Occasional Visitor
scrv3
Posts: 2
Registered: ‎03-24-2011
Message 1 of 7 (199 Views)
Accepted Solution

Verifying Patch Content

I looked in the swinstall man pages and saw no way to verify that a patch I install is digitally signed, or that a checksum was performed to validate the patch before install.
I did notice a cksum for each patch in the patch information page. Does HP-UX (11.11, 11.23, 11.31) offer any way to validate patch content before installing it, via a signature or any other method?
If so, can you point me to some examples or man pages?
Exalted Contributor
Steven E. Protter
Posts: 33,806
Registered: ‎08-15-2002
Message 2 of 7 (199 Views)

Re: Verifying Patch Content

Shalom,

Every patch has a page in the HP-UX patch database that includes a checksum.

You can, if you have the time, verify the checksum of every patch using an OS utility.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Honored Contributor
Jose Mosquera
Posts: 1,013
Registered: ‎06-27-2002
Message 3 of 7 (199 Views)

Re: Verifying Patch Content

Hi,

Please check this:
# swlist -dRv @ /fullpath/depot_file.depot
-or-
# swlist -dRv @ /fullpath/depot_dir

Detailed info:
# man swlist

Rgds.
Occasional Visitor
scrv3
Posts: 2
Registered: ‎03-24-2011
Message 4 of 7 (199 Views)

Re: Verifying Patch Content

Thanks.
I see that there is an is_secure row in the patch details with swlist -dRv @ /var/patch/depot/[patch_name].depot. It seems to indicate if a patch file is encrypted or not and if it requires a password (per the sd(4) doc). I don't see a way to validate it at install time other than the way pointed out: look at the bulletin and cksum the files individually. That seems like a lot of work. It's a shame HP doesn't offer a simpler way to do this for their own content.
Acclaimed Contributor
James R. Ferguson
Posts: 21,184
Registered: ‎07-06-2000
Message 5 of 7 (199 Views)

Re: Verifying Patch Content

Hi:

> I don't see a way to validate it at install time other than the way pointed out to look at the bulletin and cksum the files individually.

Various checks are performed during installation and/or whenever a 'swverify' is run to guarantee the integrity of a patch or product. Not the least of these is a 'cksum' value delivered in the 'INFO' file. Following installation, this file can be found in the '/var/adm/sw' directory.

Regards!

...JRF...
Acclaimed Contributor
Dennis Handly
Posts: 25,210
Registered: ‎03-06-2006
Message 6 of 7 (199 Views)

Re: Verifying Patch Content

>no way to verify a patch that I install is digitally signed

I've heard that they are thinking about this for the future.

>JRF: Not the least of these is a 'cksum' value delivered in the 'INFO' file. Following installation, this file can be found in the /var/adm/sw directory.

You can also use swlist to list the checksums of the files in the fileset.
Honored Contributor
Bob E Campbell
Posts: 764
Registered: ‎03-31-2004
Message 7 of 7 (199 Views)

Re: Verifying Patch Content

As mentioned, patches are not digitally signed, but if downloaded with Software Assistant they are verified using an MD5 hash.

For more on SWA check out https://www.hp.com/go/swa
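
The manual check discussed in this thread (compare each downloaded patch file with the cksum value from its patch information page) can be scripted. The following is an added example, not part of any post above and not HP tooling. It assumes a manifest you transcribe yourself, one `<crc> <size> <file name>` line per patch file; the function name and manifest format are hypothetical.

```shell
#!/bin/sh
# Added example, not HP tooling: compare downloaded patch files with recorded
# cksum values before running swinstall.
# Assumed manifest format, one line per file: <crc> <size-in-bytes> <file name>
# (the fields `cksum FILE` prints), transcribed from the patch information pages.

# verify_patch_manifest MANIFEST DIR
# Returns 0 only when every listed file is present in DIR with matching crc and size.
verify_patch_manifest() {
    manifest=$1
    dir=$2
    checked=0
    failures=0
    [ -r "$manifest" ] || { echo "cannot read manifest: $manifest" >&2; return 2; }

    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r want_crc want_size name || [ -n "$want_crc" ]; do
        case "$want_crc" in ''|'#'*) continue ;; esac   # blank line or comment
        checked=$((checked + 1))
        case "$name" in
            ''|*/*)   # refuse entries that point outside DIR
                echo "BAD ENTRY $want_crc $want_size $name" >&2
                failures=$((failures + 1)); continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING   $name" >&2
            failures=$((failures + 1)); continue
        fi
        # Reading from stdin makes cksum print just "<crc> <size>".
        # set -- replaces the positional parameters; $1 and $2 were saved above.
        set -- $(cksum < "$dir/$name")
        if [ "$1" = "$want_crc" ] && [ "$2" = "$want_size" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name (expected $want_crc $want_size, got $1 $2)" >&2
            failures=$((failures + 1))
        fi
    done < "$manifest"

    # An empty manifest verifies nothing, so treat it as a failure.
    [ "$checked" -gt 0 ] && [ "$failures" -eq 0 ]
}
```

cksum is a CRC, so a match shows that the file arrived intact; it does not authenticate where the file came from.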