>If the signature is stored alongside the GIMZIP they could simply alter both.
Yep, they could, but they would have about a one in a zillion chance of doing so successfully. You would need the private key of the signer to get it right. The digital signature is a hash of the software, encrypted with the signer's private key. The hash algorithms are such that it is nearly impossible to change the software but keep the same hash, and with a different hash you need to have that private key to be able to make a signature that will decrypt with the relevant well-known public key. > which you trust more, DigiCert or your RACF The trustworthiness of CAs is one of the weakest parts of PKI and TLS. Nothing against DigiCert -- they are fine folks, and I am sure have a robust security program -- but CA's *have* been hacked with malicious effect. https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates Charles On Tue, 16 May 2023 13:31:39 -0500, Paul Gilmartin <paulgboul...@aol.com> wrote: >On Tue, 16 May 2023 13:04:44 -0500, Charles Mills wrote: > >>Correct me if I am wrong, but my impression is that signing the package >>protects (among other things) against the scenario in which one of your >>associates, who let us assume is a bad guy, makes a zap-type modification to >>the package after you download it and before you install it, thereby >>compromising the integrity of your z/OS. Obviously, security for the download >>will not protect against that, but package signing will. >> >OK. Verifying the signature at the point of RECEIVE FROMNTS protects against >(fe)malefactors' compromising the GIMZIP between download and RECEIVE. >If the signature is stored alongside the GIMZIP they could simply alter both. > >And the SMPPTS must be protected until APPLY/ACCEPT, and the Target and >DLIBs indefinitely. > >Some of this depends on which you trust more, DigiCert or your RACF >configuration. >SMPNTS is a zFS hierarchy. How vulnerable is that? > >-- >gil > >---------------------------------------------------------------------- >For IBM-MAIN subscribe / signoff / archive access instructions, >send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
