If you've read my prior post Can I have your autograph please? you were aware that SMP/E and z/OSMF Software Management have the compatible capability to sign packages coming from a software vendor. This capability was designed for nonrepudiation and authenticity, and can ensure the software package you receive from a vendor has not been modified since it was created.
Today, I ordered a small z/OSMF portable software instance (ServerPac) from Shopz. I happened to choose the Java SDK 11 "Semeru" package (5655-DGJ), since I was already entitled to it and knew it could be manufactured very quickly. It arrived in short time, and so I had fun verifying the signature on this product package.
It really could not have been easier, once I had my keyring set up which I described in the prior post. Here's the simple 1-2-3 screen shots, and the output I saw from my test. No kidding, it took me less than 15 minutes to do these 3 steps.