Packages can include a digital signature. A valid digital signature on a package ensures that the package has not been modified since the signature was applied. Using signed packages is a secure method of downloading or adding packages because the digital signature can be verified before the package is added to your system.
The same holds true for signed patches. A valid digital signature on a patch ensures that the patch has not been modified since the signature was applied. Using signed patches is a secure method of downloading or adding patches because the digital signature can be verified before the patch is added to your system.
For more information about adding signed patches to your system, see Adding Signed Patches With patchadd Command (Task Map).
For information about creating signed packages, see Application Packaging Developer's Guide.
A signed package is identical to an unsigned package, except for the digital signature. The package can be installed, queried, or removed with existing Solaris packaging tools. A signed package is also binary-compatible with an unsigned package.
Before you can add a package or patch with a digital signature to your system, you must set up a package keystore with trusted certificates. These certificates are used to verify that the digital signature on the package or patch is valid.
The following table describes the general terms associated with signed packages and patches.
The process of adding a signed package or patch to your system involves three basic steps:
1. Adding the certificates to your system's package keystore with the pkgadm command
2. (Optional) Listing the certificates with the pkgadm command
3. Adding the package with the pkgadd command or adding the patch with the patchadd command
For step-by-step instructions on adding signed packages to your system, see Adding and Removing Signed Packages (Task Map). For step-by-step instructions on adding signed patches to your system, see Adding Signed Patches With patchadd Command (Task Map).
A stream-formatted SVR4-signed package or patch contains an embedded PEM-encoded PKCS7 signature. This signature contains at a minimum the encrypted digest of the package or patch, along with the signer's X.509 public key certificate. The package or patch can also contain a certificate chain that is used to form a chain of trust from the signer's certificate to a locally stored trusted certificate.
The PEM-encoded PKCS7 signature is used to verify the following:
The package came from the entity that signed it.
The entity indeed signed it.
The package hasn't been modified since the entity signed it.
The entity that signed it is a trusted entity.
The following table describes the encryption terminology associated with signed packages and patches.
Digital certificates, issued and authenticated by Sun Microsystems, are used to verify that the downloaded package or patch with the digital signature has not been compromised. These certificates are imported into your system's keystore.
All Sun certificates are issued by Baltimore Technologies, which recently bought GTE CyberTrust.
Access to a keystore is protected by a special password that you specify when you import the Sun certificates into your system's keystore.
If you use the pkgadm listcert command, you can view information about your locally stored certificates in the package keystore. For example:
# pkgadm listcert -P pass:store-pass
Keystore Alias: GTE CyberTrust Root
Common Name: GTE CyberTrust Root
Certificate Type: Trusted Certificate
Issuer Common Name: GTE CyberTrust Root
Validity Dates: <Feb 23 23:01:00 1996 GMT> - <Feb 23 23:59:00 2006 GMT>
MD5 Fingerprint: C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC:65:A6...
The following table describes the output of the pkgadm listcert command.
Each certificate is authenticated by comparing its MD5 and SHA1 hashes, also called fingerprints, against the known correct fingerprints published by the issuer.
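The fingerprint comparison described above can be scripted so that it is an exact match rather than a visual check. The following is an added example, not part of the original documentation or of the Solaris tools: the function names cert_fingerprint and verify_cert are hypothetical, and the sample input is the listcert output shown above with constructed leading padding. Because the match must be complete, the truncated SHA1 value in that output is rejected rather than accepted as a prefix.

```shell
#!/bin/sh
# Added example: check a `pkgadm listcert` entry against the fingerprint
# the issuer publishes. Function names are hypothetical.

# Constructed sample: the listcert output shown above, one field per line.
# The SHA1 value is truncated on the page and is kept truncated here.
sample_listcert() {
cat <<'EOF'
    Keystore Alias: GTE CyberTrust Root
       Common Name: GTE CyberTrust Root
  Certificate Type: Trusted Certificate
Issuer Common Name: GTE CyberTrust Root
    Validity Dates: <Feb 23 23:01:00 1996 GMT> - <Feb 23 23:59:00 2006 GMT>
   MD5 Fingerprint: C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
  SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC:65:A6...
EOF
}

# cert_fingerprint ALIAS TYPE: read listcert output on stdin and print the
# TYPE (MD5 or SHA1) fingerprint of entry ALIAS without separators.
cert_fingerprint() {
    awk -v want_alias="$1" -v fp_type="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^Keystore Alias:/ { sub(/^Keystore Alias:[ \t]*/, ""); cur = $0; next }
        cur == want_alias && index($0, fp_type " Fingerprint:") == 1 {
            sub(/^[^:]*:[ \t]*/, ""); gsub(/[: \t]/, "")
            print toupper($0); exit
        }'
}

# verify_cert ALIAS TYPE PUBLISHED: succeed only if the stored fingerprint
# is complete hex of the expected length and equals PUBLISHED exactly.
verify_cert() {
    case "$2" in MD5) len=32 ;; SHA1) len=40 ;; *) return 2 ;; esac
    want=$(printf '%s' "$3" | tr -d ': ' | tr '[:lower:]' '[:upper:]')
    have=$(cert_fingerprint "$1" "$2")
    case "$have" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#have}" -eq "$len" ] && [ "$have" = "$want" ]
}

# On a live system: pkgadm listcert -P pass:store-pass | verify_cert ...
```

Take the published value from a source other than the one that supplied the certificate, and run the check for both the MD5 and the SHA1 fingerprint.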
SunSolve Online uses the following certificates to verify the digital signatures on signed patches with the previous Solaris patch management tools (smpatch command), including PatchPro:
Top-level certificate, called the Root Certificate Authority (CA)
A subordinate CA, which is the Sun Microsystems Inc., CA Class B certificate.
An additional certificate issued by Sun Enterprise™ Services, called the patch management certificate
A certificate authority certifies the relationship between the public keys that are used to decrypt the digital signature on the patch and the owner of those public keys.
The Sun Root CA, Sun Class B CA, and the patch signing certificate are included with the Solaris patch management tools, including PatchPro. These three certificates provide a certificate chain of trust in the patch verification process whereby the Sun Root CA trusts the Class B CA, and the Class B CA trusts the patch management certificate. And, ultimately, the GTE CyberTrust CA trusts the Sun Root CA.
You can obtain Sun's trusted certificates for adding signed packages and patches in the following ways:
Java keystore – Import Sun's Root CA certificate that is included by default in the Java keystore when you install the Solaris release.
Sun's Public Key Infrastructure (PKI) site – If you do not have a Java keystore available on your system, you can import the certificates from this site.
PatchPro's keystore – If you have installed PatchPro for adding signed patches with the smpatch command, you can import Sun's Root CA certificate from the Java keystore.
In previous Solaris releases, you could download the patch management tools and create a Java keystore, for use by PatchPro, by importing the certificates with the keytool command.
If your system already has a populated Java keystore, you can now export the Sun Microsystems root CA certificate from the Java keystore with the keytool command. Then, use the pkgadm command to import this certificate into the package keystore.
After the Root CA certificate is imported into the package keystore, you can use the pkgadd and patchadd commands to add signed packages and patches to your system.
The Sun Microsystems root-level certificates are only required when adding Sun-signed patches and packages.
For step-by-step instructions on importing certificates into the package keystore, see How to Import a Trusted Certificate into the Package Keystore (pkgadm addcert).
For complete instructions on adding signed packages with the pkgadd command, see Adding and Removing Signed Packages (Task Map).