Manualshelf

HP Secure Development Lifecycle

ManualsBrandsHP ManualsSoftwareHP-UX 11i v3 Virtual Server Operating Environment (VSE-OE) LTU
12345
3
HP-UX Packages
The software packages are shipped by HP on HP-UX in the form of a directory (directory depots) and files (tape
depot). The OE and AR media (DVD) shipped by HP can be mounted as a directory, whereas the software that is
available for download from http://software.hp.com as well as the patches from HPSC are available in the form of
a file, in a format named ‘tape depot’.
Signed HP-UX packages
Every software that is part of the HP-UX 11iv3 March 2013 (update) release, software on http://software.hp.com,
and patches released through HPSC post March 2013 is digitally signed by HP. The software depots contain the
digital signatures signed by HP Private Key for every installable software level (fileset, subproduct, product, bundle
and depot). This functionality allows you to be sure that the environment you are installing is indeed delivered by
HP, thus avoiding inadvertent installation of any malware or software.
Verification of HP-UX Software
HP’s signed packages can be verified for its authenticity and integrity before installing them on a HP-UX
system. SW-DIST and HP-UX Whitelistingcomponents delivered on HP-UX support verification of two formats -
directory depot and tape depots using the sw* commands and HP Public Key.
The signatures can be verified using these applications prior to any software installation. You can choose not to
install the software incase the signature verification fails.
Note:
The infrastructure supports only verification of the software that is either directly shipped by HP or
downloaded from HP supported location for HP-UX. Any software packages that are recreated using
swcopy by you cannot be completely verified using SW-DIST commands.
For a depot originally provided by HP, signature verification for depot metadata as well as all bundles,
products and filesets must pass.
To retain the complete depot signature verification, a file system copy of the depot must be done instead
of swcopy
Installing Required Software
SW-DIST and HP-UX Whitelisting, the required software for verifying any HP-UX software is available for download
from http://software.hp.com or as a part of the HP-UX 11iv3 update 1303. This functionality is supported only
with the versions of SW-DIST B.11.31.1303 or newer, and HP-UX Whitelisting B.01.01.07 or newer.
Solution
The following section describes the commands that can be used to verify the software packages for authenticity
before the installation.
Verifying a Signed Directory Depot
Typically, the HP-UX DVD media(OE and AR) is mounted as a directory depot and can be verified before igniting the
machine or installing the software.
swverify command should be used to verify the authenticity and integrity of a signed directory depot. It is the same
tool that had the legacy functionalities such as verification of the dependencies, file permissions, etc.
In order to verify signatures as well as legacy functionalities for a directory depot that is available in the location
/depots/sample.depot/”, “-x verify_signatures=trueoption should be used with swverify command.
swverify -d -x verify_signatures=true \* @ /depots/sample.depot/
In order to verify only the signatures in a signed directory depot that is available in the location
/depots/sample.depot/”, “-x verify_signatures_only=true” option should be used.
swverify -d -x verify_signatures_only=true \* @ /depots/sample.depot/
In order to specify your own public key path instead of the default, use “-x
public_key=/path/to/public/key” option. This option can only be used along with
-x verify_signatures_only=true” or “-x verify_signatures=true” option.
swverify -d -x verify_signatures_only=true -x public_key=/path/to/public/key \* @ /depots/sample.depot/