Go to main content

Oracle® Solaris 11.3 Security and Hardening Guidelines

Exit Print View

Updated: March 2018
 
 

How to Verify Your Packages

Verifying package integrity includes verifying package signatures. This procedure assumes that you maintain a valid and secure package repository. For a summary, see Ensuring Secure Package Installation From Your Local IPS Repository. For instructions, see Copying and Creating Package Repositories in Oracle Solaris 11.3.

Before You Begin

You must become an administrator with the rights to manage IPS repositories and packages. For the rights that you require, see Repository Management Privileges in Copying and Creating Package Repositories in Oracle Solaris 11.3.

  1. Ensure that you are checking package signatures.
    1. Display the signature policy for the image and for the publisher.

      In this example, an administrator has explicitly changed the default signature policy to ignore, which has the effect of ignoring signatures for all manifests.

      $ pkg property signature-policy
PROPERTY             VALUE
signature-policy     ignore
$ pkg publisher
...
           Properties:
                      signature-policy = ignore
    2. Change the signature policy if it is set to a weaker value than you want to implement.

        The available policies are:

      • verify – Verifies that all manifests with signatures are validly signed but does not require all installed packages to be signed.

      • require-signatures – Requires that all newly installed packages have at least one valid signature.

      • require-names – Follows the same requirements as require-signatures but also requires that the strings listed in the signature-required-names property are used to verify the chains of trust of the signatures.

      The following command changes the signature policy for the image from ignore to the default, verify.

      $ pkg set-property signature-policy verify
    3. (Optional) Establish a stronger signature policy for the solaris publisher and display the new policy.

      Publishers inherit the signature policy from the image unless the publisher value is explicitly changed. For example, you might want to have a stronger policy than verify for publishers whose packages are always signed.

      $ pkg set-publisher --set-property signature-policy=require-signatures solaris
$ pkg -publisher solaris
            Publisher: solaris
...
      Catalog Updated: Feb 8, 2015  02:01:01 AM
              Enabled: Yes
           Properties:
                       signature-policy = require-signatures
  2. After package installation, take appropriate action on any error messages in the installation window.
  3. Run the pkg verify command and send its results to a log file. 
    # pkg verify > /var/log/filename

    For more information, see the pkg(1) and pkg(5) man pages.

  4. Review the log for any errors.
  5. If you find errors, reinstall or fix the errors.

    For more information, see Verifying Packages and Fixing Verification Errors in Adding and Updating Software in Oracle Solaris 11.3.

Copyright © 2011, 2018, Oracle and/or its affiliates. All rights reserved. 
Previous
Next