BladeSystem Forums have moved here
To make BladeSystem information easier to find, we have moved the BladeSystem forums here, to Servers and Operating Systems.
Showing results for 
Search instead for 
Do you mean 

Verifying Patch Content

SOLVED
Go to Solution
Occasional Visitor

Verifying Patch Content

I looked in the swinstall man pages and saw no way to verify a patch that I install is digitally signed or that there was a checksum that was performed to validate the patch before install.
I did notice a cksum for each patch in the patch information page. Does HP-UX (11.11,11.23,11.31) offer any way to validate patch content before installing it via a signature or any other method?
If so can you point me to some examples or man pages?
6 REPLIES
Exalted Contributor

Re: Verifying Patch Content

Shalom,

Every patch has a page in the HP-UX patch database that includes a checksum.

You can if you have the time verify the check sum of every patch using an OS utility.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Honored Contributor

Re: Verifying Patch Content

Hi,

Please check this:
#swlist -dRv /fullpath/depot_file.depot
-or-
#swlist -dRv /fullpath/depot_dir

Detailed info:
#man swlist

Rgds.
Occasional Visitor

Re: Verifying Patch Content

Thanks.
I see that there is a is_secure row in the patch details with swlist -dRv @ /var/patch/depot/[patch_name].depot, it seems to indicate if a patch file is encrypted or not and if it requires a password (per the sd(4) doc). I don't see a way to validate it at install time other than the way pointed out to look at the bulletin and cksum the files individually. That seems like a lot of work. It's a shame HP doesn't offer a simpler way to do this for their own content.
Acclaimed Contributor

Re: Verifying Patch Content

Hi:

> I don't see a way to validate it at install time other than the way pointed out to look at the bulletin and cksum the files individually.

Various checks are performed during installation and/or whenever a 'swverify' is run to guarantee the integrity of a patch or product. Not the least of these is a 'cksum' value delivered in the 'INFO' file. Following installation, this file can be found in the '/var/adm/sw' directory.

Regards!

...JRF...
Acclaimed Contributor

Re: Verifying Patch Content

>no way to verify a patch that I install is digitally signed

I've heard that they are thinking about this for the future.

>JRF: Not the least of these is a 'cksum' value delivered in the 'INFO' file. Following installation, this file can be found in the /var/adm/sw directory.

You can also use swlist to list the checksums of the files in the fileset.
Highlighted
Honored Contributor

Re: Verifying Patch Content

As mentioned, patches are not digitally signed, but if downloaded with Software Assistant they are verified using MD5 hash.

For more on SWA check out https://www.hp.com/go/swa