28/36 11:59 PM] X.509, CN=DigiCert Trusted Root G4, O=DigiCert Inc, C=US [ Signature algorithm: SHA384withRSA, 4096-bit key [trusted certificate] >>> TSA X.509, CN=DigiCert Timestamp 2022 - 2, O=DigiCert, C=US [ Signature algorithm: SHA256withRSA, 4096-bit key [certificate is valid from 9/21/22 12:00 AM to 11/21/33 11:59 PM] X.509, CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA, O="DigiCert, Inc.", C=US [ Signature algorithm: SHA256withRSA, 4096-bit key [certificate is valid from 3/23/22 12:00 AM to 3/22/37 11:59 PM] X.509, CN=DigiCert Trusted Root G4, O=DigiCert Inc, C=US [ Signature algorithm: SHA384withRSA, 4096-bit key [certificate is valid from 8/1/22 12:00 AM to 11/9/31 11:59 PM] 2237281 Fri Feb 17 07:02:32 UTC 2023 META-INF/ORACLE_C.SF (and 1 more) (Signature related entries) 0 Fri Feb 17 05:41:24 UTC 2023 OPatch/ (and 1897 more) (Directory entries) 2977 Tue Dec 20 08:02:16 UTC 2022 OPatch/README.txt (and 20199 more) [entry was signed on 2/17/23 7:02 AM] >>> Signer X.509, CN="Oracle America, Inc.", O="Oracle America, Inc.", L=Redwood City, ST=California, C=US [ Signature algorithm: SHA256withRSA, 3072-bit key [certificate is valid from 8/19/21 12:00 AM to 8/19/23 11:59 PM] X.509, CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US [ Signature algorithm: SHA384withRSA, 4096-bit key [certificate is valid from 4/29/21 12:00 AM to 4/28/36 11:59 PM] X.509, CN=DigiCert Trusted Root G4, O=DigiCert Inc, C=US [ Signature algorithm: SHA384withRSA, 4096-bit key [trusted certificate] >>> TSA X.509, CN=DigiCert Timestamp 2022 - 2, O=DigiCert, C=US [ Signature algorithm: SHA256withRSA, 4096-bit key [certificate is valid from 9/21/22 12:00 AM to 11/21/33 11:59 PM] X.509, CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA, O="DigiCert, Inc.", C=US [ Signature algorithm: SHA256withRSA, 4096-bit key [certificate is valid from 3/23/22 12:00 AM to 3/22/37 11:59 PM] X.509, CN=DigiCert Trusted Root G4, O=DigiCert Inc, C=US [ Signature algorithm: SHA384withRSA, 4096-bit key [certificate is valid from 8/1/22 12:00 AM to 11/9/31 11:59 PM] s = signature was verified m = entry is listed in manifest k = at least one certificate was found in keystore i = at least one certificate was found in identity scope - Signed by "CN="Oracle America, Inc.", O="Oracle America, Inc.", L=Redwood City, ST=California, C=US" Digest algorithm: SHA-256 Signature algorithm: SHA256withRSA, 3072-bit key Timestamped by "CN=DigiCert Timestamp 2022 - 2, O=DigiCert, C=US" on Fri Feb 17 07:02:33 UTC 2023 Timestamp digest algorithm: SHA-256 Timestamp signature algorithm: SHA256withRSA, 4096-bit key jar verified. The signer certificate will expire on 2023-08-19. The timestamp will expire on 2031-11-09.
For more jarsigner
options, type jarsigner -h
or review the jarsigner
documentation: