Why Verify Downloads?

Verifying downloads ensures that the software you received is exactly what was published, and hasn't been tampered with or corrupted during transfer. IM3270 releases include:

Quick Verification

After downloading IM3270 and the SHA256SUMS file from the same release:

sha256sum -c SHA256SUMS

You should see OK next to each file you downloaded. This confirms the files match what was published.

Full GPG Verification

For stronger assurance, verify the GPG signature on the checksums file. This confirms the checksums were signed by the official IM3270 release key.

1. Import the IM3270 public key (one-time):

gpg --import im3270-release.asc

Download the key from the Public Key section below, or from the tar.gz bundle.

2. Verify the GPG signature:

gpg --verify SHA256SUMS.asc SHA256SUMS

Look for Good signature from "IM3270 Release Signing Key" in the output.

3. Verify file checksums:

sha256sum -c SHA256SUMS

Note: You may see a "WARNING: This key is not certified with a trusted signature" message. This is normal for keys not in a web of trust. Verify the key fingerprint matches the one shown below.

Public Key

The IM3270 Release Signing Key is used to sign all release artifacts.

IM3270 Release Signing Key

Type: RSA 4096-bit

Fingerprint: 4E7E EAFA 0DA1 939E F2A6 29CF 71D3 41D3 1DEF 7FFA

Email: support@infomanta.com

Usage: Release artifact signing

Download: im3270-release.asc

After importing the key, verify the fingerprint matches:

gpg --fingerprint "IM3270 Release Signing Key"

# Expected output should contain:
# 4E7E EAFA 0DA1 939E F2A6  29CF 71D3 41D3 1DEF 7FFA

Tip: The public key is also included in the Linux tar.gz installation bundle for convenience.
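The signature, fingerprint and checksum checks above can be scripted so that "Good signature" is accepted only when it comes from the pinned fingerprint. This is an added example, not part of the IM3270 documentation or tooling. It assumes GnuPG 2.x status output and GNU coreutils sha256sum, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not IM3270's own script.
# Fingerprint copied from the Public Key section, spaces removed.
PINNED_FPR=4E7EEAFA0DA1939EF2A629CF71D341D31DEF7FFA

# Reads `gpg --status-fd` output on stdin. Succeeds only if a GOODSIG line
# (signature valid, key not expired or revoked) is followed by the VALIDSIG
# line for the same key, and that key or its primary key is the pinned one.
signed_by_pinned_key() {
    awk -v want="$PINNED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good_id = $3 }      # long key ID of the signer
        $2 == "VALIDSIG" {
            signer = $3; primary = $NF         # full fingerprints
            same_key = (good_id != "" &&
                        substr(signer, length(signer) - 15) == good_id)
            if (same_key && (signer == want || primary == want)) ok = 1
            good_id = ""
        }
        END { exit !ok }'
}

# Run in the directory that holds SHA256SUMS, SHA256SUMS.asc and the downloads.
verify_release() {
    gpg --status-fd 1 --verify SHA256SUMS.asc SHA256SUMS 2>/dev/null \
        | signed_by_pinned_key \
        || { echo "SHA256SUMS: no good signature from $PINNED_FPR" >&2; return 1; }
    # --ignore-missing (GNU coreutils) skips listed files that were not
    # downloaded and still fails if no file at all was verified.
    sha256sum -c --ignore-missing SHA256SUMS
}
```

Call verify_release from the download directory; a non-zero exit status means the signature check or a checksum failed.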

Linux Bundle Verification

The Linux tar.gz installation bundle includes a SHA256SUMS file with the AppImage checksum. The installer automatically verifies the AppImage integrity before installation.

To manually verify after extracting:

cd im3270-*-linux
sha256sum -c SHA256SUMS

Windows Verification

Windows users can verify downloads using PowerShell:

# Get the SHA256 hash of the downloaded file
Get-FileHash "IM3270 Setup 0.44.0.exe" -Algorithm SHA256

# Compare with the hash in SHA256SUMS

Or using 7-Zip File Manager (right-click → CRC SHA → SHA-256).

Package Signing

The same GPG key used for release signing will be used to sign future RPM and DEB packages:

When RPM/DEB packages are available, installation via package managers (dnf, apt) will automatically verify signatures if the repository key is imported.

Reporting Security Issues

If you discover a security vulnerability in IM3270, please report it responsibly:

Please do not disclose security vulnerabilities publicly until a fix is available.