This chapter describes how to add, verify, and remove software packages by using the package commands.For information on the procedures associated with performing these tasks, see:Adding and Removing Signed Packages by Using the pkgadd Command (Task Map) Managing Software Packages by Using Package Commands (Task Map) The following task map describes software management tasks that you can perform with signed package commands.Task Description For Instructions Import a certificate. You can import a trusted certificate by using the pkgadm addcert command. How to Import a Trusted Certificate From the Java Keystore (pkgadm addcert) Print the details of one or more certificates. You can print the details of a certificate by using the pkgadm listcert command. How to Display Certificate Information (pkgadm listcert) Remove a certificate. You can remove a certificate by using the pkgadm removecert command. How to Remove a Certificate (pkgadm removecert) Set up a proxy server. Use this procedures for systems that are set up behind a firewall with a proxy. How to Set Up a Proxy Server (pkgadd) Add a signed package. After the root certificate is imported, you can add a signed package by using he pkgadd command. How to Add a Signed Package (pkgadd) The following procedures explain how to add and remove signed packages by using the pkgadd command.&rolestep.sgm;Verify that the root certificate authority (CA) certificate exists in the Java keystore.# keytool -storepass storepass -list -keystore certfilekeytoolManages a Java keystore (database) of private keys and their associated X.509 certificate chains that authenticate the corresponding public keys. Also manages certificates from trusted entities. For more information on the keytool utility, see keytool-Key and Certificate Management Tool. storepass storepassSpecifies the password that protects the integrity of the keystore. listBy default, prints the MD5 fingerprint of a certificate. keystore certfileSpecifies the name and location of the persistent keystore file. Export the root CA certificate from the Java keystore to a temporary file.# keytool -export -storepass storepass -alias verisignclass2g2ca -keystore /usr/java/jre/lib/security/cacerts certfile -file filenameexportExports the trusted certificate. storepass storepassSpecifies the password that protects the integrity of the Java keystore. alias verisignclass2g2caIdentifies the alias of the trusted certificate. keystore certfileSpecifies the name and location of the keystore file. file filenameIdentifies the file to hold the exported certificate. Import a trusted certificate to the package keystore.# pkgadm addcert -t -f format certfiletIndicates that the certificate is a trusted CA certificate. The output includes the details of the certificate, which the user is asked to verify. f formatSpecifies the format of certificates and private keys. When you import a certificate, it must be encoded using PEM or binary DER format. certfileSpecifies the file that contains the certificate. Remove the temporary file.# rm /tmp/file-nameFor more information, see the pkgadm1M man page. The following example shows how to import a trusted certificate. In this example, Sun's root CA certificate is imported from the Java keystore into the package keystore by using the keytool command.# keytool -export -storepass changeit -alias verisignclass2g2ca \ -keystore /usr/java/jre/lib/security/cacerts -file /tmp/root.crt Certificate stored in file </tmp/root.crt># pkgadm addcert -t -f der /tmp/root.crt Keystore Alias: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O Certificate Type: Trusted Certificate Issuer Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O Validity Dates: <May 18 00:00:00 1998 GMT> - <Aug 1 23:59:59 2028 GMT> MD5 Fingerprint: 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1 SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D Are you sure you want to trust this certificate? yes Trusting certificate </C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O> Type a Keystore protection Password. xxxxxx Press ENTER for no protection password (not recommended): For Verification: Type a Keystore protection Password. Press ENTER for no protection password (not recommended): Certificate(s) from </tmp/root.crt> are now trusted &rolestep.sgm;Display the contents of the package keystore.# pkgadm listcert -p passarg The following example shows how to display the details of a locally stored certificate.# pkgadm listcert -P pass:test123 Keystore Alias: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O Certificate Type: Trusted Certificate Issuer Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O Validity Dates: <May 18 00:00:00 1998 GMT> - <Aug 1 23:59:59 2028 GMT> MD5 Fingerprint: 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1 SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D &rolestep.sgm;Remove the trusted certificate from the package keystore.# pkgadm removecert -n "certfile"The removecert n “certfile” option specifies the alias of the user certificate/key pair or the alias of the trusted certificate.View the alias names for certificates by using the pkgadm listcert command. The following example shows how to remove a certificate.# pkgadm listcert Keystore Alias: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O Certificate Type: Trusted Certificate Issuer Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O Validity Dates: <May 18 00:00:00 1998 GMT> - <Aug 1 23:59:59 2028 GMT> MD5 Fingerprint: 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1 SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D # pkgadm removecert -n "/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O" Enter Keystore Password: storepass Successfully removed Certificate(s) with alias \ </C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O> If your system is behind a firewall with a proxy, you will need to set up a proxy server before you can add a package from an HTTP server by using the pkgadd command. &rolestep.sgm;Select one of the following methods to specify a proxy server.Specify the proxy server by using the http_proxy, HTTPPROXY, or HTTPPROXYPORT environment variable.For example:# setenv http_proxy http://mycache.domain:8080Or, specify one of the following:# setenv HTTPPROXY mycache.domain # setenv HTTPPROXYPORT 8080 Specify the proxy server on the pkgadd command line.For example:# pkgadd -x mycache.domain:8080 -d http://myserver.com/pkg SUNWpkg Create an administration file that includes proxy server information.For example:# cat /tmp/admin mail= instance=unique partial=ask runlevel=ask idepend=ask rdepend=ask space=ask setuid=ask conflict=ask action=ask networktimeout=60 networkretries=3 authentication=quit keystore=/var/sadm/security basedir=default proxy=mycache.domain:8080Then, identify the administration file by using the pkgadd a command. For example:# pkgadd -a /tmp/admin -d http://myserver.com/pkg SUNWpkg This procedure assumes that you have imported Sun's root CA certificate. For more information, see How to Import a Trusted Certificate From the Java Keystore (pkgadm addcert). &rolestep.sgm;Add a signed package.# pkgadd -d /pathname/device-nameThe d device-name option specifies the device from which the package is installed. The device can be a directory, tape, diskette, or removable disk. The device can also be a data stream created by the pkgtrans command. The following example shows how to add a signed package that is stored on the system.# # pkgadd -d /tmp/signed_pppd The following packages are available: 1 SUNWpppd Solaris PPP Device Drivers (sparc) 11.10.0,REV=2003.05.08.12.24 Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]: all Enter keystore password: ## Verifying signature for signer <User Cert 0> . . .The following example shows how to install a signed package using an HTTP URL as the device name. The URL must point to a stream-formatted package.# pkgadd -d http://install/signed-video.pkg ## Downloading... ..............25%..............50%..............75%..............100% ## Download Complete . . . The following task map describes the software management tasks that you can perform with the package commands for both signed and unsigned packages.Task Description For Instructions Add software packages to the local system. You can add software packages to the local system by using the pkgadd command. How to Add Software Packages (pkgadd) Add software packages to a spool directory. You can add software packages to a spool directory without actually installing the software. Adding a Software Package to a Spool Directory List information about all installed software packages. You can list information about installed packages by using the pkginfo command. How to List Information About All Installed Packages (pkginfo) Check the integrity of installed software packages. You can verify the integrity of installed software packages by using the pkgchk command. How to Check the Integrity of Installed Software Packages (pkgchk) Check the integrity of an installed object. You can verify the integrity of an installed object by using the pkchk command with the p and P options. The p option specifies the full path name. The new P option specifies a partial path name. How to Check the Integrity of Installed Objects (pkgchk -p, pkgchk -P) Remove software packages. You can remove unneeded software packages by using the pkgrm command. How to Remove Software Packages (pkgrm) The following procedures explain how to manage software packages by using package commands.&rolestep.sgm;Remove any already installed packages with the same names as the packages you are adding.pkgadd commandadding packages (how to)pkgadd commanda option (administration file)pkgadd commandd option (device name)packagesaddingpkgadd commandThis step ensures that the system keeps a proper record of software that has been added and removed. Sometimes, you might want to maintain multiple versions of the same application on the system. For strategies on maintaining multiple software copies, see Guidelines for Removing Packages (pkgrm). For task information, see How to Remove Software Packages (pkgrm). Add a software package to the system.# pkgadd -a admin-file -d device-name pkgid ...a admin-file(Optional) Specifies an administration file that the pkgadd command should check during the installation. For details about using an administration file, see Using an Administration File. d device-nameSpecifies the absolute path to the software packages. device-name can be the path to a device, a directory, or a spool directory. If you do not specify the path where the package resides, the pkgadd command checks the default spool directory (/var/spool/pkg). If the package is not there, the package installation fails. pkgid(Optional) Is the name of one or more packages, separated by spaces, to be installed. If omitted, the pkgadd command installs all available packages from the specified device, directory, or spool directory. If the pkgadd command encounters a problem during installation of the package, it displays a message related to the problem, followed by this prompt: Do you want to continue with this installation?Respond with yes, no, or quit. If more than one package has been specified, type no to stop the installation of the package being installed. The pkgadd command continues to install the other packages. Type quit to stop the installation. Verify that the package has been installed successfully.# pkgchk -v pkgidIf no errors occur, a list of installed files is returned. Otherwise, the pkgchk command reports the error. addinga package from a mounted CD (example of)CD-ROM devicesadding software from mounted CDexample ofSun software packagesadding (example of)The following example shows how install the SUNWpl5u package from a mounted Solaris 10 CD. The example also shows how to verify that the package files were installed properly. # pkgadd -d /media/Solaris_11/Product SUNWpl5u . . . Installation of <SUNWpl5u> was successful. # pkgchk -v SUNWpl5u /usr /usr/bin /usr/bin/perl /usr/perl5 /usr/perl5/5.8.4 . . . If the packages you want to install are available from a remote system, you can manually mount the directory that contains the packages (in package format) and install packages on the local system.addinga package, example ofremote package serversoftware installation from (example of)The following example shows how to install software packages from a remote system. In this example, assume that the remote system named package-server has software packages in the /latest-packages directory. The mount command mounts the packages locally on /mnt. The pkgadd command installs the SUNWpl5u package. # mount -F nfs -o ro package-server:/latest-packages /mnt # pkgadd -d /mnt SUNWpl5u . . . Installation of <SUNWpl5u> was successful.If the automounter is running at your site, you do not need to mount the remote package server manually. Instead, use the automounter path, in this case, /net/package-server/latest-packages, as the argument to the -d option. # pkgadd -d /net/package-server/latest-packages SUNWpl5u . . . Installation of <SUNWpl5u> was successful. pkgadd commanda option (administration file)noask_pkgadd administration fileremote package serversoftware installation fromaddingpackages from remote package server (example of)Sun software packagesinstallingThis example is similar to the previous example, except that it uses the a option and specifies an administration file named noask-pkgadd, which is illustrated in Avoiding User Interaction When Adding Packages (pkgadd). In this example, assume that the noask-pkgadd administration file is in the default location, /var/sadm/install/admin. # pkgadd -a noask-pkgadd -d /net/package-server/latest-packages SUNWpl5u . . . Installation of <SUNWpl5u> was successful. pkgadd commandadding packages (how to)using an HTTP URLThe following example shows how to install a package using an HTTP URL as the device name. The URL must point to a stream-formatted package.# pkgadd -d http://install/xf86-4.3.0-video.pkg ## Downloading... ..............25%..............50%..............75%..............100% ## Download Complete The following packages are available: 1 SUNWxf86r XFree86 Driver Porting Kit (Root) (i386) 4.3.0,REV=0.2003.02.28 2 SUNWxf86u XFree86 Driver Porting Kit (User) (i386) 4.3.0,REV=0.2003.02.28 . . . /var/spool/pkg directoryFor convenience, you can copy frequently installed packages to a spool directory. If you copy packages to the default spool directory, /var/spool/pkg, you do not need to specify the source location of the package (d device-name argument) when you use the pkgadd command. The pkgadd command, by default, checks the /var/spool/pkg directory for any packages that are specified on the command line. Note that copying packages to a spool directory is not the same as installing the packages on a system.&rolestep.sgm;Remove any already spooled packages with the same names as the packages you are adding.spool directoriesinstalling software packages to (how to)pkgadd commandspool directories andpkgadd commandd option (device name)pkgadd commands option (spool directory)verifyingsoftware package installationpkginfo commandverifyingsoftware package installation with pkginfo commandFor information on removing spooled packages, see Example 20–20. Add a software package to a spool directory.# pkgadd -d device-name -s spooldir pkgid ...d device-nameSpecifies the absolute path to the software packages. device-name can be the path to a device, a directory, or a spool directory. s spooldirSpecifies the name of the spool directory where the package will be spooled. You must specify a spooldir. pkgid(Optional) Is the name of one or more packages, separated by spaces, to be added to the spool directory. If omitted, the pkgadd command copies all available packages. Verify that the package has been copied successfully to the spool directory.$ pkginfo -d spooldir| grep pkgidIf pkgid was copied correctly, the pkginfo command returns a line of information about the pkgid. Otherwise, the pkginfo command returns the system prompt. pkgadd commandd option (device name)software packagesinstalling from a spool directory (example of)The following example shows how to transfer the SUNWman package from a mounted SPARC based Solaris 10 CD to the default spool directory (/var/spool/pkg). # pkgadd -d /media/Solaris_11/Product -s /var/spool/pkg SUNWman Transferring <SUNWman> package instance If packages you want to copy are available from a remote system, you can manually mount the directory that contains the packages, in package format, and copy them to a local spool directory.remote package serveradding packages to a spool directory (example of)pkgadd commands option (spool directory)The following example shows the commands for this scenario. In this example, assume that the remote system named package-server has software packages in the /latest-packages directory. The mount command mounts the package directory locally on /mnt. The pkgadd command copies the SUNWpl5p package from /mnt to the default spool directory (/var/spool/pkg). # mount -F nfs -o ro package-server:/latest-packages /mnt # pkgadd -d /mnt -s /var/spool/pkg SUNWpl5p Transferring <SUNWpl5p> package instanceIf the automounter is running at your site, you do not have to mount the remote package server manually. Instead, use the automounter path, in this case, /net/package-server/latest-packages, as the argument to the d option. # pkgadd -d /net/package-server/latest-packages -s /var/spool/pkg SUNWpl5p Transferring <SUNWpl5p> package instance /var/spool/pkg directory/pkg directorysoftware packagesinstallingaddingpackages from a spool directory (example of)spool directoriesinstalling software packages to (example of)pkgadd commandspool directories and (example of)The following example shows how to install the SUNWpl5p package from the default spool directory. When no options are used, the pkgadd command searches the /var/spool/pkg directory for the named packages. # pkgadd SUNWpl5p . . . Installation of <SUNWpl5p> was successful. pkginfo commandhow to usedisplayinginstalled software informationList information about installed packages by using the pkginfo command.$ pkginfo pkginfo commanddisplaying all packages installed (example of)listingpackage information (example of)This example shows how to list all packages installed on a local system, whether that system is a stand-alone system or a server. The output shows the primary category, package name, and the description of the package. $ pkginfo system SUNWaccr System Accounting, (Root) system SUNWaccu System Accounting, (Usr) system SUNWadmap System administration applications system SUNWadmc System administration core libraries . . . This example shows how to list all packages installed on a system by specifying the long format, which includes all available information about the designated packages.$ pkginfo -l SUNWcar PKGINST: SUNWcar NAME: Core Architecture, (Root) CATEGORY: system ARCH: sparc.sun4u VERSION: 11.9.0,REV=2002.04.06.15.27 BASEDIR: / VENDOR: Sun Microsystems, Inc. DESC: core software for a specific hardware platform group PSTAMP: leo20031003183400 INSTDATE: Feb 20 2004 16:57 HOTLINE: Please contact your local service provider STATUS: completely installed FILES: 114 installed pathnames 36 shared pathnames 40 directories 57 executables 21469 blocks used (approx) &rolestep.sgm;Check the status of an installed package.To check the file attributes and contents, type the following:# pkgchk -a| -c -v pkgid ... To specify the absolute path of the spool directory, type the following:# pkgchk -d spooldir pkgid ... aSpecifies to audit only the file attributes (the permissions), rather than the file attributes and the contents, which is the default. cSpecifies to audit only the file contents, rather than the file contents and attributes, which is the default. vSpecifies verbose mode, which displays file names as they are processed. d spooldirSpecifies the absolute path of the spool directory. pkgid(Optional) Is the name of one or more packages, separated by spaces. If you do not specify a pkgid, all the software packages installed on the system are checked. The following example shows how to check the contents of a package.# pkgchk -c SUNWbashIf no errors occur, the system prompt is returned. Otherwise, the pkgck command reports the error. filesverifying attributes for newly installed packagescheckinginstalled packages (example of)The following example shows how to check the file attributes of a package. # pkgchk -a SUNWbashIf no errors occur, the system prompt is returned. Otherwise, the pkgck command reports the error. spool directoriesinstalling software packages to (example of)addingpackages to a spool directory (example of)pkgchk commandusing (example of)verifyingsoftware installation (example of)The following example shows how to check a software package that was copied to a spool directory (/export/install/packages). # pkgchk -d /export/install/packages ## checking spooled package <SUNWadmap> ## checking spooled package <SUNWadmfw> ## checking spooled package <SUNWadmc> ## checking spooled package <SUNWsadml>The checks made on a spooled package are limited because not all information can be audited until a package is installed. This procedure explains how to use the pkgchk command to check the integrity of installed objects. The new P option enables you to specify a partial path. This option has been added to assist you in mapping files to packages. Use this option with the l option to list the information about the files that contain the partial path. Use the p option to check the integrity of installed objects by specifying the full path. For more information, see the pkgchk1M man page. &rolestep.sgm;Check the integrity of an installed object.To verify the integrity of an installed object for a full path name or path names, type the following:# pkgchk -lp path-name To verify the integrity of an installed object for a partial-path name or path names, type the following:# pkgchk -lP partial-path-name p pathChecks the accuracy only of the path name or path names that are listed. Path can be one or more path names separated by commas. Specifies to audit only the file attributes (the permissions), rather than the file attributes and the contents, which is the default. P partial-pathChecks the accuracy of only the partial path name or path names that are listed. The partial-path can be one or more partial path names separated by commas. Matches any path name that contains the string contained in the partial path. Specifies to audit only the file contents, rather than the file contents and attributes, which is the default. lLists information about the selected files that make up a package. This option is not compatible with the a, c, f, g, and v options. Specifies verbose mode, which displays file names as they are processed. This example shows you how to use the pkgchk lp command to check the contents/attributes of an object on a file system by a specifying the full path name. The l option lists information on the selected files that make up a package.# pkgchk -lp /usr/sbin/pkgadd Pathname: /usr/sbin/pkgadd Type: regular file Expected mode: 0555 Expected owner: root Expected group: sys Expected file size (bytes): 867152 Expected sum(1) of contents: 45580 Expected last modification: Jul 02 02:20:34 2004 Referenced by the following packages: SUNWpkgcmdsu Current status: installed This example shows you how to use the pkgchk lP command to check the contents/attributes of an object on a file system by a specifying a partial path name, such as a file or directory name. The l option lists information on the selected files that make up a package.# pkgchk -lP /sbin/pkgadd Pathname: /usr/sbin/pkgadd Type: regular file Expected mode: 0555 Expected owner: root Expected group: sys Expected file size (bytes): 867152 Expected sum(1) of contents: 45580 Expected last modification: Jul 02 02:20:34 2004 Referenced by the following packages: SUNWpkgcmdsu Current status: installed Pathname: /usr/sbin/pkgask Type: linked file Source of link: ../../usr/sbin/pkgadd Referenced by the following packages: SUNWpkgcmdsu Current status: installed To remove or uninstall a software package, use the associated tool that you used to add or install a software package. For example, if you used the Solaris installation GUI to install software, use the Solaris installation GUI to uninstall software.Do no use the rm command to remove software packages. Doing so will result in inaccuracies in the database that keeps track of all installed packages on the system. &rolestep.sgm;Remove an installed package.# pkgrm pkgid ...pkgid identifies the name of one or more packages, separated by spaces, to be removed. If omitted, the pkgrmcommand removes all available packages. This example shows how to remove a package.# pkgrm SUNWctu The following package is currently installed: SUNWctu Netra ct usr/platform links (64-bit) (sparc.sun4u) 11.9.0,REV=2001.07.24.15.53 Do you want to remove this package? y ## Removing installed package instance <SUNWctu> ## Verifying package dependencies. ## Processing package information. ## Removing pathnames in class <none> . . . This example shows how to remove a spooled package.# pkgrm -s /export/pkg SUNWaudh The following package is currently spooled: SUNWaudh Audio Header Files (sparc) 11.10.0,REV=2003.08.08.00.03 Do you want to remove this package? y Removing spooled package instance <SUNWaudh>