Adding and Removing Signed Packages by Using the pkgadd Command
The following procedures explain how to add and remove signed packages by using
the pkgadd command.
How to Import a Trusted Certificate From the Java Keystore (pkgadm addcert)
- Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
- Verify that the root certificate authority (CA) certificate exists in the Java keystore.
# keytool -storepass storepass -list -keystore certfile
- keytool
Manages a Java keystore (database) of private keys and their associated X.509 certificate chains that authenticate the corresponding public keys. Also manages certificates from trusted entities. For more information on the keytool utility, see keytool-Key and Certificate Management Tool.
- -storepass storepass
Specifies the password that protects the integrity of the keystore.
- -list
By default, prints the MD5 fingerprint of a certificate.
- -keystore certfile
Specifies the name and location of the persistent keystore file.
- Export the root CA certificate from the Java keystore to a temporary file.
# keytool -export -storepass storepass -alias verisignclass2g2ca -keystore certfile -file filename
- -export
Exports the trusted certificate.
- -storepass storepass
Specifies the password that protects the integrity of the Java keystore.
- -alias verisignclass2g2ca
Identifies the alias of the trusted certificate.
- -keystore certfile
Specifies the name and location of the keystore file.
- -file filename
Identifies the file to hold the exported certificate.
- Import a trusted certificate to the package keystore.
# pkgadm addcert -t -f format certfile
- -t
Indicates that the certificate is a trusted CA certificate. The output includes the details of the certificate, which the user is asked to verify.
- -f format
Specifies the format of certificates and private keys. When you import a certificate, it must be encoded using PEM or binary DER format.
- certfile
Specifies the file that contains the certificate.
- Remove the temporary file.
# rm /tmp/file-name
For more information, see the pkgadm(1M) man page.
Example 20-1 Importing a Trusted Certificate From the Java Keystore
The following example shows how to import a trusted certificate. In this example,
Sun's root CA certificate is imported from the Java keystore into the package
keystore by using the keytool command.
# keytool -export -storepass changeit -alias verisignclass2g2ca \
-keystore /usr/java/jre/lib/security/cacerts -file /tmp/root.crt
Certificate stored in file </tmp/root.crt>
# pkgadm addcert -t -f der /tmp/root.crt
Keystore Alias: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Certificate Type: Trusted Certificate
Issuer Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Validity Dates: <May 18 00:00:00 1998 GMT> - <Aug 1 23:59:59 2028 GMT>
MD5 Fingerprint: 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
Are you sure you want to trust this certificate? yes
Trusting certificate </C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O>
Type a Keystore protection Password. xxxxxx
Press ENTER for no protection password (not recommended):
For Verification: Type a Keystore protection Password.
Press ENTER for no protection password (not recommended):
Certificate(s) from </tmp/root.crt> are now trusted
How to Display Certificate Information (pkgadm listcert)
- Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
- Display the contents of the package keystore.
# pkgadm listcert -P passarg
Example 20-2 Displaying Certificate Information
The following example shows how to display the details of a locally stored
certificate.
# pkgadm listcert -P pass:test123
Keystore Alias: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Certificate Type: Trusted Certificate
Issuer Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Validity Dates: <May 18 00:00:00 1998 GMT> - <Aug 1 23:59:59 2028 GMT>
MD5 Fingerprint: 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
How to Remove a Certificate (pkgadm removecert)
- Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
- Remove the trusted certificate from the package keystore.
# pkgadm removecert -n "certfile"
The removecert -n "certfile" option specifies the alias of the user certificate/key pair or the alias of the trusted certificate.
Note - View the alias names for certificates by using the pkgadm listcert command.
Example 20-3 Removing a Certificate
The following example shows how to remove a certificate.
# pkgadm listcert
Keystore Alias: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Certificate Type: Trusted Certificate
Issuer Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Validity Dates: <May 18 00:00:00 1998 GMT> - <Aug 1 23:59:59 2028 GMT>
MD5 Fingerprint: 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
# pkgadm removecert -n "/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O"
Enter Keystore Password: storepass
Successfully removed Certificate(s) with alias \
</C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O>
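Added example, not part of the original guide: a POSIX shell audit that parses pkgadm listcert output in the format shown in Examples 20-2 and 20-3 and prints the Keystore Alias of any trusted certificate whose SHA1 fingerprint is not on a pinned allowlist, in the exact form that pkgadm removecert -n expects. The listcert sample and the second, unknown certificate are constructed; the pinned fingerprint is the one shown above, and the allowlist itself is an assumed local policy.

```shell
# Audit the package keystore: compare each trusted certificate that `pkgadm listcert`
# reports against pinned SHA1 fingerprints; print the Keystore Alias of any other one.

# Constructed sample of listcert output (format as on this page): the VeriSign root
# from the example above, then a made-up certificate standing in for an unexpected one.
SAMPLE_LISTCERT='Keystore Alias: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Certificate Type: Trusted Certificate
Issuer Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Validity Dates: <May 18 00:00:00 1998 GMT> - <Aug 1 23:59:59 2028 GMT>
MD5 Fingerprint: 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D

Keystore Alias: /C=XX/O=Example Unknown CA/CN=Example Unknown Root
Common Name: /C=XX/O=Example Unknown CA/CN=Example Unknown Root
Certificate Type: Trusted Certificate
Issuer Common Name: /C=XX/O=Example Unknown CA/CN=Example Unknown Root
Validity Dates: <Jan 1 00:00:00 2020 GMT> - <Jan 1 00:00:00 2030 GMT>
MD5 Fingerprint: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

# Assumed policy: SHA1 fingerprints of CA certificates this system may trust, one per line.
PINNED_SHA1='B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D'

# Read listcert output on stdin; emit one "<SHA1><TAB><alias>" line per certificate record.
parse_listcert() {
    awk '
        /^Keystore Alias: /   { alias = substr($0, 17) }
        /^SHA1 Fingerprint: / { print toupper(substr($0, 19)) "\t" alias }
    '
}

# Print the alias of each certificate whose fingerprint is not pinned. Real use:
# pkgadm listcert -P pass:... | unpinned_aliases
unpinned_aliases() {
    parse_listcert | while IFS="$(printf '\t')" read -r sha1 alias; do
        printf '%s\n' "$PINNED_SHA1" | grep -qxF "$sha1" || printf '%s\n' "$alias"
    done
}

# Exit 0 when every trusted certificate is pinned, 1 otherwise (fails closed in scripts).
audit_listcert() {
    unexpected=$(unpinned_aliases)
    [ -z "$unexpected" ] && return 0
    printf 'Unexpected trusted certificate(s):\n%s\n' "$unexpected" >&2
    return 1
}

# Stand-alone run on the constructed sample: prints the alias of the unknown root.
printf '%s\n' "$SAMPLE_LISTCERT" | unpinned_aliases
```

The printed alias can be passed verbatim to pkgadm removecert -n, as in Example 20-3.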
How to Set Up a Proxy Server (pkgadd)
If your system is behind a firewall with a proxy, you will
need to set up a proxy server before you can add a package
from an HTTP server by using the pkgadd command.
- Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
- Select one of the following methods to specify a proxy server.
- Specify the proxy server by using the http_proxy, HTTPPROXY, or HTTPPROXYPORT environment
variable.
For example:
# setenv http_proxy https://mycache.domain:8080
Or, specify one of the following:
# setenv HTTPPROXY mycache.domain
# setenv HTTPPROXYPORT 8080
- Specify the proxy server on the pkgadd command line.
For example:
# pkgadd -x mycache.domain:8080 -d https://myserver.com/pkg SUNWpkg
- Create an administration file that includes proxy server information.
For example:
# cat /tmp/admin
mail=
instance=unique
partial=ask
runlevel=ask
idepend=ask
rdepend=ask
space=ask
setuid=ask
conflict=ask
action=ask
networktimeout=60
networkretries=3
authentication=quit
keystore=/var/sadm/security
basedir=default
proxy=mycache.domain:8080
Then, identify the administration file by using the pkgadd -a command. For
example:
# pkgadd -a /tmp/admin -d https://myserver.com/pkg SUNWpkg
How to Add a Signed Package (pkgadd)
This procedure assumes that you have imported Sun's root CA certificate. For more
information, see How to Import a Trusted Certificate From the Java Keystore (pkgadm addcert).
- Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
- Add a signed package.
# pkgadd -d /pathname/device-name
The -d device-name option specifies the device from which the package is installed.
The device can be a directory, tape, diskette, or removable disk. The device
can also be a data stream created by the pkgtrans command.
Example 20-4 Adding a Signed Package
The following example shows how to add a signed package that is
stored on the system.
# pkgadd -d /tmp/signed_pppd
The following packages are available:
1 SUNWpppd Solaris PPP Device Drivers
(sparc) 11.10.0,REV=2003.05.08.12.24
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: all
Enter keystore password:
## Verifying signature for signer <User Cert 0>
.
.
.
The following example shows how to install a signed package using an
HTTP URL as the device name. The URL must point to a
stream-formatted package.
# pkgadd -d https://install/signed-video.pkg
## Downloading...
..............25%..............50%..............75%..............100%
## Download Complete
.
.
.