HP Secure Development Lifecycle

If the depot is located on a remote machine, that machine must have SW-DIST version B.11.31.1303 or newer and
HP-UX Whitelisting version B.01.01.07 or newer.
The complete details of signature verification can be obtained by running the swjob command displayed at the end
of the swverify session.
Note:
Currently, swverify verifies the signatures of all products in the depot, irrespective of the software
specified on the command line.
Verification of the authenticity and integrity of HP-UX software is turned off by default in swverify. The
required option has to be given explicitly to swverify to verify the authenticity of software in an HP-UX
depot.
Verifying a signed tape depot
Typically, HP-UX software downloaded from http://software.hp.com and patches downloaded from the patch hub are
in the form of tape depots (single files). The swsign command should be used to verify the authenticity and
integrity of such software (tape depots).
To verify a tape depot located at /depots/sample.depot, run:
swsign -v -s /depots/sample.depot
To specify your own public key path instead of the default, the -k /path/to/public_key.pem option can be used
with swsign, in the same way as with swverify in the previous section.
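Because signature checking has to be invoked explicitly, a practical safeguard is to script it so that nothing gets installed unless every depot verifies. The following shell wrapper is an added example and is not part of this paper or of HP-UX; it assumes that /usr/sbin/swsign -v -s <depot> (optionally with -k <public key>) exits non-zero when a signature does not verify, which should be confirmed against swsign(1M) on your system. The SWSIGN variable is a hypothetical override so the wrapper can be exercised with a stub where swsign is not installed.

```shell
#!/bin/sh
# Added example: fail-closed wrapper around swsign for tape depots.
# Assumption (not stated in the paper): swsign -v -s returns non-zero on a
# failed verification. SWSIGN may be overridden, e.g. to point at a test stub.
SWSIGN="${SWSIGN:-/usr/sbin/swsign}"

# verify_depot DEPOT [PUBLIC_KEY]
# Returns 0 only when the depot file exists and swsign reports a valid
# signature; a missing file is treated as a failure (exit 2), never as a pass.
verify_depot() {
    depot="$1"
    key="$2"
    if [ ! -f "$depot" ]; then
        echo "verify_depot: no such depot: $depot" >&2
        return 2
    fi
    if [ -n "$key" ]; then
        "$SWSIGN" -v -s "$depot" -k "$key"
    else
        "$SWSIGN" -v -s "$depot"
    fi
}

# verify_all DIR [PUBLIC_KEY]
# Verifies every *.depot file in DIR, prints one PASS/FAIL line per depot and
# returns the number of failures, so 0 means every depot verified.
verify_all() {
    dir="$1"
    key="$2"
    failures=0
    for f in "$dir"/*.depot; do
        [ -e "$f" ] || continue          # directory holds no depots
        if verify_depot "$f" "$key" >/dev/null 2>&1; then
            echo "PASS $f"
        else
            echo "FAIL $f"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}
```

A typical use is `verify_all /var/tmp/patches || exit 1` at the top of a patch-installation script, or `verify_depot /depots/sample.depot /etc/keys/hp_public.pem` when a non-default key is in use; in both cases the swinstall step only runs when the wrapper returns 0.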
Verification of HP-UX Patches
HP-UX patches downloaded from the HP Support Centre website are in the form of tape depots. Any such patch can
be verified using the steps described in "Verifying a signed tape depot".
HP-UX patches included in the HP-UX update release OE media can be verified for their authenticity and integrity
using the steps mentioned in “Verifying a signed directory depot”.
Note: Only the patches included in HP-UX (update) release 1303 or later and posted in HPSC post March 2013 are
signed by HP.
Verification during Ignite or OE update
Verifying the authenticity and integrity of the new OE media DVD while igniting, or while updating the HP-UX OE
level to 1303 or later, is a two-step process. First, the target OE media DVD needs to be mounted on an HP-UX system.
Then the mounted OE bundle can be verified for its authenticity and integrity using the steps described in the
"Verifying a signed directory depot" section.
Conclusion
HP-UX software released from March 2013 onwards is digitally signed by HP, allowing you to distinguish
authorized software from potentially malicious software. This functionality helps you safeguard your
environment from malware.
Terminology
swsign    /usr/sbin/swsign
swverify  /usr/sbin/swverify
AR        HP-UX Application Release
OE        HP-UX Operating Environment
1303      March 2013
HPSC      HP Support Centre (https://spp-pro-site1-athp.austin.hp.com/portal/site/hpsc/public)