Verifying Patch Content
Occasional Visitor
scrv3
Posts: 2
Registered: 03-24-2011
Message 1 of 7
Accepted Solution

Verifying Patch Content

I looked in the swinstall man pages and saw no way to verify that a patch I install is digitally signed, or that a checksum was performed to validate the patch before install.
I did notice a cksum for each patch in the patch information page. Does HP-UX (11.11, 11.23, 11.31) offer any way to validate patch content before installing it, via a signature or any other method?
If so, can you point me to some examples or man pages?
Exalted Contributor
Steven E. Protter
Posts: 33,806
Registered: 08-15-2002
Message 2 of 7

Re: Verifying Patch Content

Shalom,

Every patch has a page in the HP-UX patch database that includes a checksum.

You can, if you have the time, verify the checksum of every patch using an OS utility.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Honored Contributor
Jose Mosquera
Posts: 1,013
Registered: 06-27-2002
Message 3 of 7

Re: Verifying Patch Content

Hi,

Please check this:
# swlist -dRv @ /fullpath/depot_file.depot
-or-
# swlist -dRv @ /fullpath/depot_dir

Detailed info:
# man swlist

Rgds.
Occasional Visitor
scrv3
Posts: 2
Registered: 03-24-2011
Message 4 of 7

Re: Verifying Patch Content

Thanks.
I see that there is an is_secure row in the patch details with swlist -dRv @ /var/patch/depot/[patch_name].depot; it seems to indicate whether a patch file is encrypted and whether it requires a password (per the sd(4) doc). I don't see a way to validate it at install time other than the way pointed out, to look at the bulletin and cksum the files individually. That seems like a lot of work. It's a shame HP doesn't offer a simpler way to do this for their own content.
Acclaimed Contributor
James R. Ferguson
Posts: 21,184
Registered: 07-06-2000
Message 5 of 7

Re: Verifying Patch Content

Hi:

> I don't see a way to validate it at install time other than the way pointed out to look at the bulletin and cksum the files individually.

Various checks are performed during installation and/or whenever a 'swverify' is run to guarantee the integrity of a patch or product. Not the least of these is a 'cksum' value delivered in the 'INFO' file. Following installation, this file can be found in the '/var/adm/sw' directory.

Regards!

...JRF...
Acclaimed Contributor
Dennis Handly
Posts: 24,978
Registered: 03-06-2006
Message 6 of 7

Re: Verifying Patch Content

>no way to verify a patch that I install is digitally signed

I've heard that they are thinking about this for the future.

>JRF: Not the least of these is a 'cksum' value delivered in the 'INFO' file. Following installation, this file can be found in the /var/adm/sw directory.

You can also use swlist to list the checksums of the files in the fileset.
Honored Contributor
Bob E Campbell
Posts: 764
Registered: 03-31-2004
Message 7 of 7

Re: Verifying Patch Content

As mentioned, patches are not digitally signed, but if downloaded with Software Assistant they are verified using an MD5 hash.

For more on SWA check out https://www.hp.com/go/swa
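
Added example (not part of the original thread and not HP tooling): a POSIX shell function that automates the per-file cksum comparison discussed above by checking files against a list of published values. The manifest format, the function names and the PHXX_* file names are assumptions made for illustration; cksum is a CRC, so a match shows a file was not corrupted, not that it is authentic.

```shell
# verify_cksum_manifest MANIFEST [DIR]
# MANIFEST (assumed format): "<crc> <size> <filename>" per line, the column
# order cksum(1) prints; blank lines and '#' comments are skipped.
# Returns 0 if all match, 1 on mismatch/missing file, 2 if nothing was checked.
verify_cksum_manifest() {
    _manifest=$1
    _dir=${2:-.}
    _checked=0
    _bad=0
    while read -r _crc _size _name || [ -n "$_crc" ]; do
        case $_crc in ''|'#'*) continue ;; esac
        _checked=$((_checked + 1))
        if [ ! -f "$_dir/$_name" ]; then
            echo "MISSING  $_name"
            _bad=$((_bad + 1))
            continue
        fi
        # Reading from stdin makes cksum print only "<crc> <size>".
        set -- $(cksum < "$_dir/$_name")
        if [ "$1" = "$_crc" ] && [ "$2" = "$_size" ]; then
            echo "OK       $_name"
        else
            echo "MISMATCH $_name (expected $_crc $_size, got $1 $2)"
            _bad=$((_bad + 1))
        fi
    done < "$_manifest"
    if [ "$_checked" -eq 0 ]; then
        echo "no entries in $_manifest: nothing verified"
        return 2
    fi
    [ "$_bad" -eq 0 ]
}

# Constructed demo: two stand-in files (made-up names), the second altered
# after its values were recorded. Expected return: 1.
demo_constructed() {
    _tmp=${TMPDIR:-/tmp}/cksum_demo.$$
    mkdir -m 700 "$_tmp" || return 3
    printf 'patch one\n' > "$_tmp/PHXX_00001.depot"
    printf 'patch two\n' > "$_tmp/PHXX_00002.depot"
    ( cd "$_tmp" && cksum PHXX_00001.depot PHXX_00002.depot ) > "$_tmp/published.txt"
    printf 'altered\n' >> "$_tmp/PHXX_00002.depot"
    verify_cksum_manifest "$_tmp/published.txt" "$_tmp"
    _rc=$?
    rm -rf "$_tmp"
    return $_rc
}
```

An empty or unreadable manifest returns 2 rather than 0, so a failed download of the value list is not mistaken for a clean result.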
The opinions expressed above are the personal opinions of the authors, not of HP.