Verifying Patch Content

Occasional Visitor

Verifying Patch Content

I looked in the swinstall man pages and saw no way to verify a patch that I install is digitally signed or that there was a checksum that was performed to validate the patch before install.
I did notice a cksum for each patch in the patch information page. Does HP-UX (11.11, 11.23, 11.31) offer any way to validate patch content before installing it via a signature or any other method?
If so, can you point me to some examples or man pages?
1 ACCEPTED SOLUTIONS
Acclaimed Contributor

Re: Verifying Patch Content

Hi:

> I don't see a way to validate it at install time other than the way pointed out to look at the bulletin and cksum the files individually.

Various checks are performed during installation and/or whenever a 'swverify' is run to guarantee the integrity of a patch or product. Not the least of these is a 'cksum' value delivered in the 'INFO' file. Following installation, this file can be found in the '/var/adm/sw' directory.

Regards!

...JRF...
6 REPLIES
Exalted Contributor

Re: Verifying Patch Content

Shalom,

Every patch has a page in the HP-UX patch database that includes a checksum.

You can, if you have the time, verify the checksum of every patch using an OS utility.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Honored Contributor

Re: Verifying Patch Content

Hi,

Please check this:
# swlist -dRv @ /fullpath/depot_file.depot
-or-
# swlist -dRv @ /fullpath/depot_dir

Detailed info:
# man swlist

Rgds.
Occasional Visitor

Re: Verifying Patch Content

Thanks.
I see that there is an is_secure row in the patch details with swlist -dRv @ /var/patch/depot/[patch_name].depot; it seems to indicate if a patch file is encrypted or not and if it requires a password (per the sd(4) doc). I don't see a way to validate it at install time other than the way pointed out to look at the bulletin and cksum the files individually. That seems like a lot of work. It's a shame HP doesn't offer a simpler way to do this for their own content.
Acclaimed Contributor

Re: Verifying Patch Content

>no way to verify a patch that I install is digitally signed

I've heard that they are thinking about this for the future.

>JRF: Not the least of these is a 'cksum' value delivered in the 'INFO' file. Following installation, this file can be found in the /var/adm/sw directory.

You can also use swlist to list the checksums of the files in the fileset.
Honored Contributor

Re: Verifying Patch Content

As mentioned, patches are not digitally signed, but if downloaded with Software Assistant they are verified using an MD5 hash.

For more on SWA check out https://www.hp.com/go/swa
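
The manual check discussed in this thread (compare the published cksum of each patch with the downloaded file) can be scripted. This is an added example, not part of any post and not HP tooling; the function name verify_cksums and the manifest layout (one line per file in cksum(1) output form) are assumptions.

```shell
#!/bin/sh
# verify_cksums MANIFEST [BASEDIR]
# MANIFEST lines use cksum(1) output form: "<crc> <octets> <path>".
# (Assumed layout for this example: build it from the cksum values
# published for each patch, one line per downloaded file.)
# cksum is a CRC: it detects corruption, not deliberate tampering.
verify_cksums() {
    manifest=$1
    basedir=${2:-.}
    bad=0
    while read -r want_crc want_size path; do
        # Skip blank lines and comment lines.
        case $want_crc in ''|'#'*) continue ;; esac
        file=$basedir/$path
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
            continue
        fi
        # Read the file on stdin so cksum prints only "<crc> <octets>".
        set -- $(cksum < "$file")
        if [ "$1" = "$want_crc" ] && [ "$2" = "$want_size" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $want_crc $want_size, got $1 $2)"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    # Exit status 0 only when every listed file was present and matched.
    [ "$bad" -eq 0 ]
}
```

Call it as `verify_cksums manifest.txt /var/patch/depot` before running swinstall, and stop if it returns non-zero.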