Verifying IBM downloads using XSLTPROC

I often download updates from IBM FixCentral using FTPS/SFTP instead of IBM's Download Director. It's simply easier to do on a NIM server than on my laptop or a customer desktop. Unfortunately, it makes validating the checksums of the downloads difficult.

IBM doesn't typically publish a simple text file of checksums with any of their POWER or AIX downloads. They do include an XML file for Download Director.

For VIO downloads, they do make an attempt to let customers validate the download using that XML file, by providing a file called ck_sum.bff. The customer is instructed to execute ck_sum.bff against the directory of downloads to confirm them.

This raises many red flags for me, as it violates security best practices: I should never execute untrusted code from any source on my systems! The place this would typically run is a NIM system or AIX box, as root! I strongly advise against using this method.

Given IBM does have the checksums in an XML file, we can extract them for validation without using untrusted code. I accomplished this on a Linux box with XSLTPROC, but I believe this tool may be available for AIX as well.

We need to use the following XSLT file to convert IBM's XML to a table we can use.

SDD.xslt (Source)

<!-- Credit to Liam Quin of DelightfulComputing.com for the help on Freenode's #xml -->

<xsl:stylesheet
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  version="1.0"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:sdd-common="http://docs.oasis-open.org/sdd/ns/common"
  xmlns:sdd-pd="http://docs.oasis-open.org/sdd/ns/packageDescriptor"
  xmlns:sdd-um="http://w3.ibm.com/xmlns/b2b/b2b/sdd/um/nsr_w3_b2b_b2b_sdd_um_0100.xml"
  >

  <xsl:output method="text" /> <!--* don't want XML declaration *-->

  <xsl:template match="*"><xsl:apply-templates select="*"/></xsl:template>

  <xsl:template match="*[local-name(.)='Content'][ds:DigestValue]">
      <xsl:value-of select="ds:DigestValue"/>
      <xsl:text>  </xsl:text>
      <xsl:value-of select="@pathname"/>
      <xsl:text>&#xa;</xsl:text>
   </xsl:template>

</xsl:stylesheet>

Save this somewhere; I put it in ~/scripts/SDD.xslt.

We can then execute this XML transformation document against IBM's .pd.sdd files.

% xsltproc ~/scripts/SDD.xslt *.pd.sdd
c96248c5131787e08451ce92f97ea6d4b650402dfd4bdf24ee4c87b6a333b92d  ck_sum.bff
f95ec2d4024053db1d83ba98fca73847c68681dfd808b8bd0ccc712262ee604b  VIOS_SP_3.1.0.21.bff
ac9c0d5b7a88d9d91bd5d4074ee2b861686c00bef0c35ceceacda30c9f08a250  Java8_64.jre__1_8.0.0.526.bff
79470e6787602b1e810703ba028d514f38ef6d99e1a4cf0fe010ccbc389a3700  Java8_64.sdk__1_8.0.0.526.bff
87d1175a051ba050f6466d1fa82469c93753331fef2ae474dc09cda22b9595f0  U877265.bff
5f5cf575cc82212208fd1f068818a52251d55f91f5710fd58f75d79a58a85aaa  U877266.bff
5fff5bdaaa158a20f46a400e633a383d290e1d43cd6dfe0072ca352468795ba6  U877269.bff
a4c092017a660b137fd7ebb6ddc9ae3de76b8297a5ea48a4016651a519573e24  U880057.bff
54d5ef553e49eaf1a80585bdc12db7b5ad29ac7434759abe7830ad63c9dcd2c4  U882614.bff
d4a77a25a7d85fb860a4601b03ba8df3492550398378d8714c45ee612945cca6  U882619.bff
...

That matches the output from sha256sum! In fact, we can feed that directly to sha256sum:

% xsltproc ~/scripts/SDD.xslt *.pd.sdd | sha256sum -c -
ck_sum.bff: OK
VIOS_SP_3.1.0.21.bff: OK
Java8_64.jre__1_8.0.0.526.bff: OK
Java8_64.sdk__1_8.0.0.526.bff: OK
U877265.bff: OK
U877266.bff: OK
U877269.bff: OK
U880057.bff: OK
U882614.bff: OK
U882619.bff: OK
...
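Added example (not from the original post): the same check in Python for a host without xsltproc. It pulls the ds:DigestValue/@pathname pairs out of a .pd.sdd the way the XSLT does, hashes the files and reports OK, FAILED or MISSING per file, and rejects any pathname with directory components, since the manifest arrived over the same channel as the downloads. The sample manifest is constructed, and the namespace of its Content element is an assumption.

```python
import hashlib, os, tempfile, xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # the ds: namespace used by the XSLT

def extract_digests(sdd_xml):
    """{pathname: sha256-hex} for every <Content> element (any namespace) that has
    a ds:DigestValue child, i.e. the rows the XSLT above prints."""
    digests = {}
    for el in ET.fromstring(sdd_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "Content":
            continue
        dv, path = el.find(DS + "DigestValue"), el.get("pathname")
        if dv is not None and path is not None:
            digests[path] = (dv.text or "").strip().lower()
    return digests

def verify_directory(sdd_xml, directory):
    """Hash each listed file; return {pathname: OK | FAILED | MISSING | REJECTED}."""
    results = {}
    for path, expected in extract_digests(sdd_xml).items():
        if os.path.basename(path) != path:
            results[path] = "REJECTED"  # manifest is untrusted input: bare file names only
            continue
        full = os.path.join(directory, path)
        if not os.path.isfile(full):
            results[path] = "MISSING"
            continue
        h = hashlib.sha256()
        with open(full, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        results[path] = "OK" if h.hexdigest() == expected else "FAILED"
    return results

# Constructed sample manifest; the namespace of the Content element is an assumption.
GOOD = b"constructed fix payload"
SAMPLE_SDD = """<sdd-pd:packageDescriptor xmlns:sdd-pd="http://docs.oasis-open.org/sdd/ns/packageDescriptor"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <sdd-pd:Content pathname="sample.bff"><ds:DigestValue>%s</ds:DigestValue></sdd-pd:Content>
  <sdd-pd:Content pathname="tampered.bff"><ds:DigestValue>%s</ds:DigestValue></sdd-pd:Content>
  <sdd-pd:Content pathname="missing.bff"><ds:DigestValue>%s</ds:DigestValue></sdd-pd:Content>
  <sdd-pd:Content pathname="../escape.bff"><ds:DigestValue>%s</ds:DigestValue></sdd-pd:Content>
</sdd-pd:packageDescriptor>""" % ((hashlib.sha256(GOOD).hexdigest(),) * 4)

def demo():
    """Write the good file and a tampered copy to a temp dir; verify against the manifest."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sample.bff"), "wb") as f: f.write(GOOD)
        with open(os.path.join(d, "tampered.bff"), "wb") as f: f.write(GOOD + b"!")
        return verify_directory(SAMPLE_SDD, d)
```

Running demo() reports sample.bff as OK, tampered.bff as FAILED, missing.bff as MISSING and the path-traversal entry as REJECTED.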

So now we can validate our downloads from IBM without the GUI Download Director or running untrusted code on our system.

Thanks again to Liam Quin of http://DelightfulComputing.com/ for his assistance on Freenode's #xml channel! This will be a real timesaver!