System Administration Guide: Basic Administration

Adding and Removing Signed Packages (Task Map)

The following task map describes the tasks for adding and removing signed packages.

Task: Import a certificate
Description: Import a trusted certificate with the pkgadm addcert command.
For Instructions: How to Import a Trusted Certificate into the Package Keystore (pkgadm addcert)

Task: (Optional) Display the details of one or more certificates
Description: Display the details of a certificate with the pkgadm listcert command.
For Instructions: How to Display Certificate Information (pkgadm listcert)

Task: (Optional) Remove a certificate
Description: Remove a certificate with the pkgadm removecert command.
For Instructions: How to Remove a Certificate (pkgadm removecert)

Task: (Optional) Set up a proxy server
Description: Specify a proxy server if your system is behind a firewall with a proxy.
For Instructions: How to Set Up a Proxy Server (pkgadd)

Task: Add a signed package
Description: After the root certificate is imported, you can add a signed package with the pkgadd command.
For Instructions: How to Add a Signed Package (pkgadd)

Task: (Optional) Remove a signed package
Description: Removing a signed package is identical to removing an unsigned package.
For Instructions: How to Remove Software Packages (pkgrm)

How to Import a Trusted Certificate into the Package Keystore (pkgadm addcert)

  1. Become superuser or assume an equivalent role.

  2. Verify that the Root CA certificate exists in the Java keystore.


    # keytool -storepass storepass -list -keystore certfile
    

    keytool

    Manages a Java keystore (database) of private keys and their associated X.509 certificate chains that authenticate the corresponding public keys. Also manages certificates from trusted entities. For more information on the keytool command, see keytool-Key and Certificate Management Tool.

    -storepass storepass

    Specifies the password that protects the integrity of the Java keystore. 

    -list

    By default, prints the MD5 fingerprint of a certificate. 

    -keystore certfile

    Specifies the name and location of the persistent Java keystore file. 

  3. Export the Root CA certificate from the Java keystore to a temporary file.


    # keytool -export -storepass storepass -alias gtecybertrustca \
        -keystore /usr/j2se/jre/lib/security/cacerts -file filename
    

    -export

    Exports the trusted certificate. 

    -storepass storepass

    Specifies the password that protects the integrity of the Java keystore. 

    -alias gtecybertrustca

    Identifies the alias of the trusted certificate. 

    -keystore certfile

    Specifies the name and location of the keystore file. 

    -file filename

    Identifies the file to hold the exported certificate. 

  4. Import a trusted certificate to the package keystore.


    # pkgadm addcert -t -f format certfile
    

    -t

    Indicates that the certificate is a trusted CA certificate. The command output includes the details of the certificate, which the user is asked to verify. 

    -f format

    Specifies the format of the certificates or private key. When importing a certificate, it must be encoded using either the PEM (pem) or binary DER (der) format.

    certfile

    Specifies the file that contains the certificate. 

    For more information, see the pkgadm man page.

  5. Remove the temporary file.

Example—Importing a Trusted Certificate

The following example shows how to import a trusted certificate. In this example, Sun's Root CA certificate is exported from the Java keystore with the keytool command and then imported into the package keystore with the pkgadm addcert command.


# keytool -export -storepass changeit -alias gtecybertrustca \
    -keystore /usr/j2se/jre/lib/security/cacerts -file /tmp/root.crt
Certificate stored in file </tmp/root.crt>
# pkgadm addcert -t -f der /tmp/root.crt
Enter Keystore Password: storepass
      Keystore Alias: GTE CyberTrust Root
         Common Name: GTE CyberTrust Root
    Certificate Type: Trusted Certificate
  Issuer Common Name: GTE CyberTrust Root
      Validity Dates:<Feb 23 23:01:00 1996 GMT>-<Feb 23 23:59:00 2006 GMT>
     MD5 Fingerprint: C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
    SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC...
Trusting certificate <GTE CyberTrust Root>
Type a Keystore protection Password.
Press ENTER for no protection password (not recommended): xxx
For Verification: Type a Keystore protection Password.
Press ENTER for no protection password (not recommended): xxx
Certificate(s) from </tmp/root.crt> are now trusted
# rm /tmp/root.crt
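The procedure above trusts whatever certificate happens to sit under the alias in the Java keystore. The following script, an added example that is not part of the Solaris guide, performs steps 3 to 5 but refuses to run pkgadm addcert unless the exported certificate's SHA-1 fingerprint equals a value you verified out of band; it also keeps the temporary file private and removes it on every exit path. It assumes keytool, pkgadm and openssl are on PATH; the alias, keystore path and pinned fingerprint in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Solaris guide: export a root CA certificate
# from the Java keystore, check its fingerprint against a value verified out
# of band, and only then import it into the package keystore (steps 3 to 5
# of the procedure). Assumes keytool, pkgadm and openssl are on PATH; the
# alias, paths and fingerprints used in comments are placeholders.

# Normalize a fingerprint for comparison: strip any "SHA1 Fingerprint="
# prefix (openssl prints one), drop colons and blanks, upper-case the hex.
normalize_fp() {
    printf '%s\n' "$1" | sed 's/^.*=//' | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# Succeed (exit 0) only when both arguments denote the same, non-empty
# fingerprint, whatever their colon placement or letter case.
fingerprints_match() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# SHA-1 fingerprint of a DER-encoded certificate file, as openssl prints it.
der_sha1_fingerprint() {
    openssl x509 -inform der -in "$1" -noout -fingerprint -sha1
}

# export_verify_import JAVA_KEYSTORE ALIAS EXPECTED_SHA1
#   Exports ALIAS from JAVA_KEYSTORE to a private temporary file, refuses
#   to continue unless the file's SHA-1 fingerprint equals EXPECTED_SHA1,
#   then imports it with "pkgadm addcert -t -f der". The temporary file is
#   removed on every exit path (step 5 of the guide).
export_verify_import() {
    java_ks=$1; alias=$2; expected=$3
    tmp=$(mktemp /tmp/root.crt.XXXXXX) || return 1
    trap 'rm -f "$tmp"' EXIT INT TERM

    # Step 3: export the certificate in DER form. The Java cacerts store is
    # shipped with the default store password "changeit".
    keytool -export -storepass "${JAVA_STOREPASS:-changeit}" \
        -alias "$alias" -keystore "$java_ks" -file "$tmp" || return 1

    # Gate the import on the pinned fingerprint: a modified cacerts file
    # must not be able to seed the package keystore with an unexpected CA.
    actual=$(der_sha1_fingerprint "$tmp") || return 1
    if ! fingerprints_match "$actual" "$expected"; then
        echo "refusing to trust '$alias': fingerprint $actual does not match the pinned value" >&2
        return 1
    fi

    # Step 4: import as a trusted CA certificate; pkgadm shows the details
    # and prompts for the package keystore password, as in the guide.
    pkgadm addcert -t -f der "$tmp"
}

# Usage (the fingerprint is a placeholder; substitute the value you verified):
#   JAVA_STOREPASS=changeit ./import_root_ca.sh \
#       /usr/j2se/jre/lib/security/cacerts gtecybertrustca <pinned-sha1-fingerprint>
if [ $# -eq 3 ]; then
    export_verify_import "$@"
fi
```

The script only defines functions unless it is given exactly three arguments, so it can be sourced to reuse fingerprints_match elsewhere. pkgadm addcert still shows the certificate details and asks for confirmation, exactly as in the example above; the fingerprint gate runs before that prompt, so an operator cannot be talked into accepting a certificate that was swapped in the Java keystore.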

How to Display Certificate Information (pkgadm listcert)

  1. Become superuser or assume an equivalent role.

  2. Display the contents of the package keystore.


    # pkgadm listcert
    

Example—Displaying Certificate Information (pkgadm listcert)

The following example shows how to display the details of a locally stored certificate.


# pkgadm listcert -P pass:storepass
    Keystore Alias: GTE CyberTrust Root
       Common Name: GTE CyberTrust Root
  Certificate Type: Trusted Certificate
Issuer Common Name: GTE CyberTrust Root
    Validity Dates: <Feb 23 23:01:00 1996 GMT> - <Feb 23 23:59:00 2006 GMT>
   MD5 Fingerprint: C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
  SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC...

How to Remove a Certificate (pkgadm removecert)

  1. Become superuser or assume an equivalent role.

  2. Remove the trusted certificate from the package keystore.


    # pkgadm removecert -n "certfile"

    The -n certfile option specifies the alias of the user certificate/key pair or the alias of the trusted certificate.


    Note –

    View the alias names for certificates with the pkgadm listcert command.


Example—Removing a Certificate (pkgadm removecert)

The following example shows how to remove a certificate.


# pkgadm listcert
Enter Keystore Password: storepass
      Keystore Alias: GTE CyberTrust Root
         Common Name: GTE CyberTrust Root
    Certificate Type: Trusted Certificate
  Issuer Common Name: GTE CyberTrust Root
      Validity Dates:<Feb 23 23:01:00 1996 GMT>-<Feb 23 23:59:00 2006 GMT>
     MD5 Fingerprint: C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
    SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC...
# pkgadm removecert -n "GTE CyberTrust Root"
Enter Keystore Password: storepass
Successfully removed Certificate(s) with alias <GTE CyberTrust Root>
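The listcert and removecert procedures above leave it to the operator to read the listing and decide which alias to remove. The following script, an added example that is not part of the Solaris guide, does that triage: it parses a pkgadm listcert listing, reports every alias that has expired or whose SHA1 fingerprint is not on a pinned allow-list, and prints the aliases to hand to pkgadm removecert -n. The embedded listing is constructed in the guide's output format with fictitious aliases and fingerprints, the allow-list and reference date are placeholders, and the live-keystore usage assumes the listing is piped in from pkgadm listcert.

```shell
#!/bin/sh
# Added example, not part of the Solaris guide: audit a "pkgadm listcert"
# listing and report, for every alias, whether it is still valid and whether
# its SHA1 fingerprint is on a pinned allow-list. The aliases it flags are
# the ones to pass to "pkgadm removecert -n". The listing below is
# constructed in the guide's output format with fictitious aliases and
# fingerprints; the allow-list and reference date are placeholders.

SAMPLE_LISTING='    Keystore Alias: Example Old Root
       Common Name: Example Old Root
  Certificate Type: Trusted Certificate
Issuer Common Name: Example Old Root
    Validity Dates: <Feb 23 23:01:00 1996 GMT> - <Feb 23 23:59:00 2006 GMT>
   MD5 Fingerprint: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
  SHA1 Fingerprint: 10:20:30:40:50:60:70:80:90:A0:B0:C0:D0:E0:F0:01:02:03:04:05
    Keystore Alias: Example Corp Internal CA
       Common Name: Example Corp Internal CA
  Certificate Type: Trusted Certificate
Issuer Common Name: Example Corp Internal CA
    Validity Dates: <Jan 01 00:00:00 2020 GMT> - <Jan 01 00:00:00 2040 GMT>
   MD5 Fingerprint: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
  SHA1 Fingerprint: AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
    Keystore Alias: Example Unknown CA
       Common Name: Example Unknown CA
  Certificate Type: Trusted Certificate
Issuer Common Name: Example Unknown CA
    Validity Dates: <Jun 15 12:00:00 2022 GMT> - <Jun 15 12:00:00 2032 GMT>
   MD5 Fingerprint: 22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
  SHA1 Fingerprint: DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF'

# Pinned SHA1 fingerprints (placeholder values); colons and case are ignored.
PINNED='10:20:30:40:50:60:70:80:90:A0:B0:C0:D0:E0:F0:01:02:03:04:05,aabbccddeeff00112233445566778899aabbccdd'

# audit_keystore LISTING PINNED REF_DATE
#   Prints one tab-separated line per alias: STATUS, alias, SHA1 (no colons).
#   STATUS is EXPIRED when the "Validity Dates" end is before REF_DATE
#   (YYYYMMDD), UNPINNED when the SHA1 is absent from PINNED, NODATE when
#   no validity line was seen, else OK.
audit_keystore() {
    allow=$(printf '%s' "$2" | tr -d ': ' | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$1" | awk -v ALLOW="$allow" -v REF="$3" '
    # "Feb 23 23:59:00 2006 GMT" -> "20060223", comparable as a string
    function ymd(s,   f, m) {
        split(s, f, " ")
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[1]) + 2) / 3
        return sprintf("%04d%02d%02d", f[4], m, f[2])
    }
    # Print the entry collected so far and reset for the next alias.
    function emit() {
        if (alias == "") return
        if (expiry == "")          status = "NODATE"
        else if (expiry < REF)     status = "EXPIRED"
        else if (!(sha1 in allow)) status = "UNPINNED"
        else                       status = "OK"
        printf "%s\t%s\t%s\n", status, alias, sha1
        alias = ""; sha1 = ""; expiry = ""
    }
    BEGIN { n = split(ALLOW, a, ","); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
    /^ *Keystore Alias:/   { emit(); sub(/^ *Keystore Alias: */, ""); alias = $0; next }
    /^ *Validity Dates:/   { s = $0; sub(/^.*> *- *</, "", s); sub(/>.*$/, "", s); expiry = ymd(s); next }
    /^ *SHA1 Fingerprint:/ { s = $0; sub(/^ *SHA1 Fingerprint: */, "", s); gsub(/:/, "", s); sha1 = toupper(s); next }
    END { emit() }'
}

# flagged_aliases LISTING PINNED REF_DATE
#   Only the aliases that are not OK, one per line, ready for removecert.
flagged_aliases() {
    audit_keystore "$1" "$2" "$3" | awk -F '\t' '$1 != "OK" { print $2 }'
}

# Usage against the live keystore (pkgadm prompts for the keystore password):
#   pkgadm listcert | ./audit_keystore.sh "$PINNED" "$(date +%Y%m%d)"
# then, for each flagged alias:  pkgadm removecert -n "<alias>"
if [ $# -eq 2 ]; then
    audit_keystore "$(cat)" "$1" "$2"
fi
```

Run against the embedded listing with a reference date of 20240101, the first alias is reported EXPIRED (its validity ended in 2006, as in the guide's own sample), the second OK, and the third UNPINNED; flagged_aliases prints the first and third, which are the strings removecert -n expects. Pinning on the SHA1 fingerprint rather than the alias matters because the alias is free text chosen at import time and says nothing about which key is actually trusted.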

How to Set Up a Proxy Server (pkgadd)

If your system is behind a firewall with a proxy, you will need to set up a proxy server before you can add a package from an HTTP server with the pkgadd command.

  1. Become superuser or assume an equivalent role.

  2. Select one of the following methods to specify a proxy server.

    1. Specify the proxy server by setting the http_proxy environment variable, or the HTTPPROXY and HTTPPROXYPORT environment variables.

      For example:


      # setenv http_proxy http://mycache.domain:8080
      

      Or, specify one of the following:


      # setenv HTTPPROXY mycache.domain
      # setenv HTTPPROXYPORT 8080
      
    2. Specify the proxy server on the pkgadd command line.

      For example:


      # pkgadd -x mycache.domain:8080 -d http://myserver.com/pkg SUNWpkg
      
    3. Create an admin file that includes proxy server information.

      For example:


      # cat /tmp/admin
      mail=
      instance=unique
      partial=ask
      runlevel=ask
      idepend=ask
      rdepend=ask
      space=ask
      setuid=ask
      conflict=ask
      action=ask
      networktimeout=60
      networkretries=3
      authentication=quit
      keystore=/var/sadm/security
      basedir=default
      proxy=mycache.domain:8080
      

      Then, specify the admin file with the -a option of the pkgadd command. For example:


      # pkgadd -a /tmp/admin -d http://myserver.com/pkg SUNWpkg
      

How to Add a Signed Package (pkgadd)

This procedure assumes that you have imported Sun's Root CA certificate. For more information, see How to Import a Trusted Certificate into the Package Keystore (pkgadm addcert).

For information about setting up a proxy server, see How to Set Up a Proxy Server (pkgadd).

  1. Become superuser or assume an equivalent role.

  2. Add a signed package.


    # pkgadd -d /pathname/package-name
    

    The -d device-name option specifies the device from which the package is installed. The device can be a directory, tape, diskette, or removable disk. The device can also be a data stream created by the pkgtrans command.

Examples—Adding a Signed Package (pkgadd)

The following example shows how to add a signed package that has already been downloaded.


# pkgadd -d /tmp/signed_pppd
The following packages are available:
  1  SUNWpppd     Solaris PPP Device Drivers
                  (sparc) 11.10.0,REV=2003.05.08.12.24

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: all
Enter keystore password:
## Verifying signature for signer <User Cert 0>
.
.
.

The following example shows how to install a signed package using an HTTP URL as the device name. The URL must point to a stream-formatted package.


# pkgadd -d http://install/signed-video.pkg

## Downloading...
..............25%..............50%..............75%..............100%
## Download Complete
.
.
.