Managing Signed Patches



Description

Signed Patches


Announcements

Posted: Jan 13, 2009

Attention Update Manager / smpatch Users: The current Sun object signing certificate is being replaced by a new signing certificate in early January 2009. Patches released after this point will be signed using this new certificate. Please run the command "smpatch update" to apply the patches that update Update Manager / smpatch so that it can validate patches signed with the new signing certificate. Then run Update Manager / smpatch again to access patches signed with the new signing certificate. Please refer to the Sun Update Connection Forum announcement for more specifics.

Attention other Users who Validate Patch Signatures: For instructions on validating patches signed with the new cert outside of Update Manager / smpatch, please download the latest keystore and verify patch signatures as described in the section below titled "Manual Patch Verification".

Signed Patches Overview

  • What is a signed patch?

A signed patch is a patch from Sun Microsystems with a digital signature.

  • What are the benefits of using signed patches?

A patch with a valid digital signature ensures that the patch has not been modified since the signature was applied and ensures that it was created by Sun Microsystems, Inc.

Using signed patches is a secure method of downloading or applying patches. Patches that include a digital signature can be verified before the patch is applied to your system.

  • Where do I obtain signed patches?

Signed patches, stored in Java™ archive format (JAR) files, are available from SunSolve Online. Follow the PatchFinder link and specify the patch that you want to download.

NOTE: You can download a signed or unsigned patch version.

  • How do I apply signed patches?

Signed patches are applied via patch management tools.

These tools range from basic patch utilities that facilitate manual application of patches, to application software that supports varying levels of patch analysis and applied patch automation.
See the sections below to understand how to apply signed patches manually, or to apply them with some degree of automation.

Signed Patch Application

Manual Patch Management

Manual Patch Verification


NOTE: REQUIRES JRE/JDK 1.3 or greater  (See Java Downloads)

Signed patches may be verified by the utility, jarsigner(1), prior to application using the following syntax.

% jarsigner  -verify  -verbose  -keystore  <keystorefile>  <patchid.jar>

Download and unzip the attached keystore file patch-cacerts.zip (see below) for use as a trusted keystore when validating a signed patch's certificate chain (or a subset thereof). During verbose verification (-verbose), when jarsigner identifies at least one certificate that is found in a trusted keystore, it prints a "k" flag in front of the corresponding file entry. See jarsigner(1) for more options and details on verification. See keytool(1) for more details on keystore usage and management.

Example:

% jarsigner -verify -verbose -keystore patch-cacerts 999999-99.jar

smk     168 Mon Jan 12 01:58:28 PST 2009 999999-99/patchinfo
smk      20 Mon Jan 12 01:57:26 PST 2009 999999-99/README.999999-99
smk     980 Mon Jan 12 01:59:14 PST 2009 999999-99/testfile.zip
        297 Mon Jan 12 01:58:58 PST 2009 META-INF/MANIFEST.MF
        418 Mon Jan 12 01:58:58 PST 2009 META-INF/PATCHSIG.SF
       5021 Mon Jan 12 01:58:58 PST 2009 META-INF/PATCHSIG.RSA

s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope

jar verified.
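
The verification above can be turned into a gate that runs before unzip and patchadd. The following is an added example, not part of the original Sun document: it accepts a patch only when "jar verified." is printed and every payload entry carries the s, m and k flags. The function names check_jarsigner_output and verify_patch are hypothetical, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: gate patch application on jarsigner per-entry flags.
# Reads `jarsigner -verify -verbose` output on stdin; succeeds only if
# "jar verified." is present and every payload entry carries s, m and k.
# Limitation: entry names containing spaces are not handled.
check_jarsigner_output() {
    awk '
    /^jar verified\.$/ { verified = 1; next }
    # Entry line: [flags] size dow mon day time tz year name
    NF >= 8 && $(NF-7) ~ /^[0-9]+$/ {
        name = $NF
        if (name ~ /^META-INF\//) next   # signature files carry no flags
        flags = (NF >= 9) ? $1 : ""
        entries++
        if (flags !~ /s/ || flags !~ /m/ || flags !~ /k/) {
            print "REJECT " name " (flags: \"" flags "\")"
            bad++
        }
    }
    END { exit !(verified && entries > 0 && bad == 0) }'
}

# Hypothetical wrapper: $1 = keystore file, $2 = signed patch jar.
verify_patch() {
    jarsigner -verify -verbose -keystore "$1" "$2" | check_jarsigner_output
}

# Constructed sample outputs (not captured from a real patch).
SAMPLE_TRUSTED='smk     168 Mon Jan 12 01:58:28 PST 2009 999999-99/patchinfo
smk     980 Mon Jan 12 01:59:14 PST 2009 999999-99/testfile.zip
        297 Mon Jan 12 01:58:58 PST 2009 META-INF/MANIFEST.MF

jar verified.'
# Signature verifies but no certificate is in the keystore: no "k" flag.
SAMPLE_NOT_IN_KEYSTORE='sm      168 Mon Jan 12 01:58:28 PST 2009 999999-99/patchinfo

jar verified.'
# Second entry has no flags: it is not covered by the signature.
SAMPLE_UNSIGNED_ENTRY='smk     168 Mon Jan 12 01:58:28 PST 2009 999999-99/patchinfo
        512 Mon Jan 12 02:10:00 PST 2009 999999-99/extra.sh

jar verified.'
```

Call verify_patch with the unzipped keystore and the patch jar, and continue to unzip and patchadd only when it returns 0.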

Manual Patch Application 


1. Unzip the patch jar file.

Example:

# unzip 999999-99.jar
Archive:  999999-99.jar
  inflating: 999999-99/patchinfo
 extracting: 999999-99/README.999999-99
 extracting: 999999-99/testfile.zip
  inflating: META-INF/MANIFEST.MF
  inflating: META-INF/PATCHSIG.SF
  inflating: META-INF/PATCHSIG.RSA


2. Use patchadd(1M) to apply the patch.

Example:
# patchadd 999999-99

Automated Patch Management

Patch management automation can be implemented in a number of ways and at varying service levels. The following link will take you to the Sun Connection Site. Using Sun Connection, you can opt to manage updates on a single system locally by using the Update Manager application or the smpatch(1M) command-line interface (CLI). Please review the various Sun Connection Features available as well as the Getting Started and FAQs sections.

WARNING: If you are a user of Update Manager make sure to run the command "smpatch update" to ensure you are running with the latest versions of all required patches.

Please refer to the "Sun Update Connection-System / Hosted, Patch  Manager & PatchPro Forum" for important messages and updates regarding these tools. You may post questions on this forum as well.

Supplemental Resources

http://www.sun.com/software/products/xvmopscenter/index.jsp
Sun xVM Ops Center is a new tool for datacenter automation and virtualization management of servers at high-scale. It contains features to control the hardware and software elements of the stack (real and virtual).
http://www.sun.com/service/sunconnection/index.jsp
Sun Connection provides the critical features for managing one to one thousand operating systems.
http://forums.sun.com/index.jspa
Sun Forums. Here you can find information and discussions about Sun products and tools.




Attachments:
patch-cacerts.zip

 
 
Article Details
Article ID : 229051
Article Type : Technical Instruction
Last reviewed : 2009-01-13
Audience : PUBLIC