Starting with AIX 7.3 TL1, there is a new procedure for AIX Trusted Installation that replaces the Digital Signature Catalog (DSC) procedure. With the new procedure, the digital signature of a fileset is appended directly at the end of the fileset file in the form of a Digital Signature Block (DSB). This greatly simplifies Trusted Installation, as the signature no longer needs to be stored in the DSC.
In addition to the digital signature, the DSB also contains the path to a public key that must be used for verification (see The Digital Signature Block). The beginning and end of the block are marked with the string “INUTUEYE”, the so-called DSB eye catcher. This allows the installation process to detect the presence of a DSB at the end of a fileset file.
The process for verifying a digital signature for a fileset is described in detail here: Verifying the digital signature of a fileset (DSB). Essentially, the new dsblkchk command is used, which performs the actual verification.
If a fileset does not have a DSB, the old procedure with DSC is used.
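The presence check described above (eye catcher at the end of the file, DSC fallback otherwise) can be sketched as follows. This is an added example, not IBM's code or the installer's own logic, and it does not verify any signature (that remains the job of dsblkchk). It assumes the closing eye catcher is the last bytes of the file and that the marker does not occur inside the block body; `locate_dsb`, `make_sample` and the 64 KiB window are hypothetical names and values.

```python
import os
import tempfile

EYE = b"INUTUEYE"      # DSB eye catcher named on the page
MAX_DSB = 64 * 1024    # assumption: search window, not an IBM-documented limit


def locate_dsb(path, window=MAX_DSB):
    """Classify a fileset file as "none", "malformed" or "present".

    For "present", start/end are the byte offsets of the whole block,
    both eye catchers included.
    """
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - window))
        base = fh.tell()
        tail = fh.read()
    # Assumption: the closing eye catcher is the very last bytes of the file.
    if not tail.endswith(EYE):
        return ("none", None, None)       # no DSB: the DSC procedure applies
    # Assumption: the marker string does not occur inside the block body,
    # so the nearest earlier occurrence is the opening eye catcher.
    opening = tail.rfind(EYE, 0, len(tail) - len(EYE))
    if opening < 0:
        return ("malformed", None, None)  # closing marker with no opening one
    return ("present", base + opening, size)


def make_sample(body):
    """Write constructed sample bytes to a temp file and return its path."""
    fd, name = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(body)
    return name


if __name__ == "__main__":
    # Constructed inputs; the bytes between the markers are a placeholder,
    # not the real DSB layout.
    payload = b"fileset-bytes " + EYE + b" marker inside payload"
    for body in (payload, payload + EYE + b"<sig+keypath>" + EYE, b"x" + EYE):
        path = make_sample(body)
        print(locate_dsb(path))
        os.remove(path)
```

A "malformed" result, or "none" for a fileset that is expected to be signed, is worth flagging before installation, since such a file is not handled by the DSB verification path.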
The new process also allows you to sign your own filesets with minimal effort. A detailed description of the necessary steps can be found here: Digital signature for a self created file set (DSB).
Note: Unfortunately, this procedure is not yet well documented by IBM. There is a manual page for the dsblkgen command (generating a DSB) and the shell script dsblkchk, whose code is available for viewing. We gained all further insights using truss.