The term packaging generically refers to the method for distributing and installing software products to systems where the products will be used. A package is a collection of files and directories in a defined format. This format conforms to the application binary interface (ABI), which is a supplement to the System V Interface Definition. The Solaris OS provides a set of utilities that interpret this format and provide the means to install a package, to remove a package, or to verify a package installation.
A patch is an accumulation of fixes for a known or potential problem within the Solaris OS or other supported software. A patch can also provide a new feature or an enhancement to a particular software release. A patch consists of files and directories that replace or update existing files and directories. Most Solaris patches are delivered as a set of sparse packages.
A sparse package contains only those objects that have been altered since the packages were first delivered as part of the Solaris distribution. Sparse packages accommodate patches that are smaller than if they were redistributed as complete packages to provide software updates. Delivering sparse packages also minimizes the changes that are made to the customer's environment. For more information about patches, see Broken Link (Target ID: SWMGRPATCHCONCEPTS-30492).
Packages can include a digital signature. A package with a valid digital signature ensures that the package has not been modified since the signature was applied to the package. Using signed packages is a secure method of downloading or adding packages because the digital signature can be verified before the package is added to your system.
The same holds true for signed patches. A patch with a valid digital signature ensures that the patch has not been modified since the signature was applied to the patch. Using signed patches is a secure method of downloading or applying patches because the digital signature can be verified before the patch is applied to your system.
For more information about applying signed patches to your system, see Broken Link (Target ID: SWMGRPATCHTASKS-14).
For information about creating signed packages, see Application Packaging Developer’s Guide.
A signed package is identical to an unsigned package, except for the digital signature. The package can be installed, queried, or removed with existing Solaris packaging tools. A signed package is also binary-compatible with an unsigned package.
Before you can use pkgadd and patchadd to add a package or patch with a digital signature to your system, you must set up a package keystore with trusted certificates. These certificates are used to identify that the digital signature on the package or patch is valid.
Access to a package keystore is protected by a special password that you specify when you import the Oracle certificates into your system's package keystore.
For instructions on using certificates to verify signed packages and patches, go to http://download.oracle.com/docs/cd/E17476_01/javase/1.4.2/docs/tooldocs/solaris/keytool.html.
The following describes the general terms associated with signed packages and patches.
A repository of certificates and keys that is queried when needed.
Java keystore – A repository of certificates that is installed by default with the Solaris release. The Java keystore is usually stored in the /usr/j2se/jre/lib/security directory.
Package keystore – A repository of certificates that you import when adding signed packages and patches to your system.
The package keystore is stored in the /var/sadm/security directory by default.
A certificate that holds a public key that belongs to another entity. The trusted certificate is named as such because the keystore owner trusts that the public key in the certificate indeed belongs to the identity identified by the subject or owner of the certificate. The issuer of the certificate vouches for this trust by signing the certificate.
Trusted certificates are used when verifying signatures, and when initiating a connection to a secure (SSL) server.
Holds sensitive cryptographic key information. This information is stored in a protected format to prevent unauthorized access. A user key consists of both the user's private key and the public key certificate that corresponds to the private key.
The process of using the pkgadd or patchadd command to add a signed package or patch to your system involves three basic steps:
Adding the certificates to your system's package keystore by using the pkgadm command.
(Optional) Listing the certificates by using the pkgadm command.
Adding the package with the pkgadd command or applying the patch by using the patchadd command.
For step-by-step instructions on applying signed patches to your system with the patchadd command, see Broken Link (Target ID: SWMGRPATCHTASKS-14).