Overview of Software Packages
Software management involves installing or removing software products. Sun and its third-party ISVs
deliver software as a collection of one or more packages.
The term packaging generically refers to the method for distributing and installing software
products to systems where the products will be used. A package is a
collection of files and directories in a defined format. This format conforms to
the application binary interface (ABI), which is a supplement to the System V
Interface Definition. The Solaris OS provides a set of utilities that interpret this
format and provide the means to install a package, to remove a package,
or to verify a package installation.
A patch is an accumulation of fixes for a known or potential problem
within the Solaris OS or other supported software. A patch can also provide
a new feature or an enhancement to a particular software release. A patch
consists of files and directories that replace or update existing files and directories.
Most Solaris patches are delivered as a set of sparse packages.
A sparse package contains only those objects that have been altered since the packages
were first delivered as part of the Solaris distribution. Sparse packages accommodate patches
that are smaller than if they were redistributed as complete packages to provide
software updates. Delivering sparse packages also minimizes the changes that are made to
the customer's environment. For more information about patches, see Managing Patches in the Solaris Operating System.
Signed Packages, Patches, and Software Updates
Packages can include a digital signature. A package with a valid digital signature
ensures that the package has not been modified since the signature was applied
to the package. Using signed packages is a secure method of downloading or
adding packages because the digital signature can be verified before the package is
added to your system.
The same holds true for signed patches. A patch with a valid
digital signature ensures that the patch has not been modified since the signature was
applied to the patch. Using signed patches is a secure method of
downloading or applying patches because the digital signature can be verified before the patch
is applied to your system.
For more information about applying signed patches to your system, see Managing Solaris Patches by Using the patchadd Command (Task Map).
For information about creating signed packages, see Application Packaging Developer’s Guide.
A signed package is identical to an unsigned package, except for the digital
signature. The package can be installed, queried, or removed with existing Solaris packaging
tools. A signed package is also binary-compatible with an unsigned package.
Before you can use pkgadd and patchadd to add a package or patch
with a digital signature to your system, you must set up a package
keystore with trusted certificates. These certificates are used to identify that the digital
signature on the package or patch is valid.
The following describes the general terms associated with signed packages and patches.
- Keystore
A repository of certificates and keys that is queried when needed.
Java keystore – A repository of certificates that is installed by default with the Solaris release. The Java keystore is usually stored in the /usr/j2se/jre/lib/security directory.
Package keystore – A repository of certificates that you import when adding signed packages and patches to your system.
The package keystore is stored in the /var/sadm/security directory by default.
- Trusted certificate
A certificate that holds a public key that belongs to another entity. The trusted certificate is named as such because the keystore owner trusts that the public key in the certificate indeed belongs to the identity identified by the subject or owner of the certificate. The issuer of the certificate vouches for this trust by signing the certificate.
Trusted certificates are used when verifying signatures, and when initiating a connection to a secure (SSL) server.
- User key
Holds sensitive cryptographic key information. This information is stored in a protected format to prevent unauthorized access. A user key consists of both the user's private key and the public key certificate that corresponds to the private key.
The process of using the pkgadd or patchadd command to add a signed
package or patch to your system involves three basic steps:
Adding the certificates to your system's package keystore by using the pkgadm command
(Optional) Listing the certificates by using the pkgadm command
Adding the package with the pkgadd command or applying the patch by using the patchadd command
For step-by-step instructions on adding signed packages to your system, see Adding and Removing Signed Packages by Using the pkgadd Command (Task Map).
For step-by-step instructions on applying signed patches to your system with the patchadd
command, see Managing Solaris Patches by Using the patchadd Command (Task Map).
Using Sun's Certificates to Verify Signed Packages and Patches
Access to a package keystore is protected by a special password that you
specify when you import the Sun certificates into your system's package keystore.
If you use the pkgadm listcert command, you can view information about your locally
stored certificates in the package keystore. For example:
# pkgadm listcert -P pass:store-pass
Keystore Alias: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Certificate Type: Trusted Certificate
Issuer Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Validity Dates: <May 18 00:00:00 1998 GMT> - <Aug 1 23:59:59 2028 GMT>
MD5 Fingerprint: 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
The following describes the output of the pkgadm listcert command.
- Keystore Alias
When you retrieve certificates for printing, signing, or removing, this name must be used to reference the certificate.
- Command Name
The common name of the certificate. For trusted certificates, this name is the same as the keystore alias.
- Certificate Type
Can be one of two types:
Trusted certificate – A certificate that can be used as a trust anchor when verifying other certificates. No private key is associated with a trusted certificate.
Signing certificate – A certificate that can be used when signing a package or patch. A private key is associated with a signing certificate.
- Issuer Command Name
The name of the entity that issued, and therefore signed, this certificate. For trusted certificate authority (CA) certificates, the issuer common name and common name are the same.
- Validity Dates
A date range that identifies when the certificate is valid.
- MD5 Fingerprint
An MD5 digest of the certificate. This digest can be used to verify that the certificate has not been altered during transmission from the source of the certificate.
- SHA1 Fingerprint
Similar to an MD5 fingerprint, except that it is calculated using a different algorithm.
Each certificate is authenticated by comparing its MD5 and SHA1 hashes, also called
fingerprints, against the known correct fingerprints published by the issuer.
Importing Sun's Trusted Certificates
You can obtain Sun's trusted certificates for adding signed packages and patches in
the following ways:
Java keystore – Import Sun's Root CA certificate that is included by default in the Java keystore when you install the Solaris release.
Sun's Public Key Infrastructure (PKI) site – If you do not have a Java keystore available on your system, you can import the certificates from this site.
Setting Up a Package Keystore
If your system already has a populated Java keystore, you can now
export the Sun Microsystems root CA certificate from the Java keystore with the
keytool command. Then, use the pkgadm command to import this certificate into the
package keystore.
After the Root CA certificate is imported into the package keystore, you can
use the pkgadd and patchadd commands to add signed packages and patches to
your system.
Note - The Sun Microsystems root-level certificates are only required when adding Sun-signed patches and
packages.
For step-by-step instructions on importing certificates into the package keystore, see How to Import a Trusted Certificate From the Java Keystore (pkgadm addcert).
For complete instructions on adding signed packages with the pkgadd command, see
How to Add a Signed Package (pkgadd).