This chapter describes how to add, verify, and remove software packages by using the package commands.
For information on the procedures associated with performing these tasks, see:
Adding and Removing Signed Packages by Using the pkgadd Command (Task Map)
Managing Software Packages by Using Package Commands (Task Map)
The following task map describes software management tasks that you can perform with signed package commands.
Task | Description | For Instructions |
---|---|---|
Import a certificate. | You can import a trusted certificate by using the pkgadm addcert command. | How to Import a Trusted Certificate From the Java Keystore (pkgadm addcert) |
Print the details of one or more certificates. | You can print the details of a certificate by using the pkgadm listcert command. | |
Remove a certificate. | You can remove a certificate by using the pkgadm removecert command. | |
Set up a proxy server. | Use this procedure for systems that are set up behind a firewall with a proxy. | |
Add a signed package. | After the root certificate is imported, you can add a signed package by using the pkgadd command. | |
The following procedures explain how to add and remove signed packages by using the pkgadd command.
Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Verify that the root certificate authority (CA) certificate exists in the Java™ keystore.
```
# keytool -storepass storepass -list -keystore certfile
```
keytool: Manages a Java keystore (database) of private keys and their associated X.509 certificate chains that authenticate the corresponding public keys. Also manages certificates from trusted entities. For more information on the keytool utility, see keytool-Key and Certificate Management Tool.
-storepass storepass: Specifies the password that protects the integrity of the keystore.
-list: By default, prints the MD5 fingerprint of a certificate.
-keystore certfile: Specifies the name and location of the persistent keystore file.
Export the root CA certificate from the Java keystore to a temporary file.
```
# keytool -export -storepass storepass -alias verisignclass2g2ca -keystore /usr/java/jre/lib/security/cacerts certfile -file filename
```
-export: Exports the trusted certificate.
-storepass storepass: Specifies the password that protects the integrity of the Java keystore.
-alias verisignclass2g2ca: Identifies the alias of the trusted certificate.
-keystore certfile: Specifies the name and location of the keystore file.
-file filename: Identifies the file to hold the exported certificate.
Import a trusted certificate to the package keystore.
```
# pkgadm addcert -t -f format certfile
```
-t: Indicates that the certificate is a trusted CA certificate. The output includes the details of the certificate, which the user is asked to verify.
-f format: Specifies the format of certificates and private keys. When you import a certificate, it must be encoded using PEM or binary DER format.
certfile: Specifies the file that contains the certificate.
Remove the temporary file.
```
# rm /tmp/file-name
```
For more information, see the pkgadm(1M) man page.
The following example shows how to import a trusted certificate. In this example, Sun's root CA certificate is imported from the Java keystore into the package keystore by using the keytool command.
```
# keytool -export -storepass changeit -alias verisignclass2g2ca \
-keystore /usr/java/jre/lib/security/cacerts -file /tmp/root.crt
Certificate stored in file </tmp/root.crt>

# pkgadm addcert -t -f der /tmp/root.crt
Keystore Alias: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Certificate Type: Trusted Certificate
Issuer Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Validity Dates: <May 18 00:00:00 1998 GMT> - <Aug 1 23:59:59 2028 GMT>
MD5 Fingerprint: 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D

Are you sure you want to trust this certificate? yes
Trusting certificate </C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O>
Type a Keystore protection Password. xxxxxx
Press ENTER for no protection password (not recommended):
For Verification: Type a Keystore protection Password.
Press ENTER for no protection password (not recommended):
Certificate(s) from </tmp/root.crt> are now trusted
```
Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Display the contents of the package keystore.
```
# pkgadm listcert -P passarg
```
The following example shows how to display the details of a locally stored certificate.
```
# pkgadm listcert -P pass:test123
Keystore Alias: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Certificate Type: Trusted Certificate
Issuer Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Validity Dates: <May 18 00:00:00 1998 GMT> - <Aug 1 23:59:59 2028 GMT>
MD5 Fingerprint: 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
```
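The listing above is what decides which signers pkgadd will accept, so it is worth checking mechanically. The following is an added example, not part of the original guide: it compares each SHA1 fingerprint in `pkgadm listcert` output with a pinned list and checks the end of the validity period. The function name, the pinned list, the date argument and the second sample certificate are assumptions made for the example.

```shell
#!/bin/sh
# Added example: check the trust anchors that `pkgadm listcert` reports.

# audit_keystore LISTING PINS TODAY
#   LISTING  text printed by `pkgadm listcert`
#   PINS     SHA1 fingerprints you expect, separated by whitespace
#            (assumption: kept in a list obtained out of band)
#   TODAY    current date as YYYYMMDD, passed in for reproducible results
# Prints "OK|EXPIRED|UNPINNED <alias>" for each certificate and returns 1
# when any certificate is unpinned or past its end date.
audit_keystore() {
    pins=$(printf '%s' "$2" | tr -d ':' | tr 'abcdef\n\t' 'ABCDEF  ')
    printf '%s\n' "$1" | awk -v pins="$pins" -v today="$3" '
        BEGIN { n = split(pins, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        /^[ \t]*Keystore Alias:/ {
            sub(/^[ \t]*Keystore Alias:[ \t]*/, "")
            alias = $0; notafter = 0      # no end date seen yet: treated as expired
        }
        /^[ \t]*Validity Dates:/ {
            # Keep the end date from "<start> - <Aug 1 23:59:59 2028 GMT>"
            s = $0; sub(/^.*- </, "", s); sub(/>.*$/, "", s)
            split(s, d, " ")
            m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", d[1]) + 2) / 3
            notafter = sprintf("%04d%02d%02d", d[4], m, d[2])
        }
        /^[ \t]*SHA1 Fingerprint:/ {
            sub(/^[ \t]*SHA1 Fingerprint:[ \t]*/, "")
            fp = toupper($0); gsub(/[: \t]/, "", fp)
            if (!(fp in ok)) {
                st = "UNPINNED"; bad = 1
            } else if (notafter + 0 < today + 0) {
                st = "EXPIRED"; bad = 1
            } else {
                st = "OK"
            }
            print st " " alias
        }
        END { exit (bad ? 1 : 0) }
    '
}

# First entry: values as shown in the listing on this page.
# Second entry: constructed for the example.
SAMPLE_LISTING=$(cat <<'EOF'
Keystore Alias: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Certificate Type: Trusted Certificate
Validity Dates: <May 18 00:00:00 1998 GMT> - <Aug 1 23:59:59 2028 GMT>
SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D

Keystore Alias: /CN=Constructed Test CA
Certificate Type: Trusted Certificate
Validity Dates: <Jan 1 00:00:00 2020 GMT> - <Jan 1 00:00:00 2035 GMT>
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
EOF
)
# Pinned value copied from this page; confirm it against the CA before use.
PINNED_SHA1="b3:ea:c4:47:76:c9:c8:1c:ea:f2:9d:95:b6:cc:a0:08:1b:67:ec:9d"

audit_keystore "$SAMPLE_LISTING" "$PINNED_SHA1" 20240101 ||
    echo "review the package keystore before adding signed packages"
```

On a live system, pass the output of `pkgadm listcert` as the first argument and the current date as the third.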
Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Remove the trusted certificate from the package keystore.
```
# pkgadm removecert -n "certfile"
```
The removecert -n "certfile" option specifies the alias of the user certificate/key pair or the alias of the trusted certificate.
View the alias names for certificates by using the pkgadm listcert command.
The following example shows how to remove a certificate.
```
# pkgadm listcert
Keystore Alias: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Certificate Type: Trusted Certificate
Issuer Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Validity Dates: <May 18 00:00:00 1998 GMT> - <Aug 1 23:59:59 2028 GMT>
MD5 Fingerprint: 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
# pkgadm removecert -n "/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O"
Enter Keystore Password: storepass
Successfully removed Certificate(s) with alias \
</C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O>
```
If your system is behind a firewall with a proxy, you will need to set up a proxy server before you can add a package from an HTTP server by using the pkgadd command.
Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Select one of the following methods to specify a proxy server.
Specify the proxy server by using the http_proxy, HTTPPROXY, or HTTPPROXYPORT environment variable.
For example:
```
# setenv http_proxy http://mycache.domain:8080
```
Or, specify one of the following:
```
# setenv HTTPPROXY mycache.domain
# setenv HTTPPROXYPORT 8080
```
Specify the proxy server on the pkgadd command line.
For example:
```
# pkgadd -x mycache.domain:8080 -d http://myserver.com/pkg SUNWpkg
```
Create an administration file that includes proxy server information.
For example:
```
# cat /tmp/admin
mail=
instance=unique
partial=ask
runlevel=ask
idepend=ask
rdepend=ask
space=ask
setuid=ask
conflict=ask
action=ask
networktimeout=60
networkretries=3
authentication=quit
keystore=/var/sadm/security
basedir=default
proxy=mycache.domain:8080
```
Then, identify the administration file by using the pkgadd -a command. For example:
```
# pkgadd -a /tmp/admin -d http://myserver.com/pkg SUNWpkg
```
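The administration file that carries the proxy setting also carries the authentication and keystore settings that apply to the package being downloaded, so it is worth checking the file before passing it to pkgadd -a. The following is an added example, not part of the original guide. The function name, its policy and the second sample file are assumptions; the nocheck value is taken from the admin(4) man page rather than from this page.

```shell
#!/bin/sh
# Added example: lint a pkgadd administration file before using it with -a.

# audit_admin [KEYSTORE] < admin-file
#   KEYSTORE  keystore path you expect (default: the path used on this page)
# Prints one "FINDING ..." line per problem and returns 1 if there are any.
audit_admin() {
    awk -v want="${1:-/var/sadm/security}" '
        function flag(msg) { print "FINDING " msg; bad = 1 }
        /^[ \t]*#/ || !/=/ { next }            # comments and blank lines
        {
            key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t]/, "", val)
            cfg[key] = val
        }
        END {
            # quit aborts when a signature cannot be verified;
            # nocheck (see admin(4)) skips the check.
            if (!("authentication" in cfg)) {
                flag("authentication is not set; state authentication=quit explicitly")
            } else if (cfg["authentication"] != "quit") {
                flag("authentication=" cfg["authentication"] " does not stop on a failed signature check")
            }
            # A different keystore means a different set of trusted CAs.
            if (("keystore" in cfg) && cfg["keystore"] != want) {
                flag("keystore=" cfg["keystore"] " is not " want)
            }
            # nocheck suppresses the prompt for setuid files, root-run
            # package scripts and file conflicts.
            n = split("setuid action conflict", k, " ")
            for (i = 1; i <= n; i++) {
                if ((k[i] in cfg) && cfg[k[i]] == "nocheck") {
                    flag(k[i] "=nocheck installs without asking")
                }
            }
            exit (bad ? 1 : 0)
        }
    '
}

# The administration file shown on this page.
PAGE_ADMIN='mail=
instance=unique
partial=ask
runlevel=ask
idepend=ask
rdepend=ask
space=ask
setuid=ask
conflict=ask
action=ask
networktimeout=60
networkretries=3
authentication=quit
keystore=/var/sadm/security
basedir=default
proxy=mycache.domain:8080'

# Constructed file of the kind written to avoid prompts.
WEAK_ADMIN='mail=
instance=overwrite
setuid=nocheck
conflict=nocheck
action=nocheck
authentication=nocheck
keystore=/tmp/keystore
proxy=mycache.domain:8080'

printf '%s\n' "$PAGE_ADMIN" | audit_admin && echo "page admin file: no findings"
printf '%s\n' "$WEAK_ADMIN" | audit_admin || echo "constructed admin file: review before use"
```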
This procedure assumes that you have imported Sun's root CA certificate. For more information, see How to Import a Trusted Certificate From the Java Keystore (pkgadm addcert).
Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Add a signed package.
```
# pkgadd -d /pathname/device-name
```
The -d device-name option specifies the device from which the package is installed. The device can be a directory, tape, diskette, or removable disk. The device can also be a data stream created by the pkgtrans command.
The following example shows how to add a signed package that is stored on the system.
```
# pkgadd -d /tmp/signed_pppd
The following packages are available:
  1  SUNWpppd     Solaris PPP Device Drivers
                  (sparc) 11.10.0,REV=2003.05.08.12.24

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: all
Enter keystore password:
## Verifying signature for signer <User Cert 0>
. . .
```
The following example shows how to install a signed package using an HTTP URL as the device name. The URL must point to a stream-formatted package.
```
# pkgadd -d http://install/signed-video.pkg

## Downloading...
..............25%..............50%..............75%..............100%
## Download Complete
. . .
```
The following task map describes the software management tasks that you can perform with the package commands for both signed and unsigned packages.
Task | Description | For Instructions |
---|---|---|
Add software packages to the local system. | You can add software packages to the local system by using the pkgadd command. | |
Add software packages to a spool directory. | You can add software packages to a spool directory without actually installing the software. | |
List information about all installed software packages. | You can list information about installed packages by using the pkginfo command. | How to List Information About All Installed Packages (pkginfo) |
Check the integrity of installed software packages. | You can verify the integrity of installed software packages by using the pkgchk command. | How to Check the Integrity of Installed Software Packages (pkgchk) |
Check the integrity of an installed object. | You can verify the integrity of an installed object by using the pkgchk command with the -p and -P options. The -p option specifies the full path name. The new -P option specifies a partial path name. | How to Check the Integrity of Installed Objects (pkgchk -p, pkgchk -P) |
Remove software packages. | You can remove unneeded software packages by using the pkgrm command. | |
The following procedures explain how to manage software packages by using package commands.
Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Remove any already installed packages with the same names as the packages you are adding.
This step ensures that the system keeps a proper record of software that has been added and removed. Sometimes, you might want to maintain multiple versions of the same application on the system. For strategies on maintaining multiple software copies, see Guidelines for Removing Packages (pkgrm). For task information, see How to Remove Software Packages (pkgrm).
Add a software package to the system.
```
# pkgadd -a admin-file -d device-name pkgid ...
```
-a admin-file: (Optional) Specifies an administration file that the pkgadd command should check during the installation. For details about using an administration file, see Using an Administration File.
-d device-name: Specifies the absolute path to the software packages. device-name can be the path to a device, a directory, or a spool directory. If you do not specify the path where the package resides, the pkgadd command checks the default spool directory (/var/spool/pkg). If the package is not there, the package installation fails.
pkgid: (Optional) Is the name of one or more packages, separated by spaces, to be installed. If omitted, the pkgadd command installs all available packages from the specified device, directory, or spool directory.
If the pkgadd command encounters a problem during installation of the package, it displays a message related to the problem, followed by this prompt:
```
Do you want to continue with this installation?
```
Respond with yes, no, or quit. If more than one package has been specified, type no to stop the installation of the package being installed. The pkgadd command continues to install the other packages. Type quit to stop the installation.
Verify that the package has been installed successfully.
```
# pkgchk -v pkgid
```
If no errors occur, a list of installed files is returned. Otherwise, the pkgchk command reports the error.
The following example shows how to install the SUNWpl5u package from a mounted Solaris 10 CD. The example also shows how to verify that the package files were installed properly.
```
# pkgadd -d /media/Solaris_11/Product SUNWpl5u
. . .
Installation of <SUNWpl5u> was successful.
# pkgchk -v SUNWpl5u
/usr
/usr/bin
/usr/bin/perl
/usr/perl5
/usr/perl5/5.8.4
. . .
```
If the packages you want to install are available from a remote system, you can manually mount the directory that contains the packages (in package format) and install packages on the local system.
The following example shows how to install software packages from a remote system. In this example, assume that the remote system named package-server has software packages in the /latest-packages directory. The mount command mounts the packages locally on /mnt. The pkgadd command installs the SUNWpl5u package.
```
# mount -F nfs -o ro package-server:/latest-packages /mnt
# pkgadd -d /mnt SUNWpl5u
. . .
Installation of <SUNWpl5u> was successful.
```
If the automounter is running at your site, you do not need to mount the remote package server manually. Instead, use the automounter path, in this case, /net/package-server/latest-packages, as the argument to the -d option.
```
# pkgadd -d /net/package-server/latest-packages SUNWpl5u
. . .
Installation of <SUNWpl5u> was successful.
```
This example is similar to the previous example, except that it uses the -a option and specifies an administration file named noask-pkgadd, which is illustrated in Avoiding User Interaction When Adding Packages (pkgadd). In this example, assume that the noask-pkgadd administration file is in the default location, /var/sadm/install/admin.
```
# pkgadd -a noask-pkgadd -d /net/package-server/latest-packages SUNWpl5u
. . .
Installation of <SUNWpl5u> was successful.
```
The following example shows how to install a package using an HTTP URL as the device name. The URL must point to a stream-formatted package.
```
# pkgadd -d http://install/xf86-4.3.0-video.pkg

## Downloading...
..............25%..............50%..............75%..............100%
## Download Complete

The following packages are available:
  1  SUNWxf86r     XFree86 Driver Porting Kit (Root)
                   (i386) 4.3.0,REV=0.2003.02.28
  2  SUNWxf86u     XFree86 Driver Porting Kit (User)
                   (i386) 4.3.0,REV=0.2003.02.28
. . .
```
For convenience, you can copy frequently installed packages to a spool directory. If you copy packages to the default spool directory, /var/spool/pkg, you do not need to specify the source location of the package (-d device-name argument) when you use the pkgadd command. The pkgadd command, by default, checks the /var/spool/pkg directory for any packages that are specified on the command line. Note that copying packages to a spool directory is not the same as installing the packages on a system.
Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Remove any already spooled packages with the same names as the packages you are adding.
For information on removing spooled packages, see Example 20–20.
Add a software package to a spool directory.
```
# pkgadd -d device-name -s spooldir pkgid ...
```
-d device-name: Specifies the absolute path to the software packages. device-name can be the path to a device, a directory, or a spool directory.
-s spooldir: Specifies the name of the spool directory where the package will be spooled. You must specify a spooldir.
pkgid: (Optional) Is the name of one or more packages, separated by spaces, to be added to the spool directory. If omitted, the pkgadd command copies all available packages.
Verify that the package has been copied successfully to the spool directory.
```
$ pkginfo -d spooldir | grep pkgid
```
If pkgid was copied correctly, the pkginfo command returns a line of information about the pkgid. Otherwise, the pkginfo command returns the system prompt.
The following example shows how to transfer the SUNWman package from a mounted SPARC based Solaris 10 CD to the default spool directory (/var/spool/pkg).
```
# pkgadd -d /media/Solaris_11/Product -s /var/spool/pkg SUNWman
Transferring <SUNWman> package instance
```
If packages you want to copy are available from a remote system, you can manually mount the directory that contains the packages, in package format, and copy them to a local spool directory.
The following example shows the commands for this scenario. In this example, assume that the remote system named package-server has software packages in the /latest-packages directory. The mount command mounts the package directory locally on /mnt. The pkgadd command copies the SUNWpl5p package from /mnt to the default spool directory (/var/spool/pkg).
```
# mount -F nfs -o ro package-server:/latest-packages /mnt
# pkgadd -d /mnt -s /var/spool/pkg SUNWpl5p
Transferring <SUNWpl5p> package instance
```
If the automounter is running at your site, you do not have to mount the remote package server manually. Instead, use the automounter path, in this case, /net/package-server/latest-packages, as the argument to the -d option.
```
# pkgadd -d /net/package-server/latest-packages -s /var/spool/pkg SUNWpl5p
Transferring <SUNWpl5p> package instance
```
The following example shows how to install the SUNWpl5p package from the default spool directory. When no options are used, the pkgadd command searches the /var/spool/pkg directory for the named packages.
```
# pkgadd SUNWpl5p
. . .
Installation of <SUNWpl5p> was successful.
```
This example shows how to list all packages installed on a local system, whether that system is a stand-alone system or a server. The output shows the primary category, package name, and the description of the package.
```
$ pkginfo
system      SUNWaccr       System Accounting, (Root)
system      SUNWaccu       System Accounting, (Usr)
system      SUNWadmap      System administration applications
system      SUNWadmc       System administration core libraries
. . .
```
This example shows how to list all packages installed on a system by specifying the long format, which includes all available information about the designated packages.
```
$ pkginfo -l SUNWcar
   PKGINST:  SUNWcar
      NAME:  Core Architecture, (Root)
  CATEGORY:  system
      ARCH:  sparc.sun4u
   VERSION:  11.9.0,REV=2002.04.06.15.27
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  core software for a specific hardware platform group
    PSTAMP:  leo20031003183400
  INSTDATE:  Feb 20 2004 16:57
   HOTLINE:  Please contact your local service provider
    STATUS:  completely installed
     FILES:  114 installed pathnames
             36 shared pathnames
             40 directories
             57 executables
             21469 blocks used (approx)
```
Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Check the status of an installed package.
To check the file attributes and contents, type the following:
```
# pkgchk -a| -c -v pkgid ...
```
To specify the absolute path of the spool directory, type the following:
```
# pkgchk -d spooldir pkgid ...
```
-a: Specifies to audit only the file attributes (the permissions), rather than the file attributes and the contents, which is the default.
-c: Specifies to audit only the file contents, rather than the file contents and attributes, which is the default.
-v: Specifies verbose mode, which displays file names as they are processed.
-d spooldir: Specifies the absolute path of the spool directory.
pkgid: (Optional) Is the name of one or more packages, separated by spaces. If you do not specify a pkgid, all the software packages installed on the system are checked.
The following example shows how to check the contents of a package.
```
# pkgchk -c SUNWbash
```
If no errors occur, the system prompt is returned. Otherwise, the pkgchk command reports the error.
The following example shows how to check the file attributes of a package.
```
# pkgchk -a SUNWbash
```
If no errors occur, the system prompt is returned. Otherwise, the pkgchk command reports the error.
The following example shows how to check a software package that was copied to a spool directory (/export/install/packages).
```
# pkgchk -d /export/install/packages
## checking spooled package <SUNWadmap>
## checking spooled package <SUNWadmfw>
## checking spooled package <SUNWadmc>
## checking spooled package <SUNWsadml>
```
The checks made on a spooled package are limited because not all information can be audited until a package is installed.
This procedure explains how to use the pkgchk command to check the integrity of installed objects. The new -P option enables you to specify a partial path. This option has been added to assist you in mapping files to packages. Use this option with the -l option to list the information about the files that contain the partial path. Use the -p option to check the integrity of installed objects by specifying the full path. For more information, see the pkgchk(1M) man page.
Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Check the integrity of an installed object.
To verify the integrity of an installed object for a full path name or path names, type the following:
```
# pkgchk -lp path-name
```
To verify the integrity of an installed object for a partial-path name or path names, type the following:
```
# pkgchk -lP partial-path-name
```
-p path-name: Checks the accuracy only of the path name or path names that are listed. Path can be one or more path names separated by commas.
-P partial-path-name: Checks the accuracy of only the partial path name or path names that are listed. The partial-path can be one or more partial path names separated by commas. Matches any path name that contains the string contained in the partial path.
-l: Lists information about the selected files that make up a package. This option is not compatible with the -a, -c, -f, -g, and -v options.
This example shows you how to use the pkgchk -lp command to check the contents/attributes of an object on a file system by specifying the full path name. The -l option lists information on the selected files that make up a package.
```
# pkgchk -lp /usr/sbin/pkgadd
Pathname: /usr/sbin/pkgadd
Type: regular file
Expected mode: 0555
Expected owner: root
Expected group: sys
Expected file size (bytes): 867152
Expected sum(1) of contents: 45580
Expected last modification: Jul 02 02:20:34 2004
Referenced by the following packages:
        SUNWpkgcmdsu
Current status: installed
```
This example shows you how to use the pkgchk -lP command to check the contents/attributes of an object on a file system by specifying a partial path name, such as a file or directory name. The -l option lists information on the selected files that make up a package.
```
# pkgchk -lP /sbin/pkgadd
Pathname: /usr/sbin/pkgadd
Type: regular file
Expected mode: 0555
Expected owner: root
Expected group: sys
Expected file size (bytes): 867152
Expected sum(1) of contents: 45580
Expected last modification: Jul 02 02:20:34 2004
Referenced by the following packages:
        SUNWpkgcmdsu
Current status: installed

Pathname: /usr/sbin/pkgask
Type: linked file
Source of link: ../../usr/sbin/pkgadd
Referenced by the following packages:
        SUNWpkgcmdsu
Current status: installed
```
To remove or uninstall a software package, use the associated tool that you used to add or install a software package. For example, if you used the Solaris installation GUI to install software, use the Solaris installation GUI to uninstall software.
Do not use the rm command to remove software packages. Doing so will result in inaccuracies in the database that keeps track of all installed packages on the system.
Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Remove an installed package.
```
# pkgrm pkgid ...
```
pkgid identifies the name of one or more packages, separated by spaces, to be removed. If omitted, the pkgrm command removes all available packages.
This example shows how to remove a package.
```
# pkgrm SUNWctu
The following package is currently installed:
   SUNWctu         Netra ct usr/platform links (64-bit)
                   (sparc.sun4u) 11.9.0,REV=2001.07.24.15.53

Do you want to remove this package? y

## Removing installed package instance <SUNWctu>
## Verifying package dependencies.
## Processing package information.
## Removing pathnames in class <none>
. . .
```
This example shows how to remove a spooled package.
```
# pkgrm -s /export/pkg SUNWaudh
The following package is currently spooled:
   SUNWaudh       Audio Header Files
                  (sparc) 11.10.0,REV=2003.08.08.00.03
Do you want to remove this package? y
Removing spooled package instance <SUNWaudh>
```