Verifying package integrity includes verifying package signatures. This procedure assumes that you maintain a valid and secure package repository. For a summary, see Ensuring Secure Package Installation From Your Local IPS Repository. For instructions, see Copying and Creating Package Repositories in Oracle Solaris 11.3.
Before You Begin
You must become an administrator with the rights to manage IPS repositories and packages. For the rights that you require, see Repository Management Privileges in Copying and Creating Package Repositories in Oracle Solaris 11.3.
In this example, an administrator has explicitly changed the default signature policy to ignore, which has the effect of ignoring signatures for all manifests.
$ pkg property signature-policy
PROPERTY         VALUE
signature-policy ignore
$ pkg publisher ...
Properties:
    signature-policy = ignore
The available policies are:
verify – Verifies that all manifests with signatures are validly signed but does not require all installed packages to be signed.
require-signatures – Requires that all newly installed packages have at least one valid signature.
require-names – Follows the same requirements as require-signatures but also requires that the strings listed in the signature-required-names property are used to verify the chains of trust of the signatures.
The following command changes the signature policy for the image from ignore to the default, verify.
$ pkg set-property signature-policy verify
Publishers inherit the signature policy from the image unless the publisher value is explicitly changed. For example, you might want to have a stronger policy than verify for publishers whose packages are always signed.
$ pkg set-publisher --set-property signature-policy=require-signatures solaris
$ pkg publisher solaris
Publisher: solaris
...
Catalog Updated: Feb 8, 2015 02:01:01 AM
Enabled: Yes
Properties:
    signature-policy = require-signatures
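The following shell functions are an added example, not part of the Oracle documentation. They parse the output of the two commands shown above and flag an image or publisher whose policy is weaker than a chosen baseline. The strictness ordering, the function names, and the sample output are assumptions constructed for illustration; a publisher with no signature-policy line is treated as inheriting the image value.

```shell
#!/bin/sh
# Added example: audit image and publisher signature policies against a baseline.
# The ranking below is this example's reading of the policy descriptions above.
policy_rank() {
    case "$1" in
        ignore)             echo 0 ;;
        verify)             echo 1 ;;
        require-signatures) echo 2 ;;
        require-names)      echo 3 ;;
        *)                  echo -1 ;;   # unknown value
    esac
}

# Read `pkg property signature-policy` output on stdin; print the image value.
image_policy() {
    awk '$1 == "signature-policy" { print $2; exit }'
}

# Read `pkg publisher NAME` output on stdin; print the publisher's own
# signature-policy, or the image policy ($1) when none is listed (inheritance).
publisher_policy() {
    own=$(awk '$1 == "signature-policy" && $2 == "=" { print $3; exit }')
    echo "${own:-$1}"
}

# Succeed only if policy $1 is known and at least as strict as baseline $2.
meets_baseline() {
    r=$(policy_rank "$1"); b=$(policy_rank "$2")
    [ "$b" -ge 0 ] && [ "$r" -ge "$b" ]
}

# Constructed sample output, modelled on the listings in this procedure.
SAMPLE_IMAGE='PROPERTY         VALUE
signature-policy ignore'
SAMPLE_PUBLISHER='Publisher: solaris
Enabled: Yes
Properties:
    signature-policy = require-signatures'

img=$(printf '%s\n' "$SAMPLE_IMAGE" | image_policy)
pub=$(printf '%s\n' "$SAMPLE_PUBLISHER" | publisher_policy "$img")
for pair in "image:$img" "solaris:$pub"; do
    if meets_baseline "${pair#*:}" verify; then status=OK; else status=WEAK; fi
    echo "${pair%%:*} signature-policy=${pair#*:} $status"
done
```

On a live system, pipe the real output of pkg property signature-policy and pkg publisher for each publisher name into image_policy and publisher_policy in place of the sample strings.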
# pkg verify > /var/log/filename
For more information, see Verifying Packages and Fixing Verification Errors in Adding and Updating Software in Oracle Solaris 11.3.