Signed Patches Administration Guide for PatchPro 2.2

Managing Signed Patches by Using Java Tools (Task Map)

Perform these tasks in the order shown.

| Task | Description | For Instructions |
|---|---|---|
| 1. Download and install the SUNWcert package. | Download and install the SUNWcert package. For a list of download sites, see Sun Certificates That Verify Signed Patches. | How to Download the SUNWcert Package |
| 2. Import the Sun certificates. | Use the keytool command to import and accept the Sun certificates from the SUNWcert package. | How to Import the Sun Certificates With Java Tools |
| 3. (Optional) Change the keystore password. | Change the password to keep the keystore secure. | How to Change the Java Keystore Password |
| 4. Verify a signed patch. | Download a patch from SunSolve Online, and use the jarsigner command to verify the patch. | How to Verify a Signed Patch (jarsigner) |
| 5. Apply the verified signed patch. | Use the patchadd command to apply the verified signed patch. | How to Apply the Verified Signed Patch |

How to Download the SUNWcert Package

This procedure assumes that the SUNWcert package is located in the /tmp directory.

  1. Download the SUNWcert package from the following site:

    https://sunsolve.sun.com/SUNWcert

    For a list of additional sites, see Sun Certificates That Verify Signed Patches.

  2. Become superuser.

  3. Install the SUNWcert package.


    # cd /tmp
    # unzip SUNWcert.zip
    # pkgadd -d .
    
  4. Verify that the SUNWcert package is installed.


    # pkginfo -l SUNWcert
    

How to Import the Sun Certificates With Java Tools

Verify the signed patches that you want to install against the authenticated Sun certificates.

  1. Become superuser.

  2. Determine the fingerprints of your Sun Root certificate and Sun Class B certificate.

    For example, on a Solaris 8 system:


    # /usr/java1.3/bin/keytool -printcert \
    -file /etc/certs/SUNW/smirootcacert.b64
    # /usr/java1.3/bin/keytool -printcert -file /etc/certs/SUNW/smicacert.b64
    
  3. Verify that the output of these commands matches the Sun Root and Class B certificate fingerprints displayed at this site:


    https://www.sun.com/pki/ca
    
  4. Change to the /etc/certs/SUNW directory.


    # cd /etc/certs/SUNW
    
  5. Import the Class B certificate.

    For example, on a Solaris 8 system, type:


    # /usr/java1.3/bin/keytool -import -alias smicacert \
    -file smicacert.b64 -keystore /usr/java1.3/jre/lib/security/cacerts
    Enter keystore password:  changeit
    Owner: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B)
    Issuer: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
    Serial number: 1000006
    Valid from: Mon Nov 13 12:23:10 MST 2000 until: Fri Nov 13 12:23:10 MST 2009
    Certificate fingerprints:
             MD5:  B4:1F:E1:0D:80:7D:B1:AB:15:5C:78:CB:C8:8F:CE:37
             SHA1: 1E:38:11:02:F0:5D:A3:27:5C:F9:6E:B1:1F:C4:79:95:E9:6E:D6:DF
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  6. Import the root certificate.


    # /usr/java1.3/bin/keytool -import -alias smirootcacert \
    -file smirootcacert.b64 -keystore /usr/java1.3/jre/lib/security/cacerts
    Enter keystore password:  changeit
    Owner: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
    Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
    Serial number: 40002ae
    Valid from: Wed Oct 16 09:45:00 MDT 2002 until: Sat Oct 16 17:59:00 MDT 2004
    Certificate fingerprints:
             MD5:  54:E3:D1:E4:79:B4:17:23:65:B4:F9:14:AD:C6:4A:FE
             SHA1: 90:F1:AB:87:AE:A0:4C:1F:AF:43:60:DE:5D:A8:0E:D8:CE:E7:06:AE
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
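
Steps 2 and 3 of this procedure can be scripted so that an import goes ahead only when the fingerprint printed by keytool -printcert equals the value obtained out of band. This is an added example, not part of the original guide: cert_fp and fp_matches are illustrative names, and the sample input is the Class B certificate output shown on this page.

```shell
#!/bin/sh
# cert_fp ALGO: read `keytool -printcert` output on stdin and print the
# ALGO (MD5 or SHA1) fingerprint as bare upper-case hex. Fails if absent.
cert_fp() {
    awk -v algo="$1" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    index(toupper(line), toupper(algo) ":") == 1 {
        fp = substr(line, length(algo) + 2)
        gsub(/[^0-9A-Fa-f]/, "", fp)       # drop colons and spaces
        print toupper(fp); found = 1; exit
    }
    END { exit !found }
    '
}

# fp_matches ALGO PUBLISHED: succeed only if the certificate on stdin has
# exactly the published fingerprint (colons, spaces and case are ignored).
fp_matches() {
    case "$1" in SHA1) len=40 ;; MD5) len=32 ;; *) return 2 ;; esac
    want=$(printf '%s' "$2" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F')
    got=$(cert_fp "$1") || return 1
    # A truncated published value must never count as a match.
    [ "${#want}" -eq "$len" ] && [ "$got" = "$want" ]
}

# Sample input: the Class B certificate details shown on this page.
sample_printcert() { cat <<'EOF'
Owner: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B)
Issuer: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
Serial number: 1000006
Certificate fingerprints:
         MD5:  B4:1F:E1:0D:80:7D:B1:AB:15:5C:78:CB:C8:8F:CE:37
         SHA1: 1E:38:11:02:F0:5D:A3:27:5C:F9:6E:B1:1F:C4:79:95:E9:6E:D6:DF
EOF
}

# Real use: keytool -printcert -file smicacert.b64 | fp_matches SHA1 "<published value>"
sample_printcert | fp_matches SHA1 \
    "1e 38 11 02 f0 5d a3 27 5c f9 6e b1 1f c4 79 95 e9 6e d6 df" \
    && echo "fingerprint matches published value"
```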

How to Change the Java Keystore Password

  1. Become superuser.

  2. Change the keystore password.


    # /usr/java1.3/bin/keytool -storepasswd \
    -keystore /usr/java1.3/jre/lib/security/cacerts
    Enter keystore password:  changeit
    New keystore password:  new-password
    Re-enter new keystore password:  new-password
    

How to Verify a Signed Patch (jarsigner)

  1. Verify that the following prerequisites are met:

  2. Download a signed patch from the SunSolve Online site.

  3. Verify the signed patch, for example:


    # /usr/java1.3/bin/jarsigner -verify -verbose -keystore \
    /usr/java1.3/jre/lib/security/cacerts /patchdb/100103-12.jar
    smk     2149 Tue Sep 25 15:47:20 MDT 2001 100103-12/README
    smk    18553 Tue Sep 25 15:47:20 MDT 2001 100103-12/4.1secure.sh
             385 Tue Sep 25 15:47:20 MDT 2001 META-INF/manifest.mf
             493 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.sf
            3819 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.rsa
    
      s = signature was verified 
      m = entry is listed in manifest
      k = at least one certificate was found in keystore
      i = at least one certificate was found in identity scope
    
    jar verified.
    # 

    Make sure that you see the smk entries in the output to confirm that the patch signature is verified. Otherwise, the patch verification has failed, even if you see the jar verified message.
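
The flag check described above can be scripted so that a patch file missing s, m or k fails the run even when the jar verified message is printed. This is an added example, not part of the original guide: the function and sample names are illustrative, the first sample is the output shown above, and the second sample is constructed.

```shell
#!/bin/sh
# check_smk: read `jarsigner -verify -verbose` output on stdin and return 0
# only if every entry outside META-INF/ carries the s, m and k flags.
check_smk() {
    awk '
    /^[ \t]*jar verified\./ { verified = 1 }
    {
        # Entry line: [flags] size Day Mon DD HH:MM:SS TZ YYYY name
        if ($1 ~ /^[smki]+$/ && $2 ~ /^[0-9]+$/) { flags = $1 }
        else if ($1 ~ /^[0-9]+$/ && $2 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) { flags = "" }
        else { next }                            # legend, blank and status lines
        name = $NF                               # assumes no spaces in entry names
        if (tolower(name) ~ /^meta-inf\//) next  # manifest and signature files
        checked++
        if (!(index(flags, "s") && index(flags, "m") && index(flags, "k"))) {
            printf "NOT VERIFIED [%s] %s\n", flags, name | "cat 1>&2"
            bad++
        }
    }
    END { exit (bad > 0 || checked == 0 || !verified) }
    '
}

# Sample 1: the jarsigner output shown on this page.
sample_page_output() { cat <<'EOF'
smk     2149 Tue Sep 25 15:47:20 MDT 2001 100103-12/README
smk    18553 Tue Sep 25 15:47:20 MDT 2001 100103-12/4.1secure.sh
         385 Tue Sep 25 15:47:20 MDT 2001 META-INF/manifest.mf
         493 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.sf
        3819 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.rsa

  s = signature was verified
jar verified.
EOF
}

# Sample 2 (constructed): no k on one entry, no flags on the other.
sample_untrusted() { cat <<'EOF'
sm      2149 Tue Sep 25 15:47:20 MDT 2001 100103-12/README
       18553 Tue Sep 25 15:47:20 MDT 2001 100103-12/4.1secure.sh
         385 Tue Sep 25 15:47:20 MDT 2001 META-INF/manifest.mf
jar verified.
EOF
}

# Real use: jarsigner -verify -verbose -keystore <cacerts> <patch>.jar | check_smk
sample_page_output | check_smk && echo "page sample: every patch file is smk"
sample_untrusted | check_smk 2>/dev/null || echo "constructed sample: rejected"
```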

How to Apply the Verified Signed Patch

  1. Become superuser.

  2. Unzip the patch bundle, for example:


    # unzip 100103-12.jar
    Archive:  100103-12.jar
           inflating: 100103-12/README        
           inflating: 100103-12/4.1secure.sh  
           inflating: META-INF/manifest.mf    
           inflating: META-INF/zigbert.sf     
           inflating: META-INF/zigbert.rsa    
    #
  3. Apply the verified uncompressed signed patch, for example:


    # patchadd /patchdb/100103-12