IBM System Storage Ideas Portal


This portal is to open public enhancement requests against IBM System Storage products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas

  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Add a new idea Subscribe
Status Delivered
Workspace Storage Protect Family
Categories Product functionality
Created by Guest
Created on Mar 20, 2024

RELATED IDEAS

Provide a resource to verify PGP Keys in SW Packages (e.g. B/A Client)

The SW Packages usually contain a specific PGP key to check validity of the downloaded package. Unfortunately, these keys are changed/replaced without any announcement. By this, customers do not know if the PGP key he has is valid or manipulated. Or if an attacker used an key that was used in an official package in the past to sign a manipulated package.


It is missing an official website/resource to validate the PGP keys, to find out if it is valid/official, got replaced or got set to "expired" etc..
RedHat has an appropriate portal: https://access.redhat.com/security/team/key

Idea priority High
  • Admin
    Juan Carlos Jimenez Fuentes
    Jun 30, 2025

    https://www.ibm.com/docs/en/storage-protect/8.1.27?topic=clients-installing-storage-protect-backup-archive-unix-linux-windows

    Reply
  • Guest
    Apr 9, 2025

    Situation:
    - Package downloaded from "Index of /storage/tivoli-storage-management/maintenance/client/v8r1/Linux/LinuxX86/BA/v8125"

    - Package unpacked
    - gsk* RPMs
    - TIV* RPMs
    - rpm -import GSKit.pub4.pgp
    rpm -K gskcrypt64-XXX.linux.x86_64.rpm
    rpm -K gskssl64-XXX.linux.x86_64.rpm

    - rpm --import PRD0001289key.pub.asc
    rpm -K TIVsm-API64.x86_64.rpm
    rpm -K TIVsm-BA.x86_64.rpm

    Problem:

    - “we don't have a fingerprint / checksum for the PRD0001289key.pub.asc file.
    There is a fingerprint / checksum available for the entire SP client package,

    see at URL https://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/client/v8r1/Linux/LinuxX86/BA/v8125/” (See Case: TS018600065)

    There is only the following:
    e31a218a41a1e34dac14e91a6f5477cb911be4822fb79d16f168011cf19cbce6 8.1.25.0-TIV-TSMBAC-LinuxX86.tar

    This is the verification hash for 8.1.25.0-TIV-TSMBAC-LinuxX86.tar, which serves to complete the “download”.

    (We would have been satisfied if the HASH had been shown on a separate page. See below)

    Question and statement:
    - How can a customer be sure that the signed packages 
    via GSKit.pub4.pgp.priv / PRD0001289key (examples of possible “private keys”) are also trustworthy.

    There is currently no official page from IBM (with the exception of RedHat - https://access.redhat.com/security/team/key) on which there are references,
    which provides information about the following facts.

    - Field of application of a key, e.g. for signing gsk* / TIV* packages.
    - Display of the public key.
    - Display of a hash value for checking the public key.
    - Information regarding changes / revocation / blocking of a key.

    Without meaningful information regarding the key(s), it is possible to manipulate the delivered software or the software provided for delivery at any time. 

    Thanks for reviewing the idea.

    Best wishes
    Roland

    Reply

By clicking the "Post Comment" or "Submit Idea" button, you are agreeing to the IBM Ideas Portal Terms of Use.
Do not place IBM confidential, company confidential, or personal information into any field.