pkgadm(1M)              System Administration Commands              pkgadm(1M)

NAME

       pkgadm - manage packaging and patching system

SYNOPSIS

       pkgadm addcert [-ty] [-a app] [-k keystore] [-e keyfile]
            [-f format] [-n name] [-P passarg]
            [-p import_passarg] [-R rootpath] certfile

       pkgadm removecert [-a app] [-k keystore] -n name
            [-P passarg] [-R rootpath]

       pkgadm listcert [-a app] [-f format] [-k keystore] -n name
            [-P passarg] [-o outfile] [-R rootpath]

       pkgadm dbstatus [-R rootpath]

       pkgadm sync [-R rootpath] [-q]

       pkgadm -V

       pkgadm -?

DESCRIPTION

       The pkgadm utility is used for managing the packaging and patching
       system. It has several subcommands that perform various operations
       relating to packaging. The pkgadm command includes subcommands for
       managing certificates and keys used.

   Managing Keys and Certificates
       pkgadm maintains the packaging-system-wide keystore in
       /var/sadm/security, and individual user's certificates in
       ~/.pkg/security. The following subcommands operate on the package
       keystore database:

       addcert

           Add (import) a certificate into the database, with optional trust.
           Once added, trusted certificates can be used to verify signed
           packages and patches. Non-trusted user certificates and their
           associated keys can be used to sign packages and patches. Added
           user certificates are not used to build certificate chains during
           certificate verification.

       removecert

           Removes a user certificate/private key pair, or a trusted
           certificate authority certificate from the keystore. Once removed,
           the certificate and keys cannot be used.

       listcert

           Print details of one or more certificates in the keystore.

       sync

           Writes the contents file and rolls the contents log file. With use
           of the -q option, forces the contents file server to quit.

   Internal Install Database
       The Solaris operating system relies upon enhanced System V revision 4
       (SVr4) packages as the basis for its software installation and revision
       management. The package maintenance software stores information about
       installed packages in an internal database. The pkgadm subcommand
       dbstatus is used to determine how the package internal database is
       implemented. The dbstatus command returns a string that indicates the
       type of internal database in use. In the current implementation, the
       dbstatus command always returns the string text, which indicates that
       the contents(4) package database is in use. Future releases of Solaris
       might supply alternative database implementations.

OPTIONS

       The following options are supported:

       -a app

           If this option is used, then the command only affects the keystore
           associated with a particular application. Otherwise, the global
           keystore is affected.

       -e keyfile

           When adding a non-trusted certificate/key combination, this option
           can be used to specify the file that contains the private key. If
           this option is not used, the private key must be in the same file
           as the certificate being added.

       -f format

           When adding certificates, this specifies the format to expect
           certificates and private keys in. Possible values when adding are:

           pem

               Certificate and any private key use PEM encoding.

           der

               Certificate and any private key use DER encoding.

           When printing certificates, this specifies the output format used
           when printing. Acceptable values for format are:

           pem

               Output each certificate using PEM encoding.

           der

               Output each certificate using DER encoding.

           text

               Output each certificate in human-readable format.

       -k keystore

           Overrides the default location used when accessing the keystore.

       -n name

           Identifies the entity in the store on which you want to operate.
           When adding a user certificate, or removing certificates, this name
           is required. The name is associated with the certificate/key
           combination, and when adding, can be used later to reference the
           entity. When printing certificates, if no alias is supplied, then
           all keystore entities are printed.

       -o outfile

           Output the result of the command to outfile. Only used when
           examining (printing) certificates from the key store. Standard
           output is the default.

       -P passarg

           Password retrieval method to use to decrypt keystore specified with
           -k, if required. See PASS PHRASE ARGUMENTS in pkgadd(1M) for more
           information about the format of this option's argument. console is
           the default.

       -p import_passarg

           This option's argument is identical to -P, but is used for
           supplying the password used to decrypt the certificate and/or
           private key being added. console is the default.

       -q

           (Applies to sync subcommand.) Shuts down the contents file cache
           daemon.

       -R rootpath

           Defines the full name of a directory to use as the root (/) path.
           The default user location of the certificate operations is
           ${HOME}/.pkg. If the -R option is supplied, the certificates and
           keys will be stored under <altroot>/var/sadm/security. Note that
           this operation fails if the user does not have sufficient
           permissions to access this directory. The listcert command requires
           read permission, while addcert and removecert require both read and
           write permission.

           Note -

             The root file system of any non-global zones must not be
             referenced with the -R option. Doing so might damage the global
             zone's file system, might compromise the security of the global
             zone, and might damage the non-global zone's file system. See
             zones(5).

       -t

           Indicates the certificate being added is a trusted CA certificate.
           The details of the certificate (including the Subject Name,
           Validity Dates, and Fingerprints) are printed and the user is asked
           to verify the data. This verification step can be skipped with -y.
           When importing a trusted certificate, a private key should not be
           supplied, and will be rejected if supplied. Once a certificate is
           trusted, it can be used as a trust anchor when verifying future
           untrusted certificates.

       -V

           Print version associated with packaging tools.

       -y

           When adding a trusted certificate, the details of the certificate
           (Subject name, Issuer name, Validity dates, Fingerprints) are shown
           to the user and the user is asked to verify the correctness before
           proceeding. With -y, this additional verification step is skipped.

       -?

           Print help message.

OPERANDS

       The following operand is supported:

       certfile

           File containing the certificate and optional private key, used when
           adding a trust anchor or certificate/key combination. Certificates
           must be encoded using PEM or binary DER.

KEYSTORE ALIASES

       All keystore entries (user cert/key and trusted certificate entries)
       are accessed via unique aliases. Aliases are case-sensitive.

       An alias is specified when you add an entity to a keystore using the
       addcert or trustcert subcommand. If an alias is not supplied for a
       trust anchor, the trust anchor's Common Name is used as the alias. An
       alias is required when adding a signing certificate or chain
       certificate. Subsequent pkgcert or other package tool commands must use
       this same alias to refer to the entity.

KEYSTORE PASSWORDS

       See the pkgadd(1M) man page for a description of the passwords supplied
       to the pkgadm utility.

EXAMPLES

       Example 1 Adding a Trust Anchor

       The following example adds a well-known and trusted certificate to be
       used when verifying signatures on packages.

         example% pkgadm addcert -t /tmp/certfile.pem

       Example 2 Adding a Signing Certificate

       The following example adds a signing certificate and associated private
       key, each of which is in a separate file, which can then be used to
       sign packages.

         example% pkgadm addcert -a pkgtrans -e /tmp/keyfile.pem \
         /tmp/certfile.pem

       Example 3 Printing Certificates

       The following example prints all certificates in the root keystore.

         example% pkgadm listcert
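
       Example 1 and the -t and -y option descriptions leave a gap for
       scripted use: -y skips the interactive review of the certificate's
       fingerprints. The sh script below is an added example, not part of
       the original manual page, that makes a non-interactive import
       conditional on a fingerprint obtained out of band. The use of
       openssl(1) with SHA-256, the function names, and the PKGADM override
       variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the manual page): scripted trust-anchor import.
# -y suppresses pkgadm's interactive fingerprint review, so the script
# does that comparison itself before pkgadm is invoked.

# Reduce a fingerprint to bare upper-case hex: drop any "label=" prefix,
# colons, spaces and newlines.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeed only when both values normalise to the same non-empty hex string.
fp_match() {
    a=$(norm_fp "$1")
    b=$(norm_fp "$2")
    case "$a" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "$a" = "$b" ]
}

# Assumption: openssl(1) is installed; SHA-256 is this example's choice.
# $2 is the encoding, PEM (default) or DER, matching pkgadm's -f values.
cert_fp() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256
}

# add_trusted CERTFILE EXPECTED_FP
# Returns pkgadm's status on import, 1 on mismatch, 2 on a parse failure.
# PKGADM may be overridden (hypothetical variable) for a dry run.
add_trusted() {
    actual=$(cert_fp "$1") || { echo "cannot parse $1" >&2; return 2; }
    if fp_match "$actual" "$2"; then
        "${PKGADM:-pkgadm}" addcert -t -y "$1"
    else
        echo "fingerprint mismatch for $1; certificate not imported" >&2
        return 1
    fi
}

# Usage: sh script CERTFILE EXPECTED_FP  (fingerprint obtained out of band)
if [ "$#" -eq 2 ]; then
    add_trusted "$1" "$2"
fi
```

       A mismatch or an unparsable file leaves the keystore untouched,
       because pkgadm is never invoked on those paths.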

EXIT STATUS

       0

           successful completion

       non-zero

           fatal error

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWpkgcmdsu                 │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Evolving                     │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO

       pkginfo(1), pkgmk(1), pkgparam(1), pkgproto(1), pkgtrans(1), svcs(1),
       installf(1M), pkgadd(1M), pkgask(1M), pkgrm(1M), removef(1M),
       svcadm(1M), admin(4), contents(4), exec_attr(4), pkginfo(4),
       attributes(5), rbac(5), smf(5)

NOTES

       The service for pkgadm is managed by the service management facility,
       smf(5), under the service identifier:

         svc:/system/pkgserv

       Administrative actions on this service, such as enabling, disabling, or
       requesting restart, can be performed using svcadm(1M). The service's
       status can be queried using the svcs(1) command.

SunOS 5.11                        20 Mar 2009                       pkgadm(1M)