System Administration Guide: Basic Administration

What Is a Patch?

A patch is a collection of files and directories that replaces or updates existing files and directories that are preventing proper execution of the existing software. The existing software is derived from a specified package format, which conforms to the Application Binary Interface. For details about packages, see Chapter 22, Managing Software (Overview).

What Is a Signed Patch?

A signed patch is a patch with a digital signature. A valid digital signature ensures that the patch has not been modified since the signature was applied. Using signed patches is a more secure method of downloading or adding patches because the signature can be verified before the patch is added to your system.

Patches that are available for the Solaris 2.6, 7, 8, and 9 releases include a digital signature. Patches without a digital signature, or unsigned patches, are also available, but eventually all patches will be signed patches.

Signed patches are stored in Java archive format (JAR) files and are available from the SunSolve Online web site.
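What "has not been modified since the signature was applied" means for a JAR-format patch is visible in the archive's own bookkeeping. The following is an added example, not Sun's code or the code of any Sun tool: it builds a JAR laid out the way jarsigner lays one out (a MANIFEST.MF with a SHA1-Digest per entry, a .SF signature file that digests the manifest and each manifest section) and then runs the integrity checks that detect an entry edited or added after signing. The signer alias SUNPATCH and the patch contents are constructed for the example. The PKCS#7 block (the .RSA file), which carries the signature over the .SF and the signer's certificate chain, is a placeholder here; checking that block against the certificates in your keystore is the job of jarsigner and the patch tools and is not implemented below.

```python
"""Integrity layer of a signed JAR patch: build one, verify it, detect tampering.

Constructed example. The PKCS#7 block that signs the .SF file with the patch
signing certificate's key is a placeholder; only the digest bookkeeping that
detects modification after signing is reproduced.
"""
import base64
import hashlib
import io
import zipfile

SIGNER = "SUNPATCH"  # assumed alias; names META-INF/SUNPATCH.SF and .RSA

# Constructed sample patch contents, not a real Sun patch.
PATCH_FILES = {
    "README": b"Constructed example patch, not a Sun patch\n",
    "reloc/usr/bin/foo": b"#!/bin/sh\necho fixed\n",
}


def _digest(data: bytes) -> str:
    """Base64 SHA-1, the digest form jarsigner of that era recorded."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def _parse_sections(text: str):
    """Split a manifest-style file into [(raw_section_text, {attr: value}), ...]."""
    out = []
    for piece in text.split("\r\n\r\n"):
        if not piece:
            continue
        attrs = {}
        for line in piece.split("\r\n"):
            if ": " in line:
                key, value = line.split(": ", 1)
                attrs[key] = value
        out.append((piece + "\r\n\r\n", attrs))
    return out


def build_signed_jar(entries, signer=SIGNER) -> bytes:
    """Return a JAR laid out like jarsigner output for the given {name: bytes}."""
    sections = [f"Name: {n}\r\nSHA1-Digest: {_digest(d)}\r\n\r\n" for n, d in entries.items()]
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(sections)
    # The .SF digests the whole manifest and each manifest section; the .RSA
    # block would then sign the .SF with the patch signing certificate's key.
    sf = f"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: {_digest(manifest.encode())}\r\n\r\n"
    sf += "".join(f"Name: {n}\r\nSHA1-Digest: {_digest(s.encode())}\r\n\r\n"
                  for n, s in zip(entries, sections))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr(f"META-INF/{signer}.SF", sf)
        z.writestr(f"META-INF/{signer}.RSA", b"placeholder: PKCS#7 signature block not produced")
        for n, d in entries.items():
            z.writestr(n, d)
    return buf.getvalue()


def verify_jar_integrity(jar_bytes: bytes, signer=SIGNER):
    """Return a list of problems; an empty list means nothing changed since signing."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = set(z.namelist())
        sf_name = f"META-INF/{signer}.SF"
        if sf_name not in names:
            return [f"{sf_name} missing: this is an unsigned patch"]
        manifest = z.read("META-INF/MANIFEST.MF")
        m_sections = _parse_sections(manifest.decode())
        sf_sections = _parse_sections(z.read(sf_name).decode())
        # 1. The .SF commits to the whole manifest.
        if sf_sections[0][1].get("SHA1-Digest-Manifest") != _digest(manifest):
            problems.append("MANIFEST.MF does not match SHA1-Digest-Manifest in the .SF")
        # 2. Each .SF entry commits to that entry's manifest section.
        m_by_name = {a["Name"]: raw for raw, a in m_sections[1:]}
        for _, a in sf_sections[1:]:
            raw = m_by_name.get(a["Name"])
            if raw is None or _digest(raw.encode()) != a["SHA1-Digest"]:
                problems.append(f"manifest section for {a['Name']} altered or missing")
        # 3. Each manifest entry commits to the file bytes actually in the JAR.
        for _, a in m_sections[1:]:
            n = a["Name"]
            if n not in names:
                problems.append(f"{n} listed in manifest but missing from JAR")
            elif _digest(z.read(n)) != a["SHA1-Digest"]:
                problems.append(f"{n} modified after signing")
        # 4. Anything added after signing is covered by no digest at all.
        for n in sorted(names):
            if not n.startswith("META-INF/") and n not in m_by_name:
                problems.append(f"{n} present in JAR but not covered by the signature")
    return problems


def tamper(jar_bytes: bytes, name: str, data: bytes) -> bytes:
    """Replace or add one entry without re-signing (a corrupted or hostile download)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(buf, "w") as dst:
        for n in src.namelist():
            dst.writestr(n, data if n == name else src.read(n))
        if name not in src.namelist():
            dst.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_signed_jar(PATCH_FILES)
    print("clean:", verify_jar_integrity(jar))
    print("edited:", verify_jar_integrity(tamper(jar, "reloc/usr/bin/foo", b"#!/bin/sh\necho tampered\n")))
    print("added:", verify_jar_integrity(tamper(jar, "reloc/usr/bin/extra", b"not signed\n")))
```

The point the checks make: the digests alone only tie the archive contents to the .SF file. Without the signature over the .SF, an attacker who edits an entry can simply regenerate the manifest and .SF to match, which is why the real verification must also check the PKCS#7 block against the Sun certificates imported into your keystore before the patch is added.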

Using Sun's Certificates to Verify Signed Patches

Digital certificates, issued and authenticated by Sun Microsystems, are used to verify that a downloaded patch archive carrying a digital signature has not been tampered with. These certificates are imported into your system's keystore. A keystore is a password-protected database of keys and certificates; the Sun certificates are imported into it with the keytool command. For information on using the keytool command, see How to Import Sun Certificates Into the Keystore.

Access to a keystore is protected by a special password that you specify when you import the Sun certificates into your system's keystore.

The SUNWcert package contains the Sun certificate authority (CA) certificates that you need to verify a patch's signature. You can obtain the SUNWcert package in the following ways:

You can verify that the certificates in the SUNWcert package match the certificate information at http://www.sun.com/pki/index.html.

SunPKI Registration Authorities

The Sun Public Key Infrastructure (SunPKI) architecture has one top-level certificate, the Sun Root CA (certificate authority), and one subordinate CA, the Sun Microsystems Inc. CA (Class B) certificate. An additional certificate, the patch management certificate (also called the patch signing certificate) issued to Sun Enterprise Services by the Class B CA, is used to verify the digital signatures on signed patches.

The Sun Root CA, the Sun Class B CA, and the patch signing certificate are included in the SUNWcert package.

These three certificates form the chain of trust used in patch verification: the Sun Root CA issues (signs) the Class B CA certificate, and the Class B CA issues the patch signing certificate. The Sun Root CA is in turn certified by the GTE CyberTrust CA.

Sun certificates are issued by Baltimore Technologies, which recently acquired GTE CyberTrust.

A certification authority certifies the binding between a public key, which is used to verify the digital signature on a patch, and the owner of that public key.

The Sun CA process means the following:

For more information about Sun's certificate policy, go to http://www.sun.com/pki/cps.html.

Revoked Sun Certificates

If the private key belonging to the Sun Root or Class B certificate is compromised (stolen or lost), the certificate is revoked and a certificate revocation list is posted at http://www.sun.com/pki/ca/pkismica.crl.html.

You should view this site occasionally to verify that your imported certificates are still valid. If your imported certificates are revoked, remove them from your keystore and import the replacement certificates.

If the patch signing certificate is revoked, the existing signed patches on the SunSolve web site are removed and replaced by patches with a new digital signature.