Sign of the times

 


As of today, every product order coming from Shopz (z/OSMF portable software instance or CBPDO, electronic or DVD) is being signed!

If you've read my prior post  Can I have your autograph please? you were aware that SMP/E and z/OSMF Software Management have the compatible capability to sign packages coming from a software vendor.  This capability was designed for nonrepudiation and authenticity, and can ensure the software package you receive from a vendor has not been modified since it was created.

Today, I ordered a small z/OSMF portable software instance (ServerPac) from Shopz.  I happened to choose the Java SDK 11 "Semeru" package (5655-DGJ), since I was already entitled to it and knew it could be manufactured very quickly.  It arrived in short time, and so I had fun verifying the signature on this product package.

It really could not have been easier, once I had my keyring set up which I described in the prior post.  Here's the simple 1-2-3 screen shots, and the output I saw from my test. No kidding, it took me less than 15 minutes to do these 3 steps. 

1.  I simply indicated that I wanted to verify the signature and provided my keyring (which I described how to set up in my prior post):


2.  I ran the produced JCL, in which I could see that z/OSMF had indicated I wanted to verify the signature on the incoming package:


...and looked at the beautiful output:



3.  I completed the Add of the Portable Software Instance.  Then, for one last visual later to confirm it was signed (from Actions -> View):


Done!

What's up next for IBM and package signing?  PTFs and HOLDDATA, for SMP/E RECEIVE ORDER and electronic Shopz PTFs!  Stay tuned for that delivery.  Also stay tuned, as I'm hoping that other software vendors will exploit this function and make announcements accordingly.





Comments