pkgadm(1M)
NAME
pkgadm - manage packaging and patching system
SYNOPSIS
pkgadm addcert [-ty] [-a app] [-k keystore] [-e keyfile]
[-f format] [-n name] [-P passarg] [-p import_passarg]
[-R rootpath] certfile
pkgadm removecert [-a app] [-k keystore] -n name
[-P passarg] [-R rootpath]
pkgadm listcert [-a app] [-f format] [-k keystore] -n name
[-P passarg] [-o outfile] [-R rootpath]
pkgadm -V
pkgadm -?
DESCRIPTION
The pkgadm utility is used for managing the packaging and
patching system. It has several subcommands that perform
various operations relating to packaging. The pkgadm command
includes subcommands for managing certificates and keys
used.
Managing Keys and Certificates
pkgadm maintains the packaging-system-wide keystore in
/var/sadm/security, and individual user's certificates in
~/.pkg/security. The following subcommands operate on the
package keystore database:
addcert
Add (import) a certificate into the database, with
optional trust. Once added, trusted certificates can
be used to verify signed packages and patches.
Non-trusted user certificates and their associated keys
can be used to sign packages and patches. Added user
certificates are not used to build certificate chains
during certificate verification.
removecert
Removes a user certificate/private key pair, or a
trusted certificate authority certificate from the
keystore. Once removed, the certificate and keys
cannot be used.
listcert
Print details of one or more certificates in the
keystore.
OPTIONS
The following options are supported:
-a app
If this option is used, then the command only affects
the keystore associated with a particular application.
Otherwise, the global keystore is affected.
-e keyfile
When adding a non-trusted certificate/key combination,
this option can be used to specify the file that
contains the private key. If this option is not used, the
private key must be in the same file as the
certificate being added.
-f format
When adding certificates, this specifies the format to
expect certificates and private keys in. Possible
values when adding are:
pem Certificate and any private key use PEM encoding.
der Certificate and any private key use DER encoding.
When printing certificates, this specifies the output
format used when printing. Acceptable values for
format are:
pem Output each certificate using PEM encoding.
der Output each certificate using DER encoding.
text Output each certificate in human-readable format.
-k keystore
Overrides the default location used when accessing the
keystore.
-n name
Identifies the entity in the store on which you want
to operate. When adding a user certificate, or
removing certificates, this name is required. The name is
associated with the certificate/key combination, and
when adding, can be used later to reference the
entity. When printing certificates, if no alias is
supplied, then all keystore entities are printed.
-o outfile
Output the result of the command to outfile. Only used
when examining (printing) certificates from the key
store. Standard out is the default.
-P passarg
Password retrieval method to use to decrypt keystore
specified with -k, if required. See PASS PHRASE
ARGUMENTS in pkgadd(1M) for more information about the
format of this option's argument. console is the
default.
-p import_passarg
This option's argument is identical to -P, but is used
for supplying the password used to decrypt the
certificate and/or private key being added. console is the
default.
-R rootpath
Defines the full name of a directory to use as the
root (/) path. The default user location of the
certificate operations is ${HOME}/.pkg. If the -R option is
supplied, the certificates and keys will be stored
under <altroot>/var/sadm/security. Note that this
operation fails if the user does not have sufficient
permissions to access this directory. The listcert
command requires read permission, while addcert and
removecert require both read and write permission.
-t Indicates the certificate being added is a trusted CA
certificate. The details of the certificate (including
the Subject Name, Validity Dates, and Fingerprints)
are printed and the user is asked to verify the data.
This verification step can be skipped with -y. When
importing a trusted certificate, a private key should
not be supplied, and will be rejected if supplied.
Once a certificate is trusted, it can be used as a
trust anchor when verifying future untrusted
certificates.
-V Print version associated with packaging tools.
-y When adding a trusted certificate, the details of the
certificate (Subject name, Issuer name, Validity
dates, Fingerprints) are shown to the user and the
user is asked to verify the correctness before
proceeding. With -y, this additional verification step
is skipped.
-? Print help message.
OPERANDS
The following operand is supported:
certfile
File containing the certificate and optional private
key, used when adding a trust anchor or
certificate/key combination. Certificates must be
encoded using PEM or binary DER.
KEYSTORE ALIASES
All keystore entries (user cert/key and trusted certificate
entries) are accessed via unique aliases. Aliases are
case-sensitive.
An alias is specified when you add an entity to a keystore
using the addcert or trustcert subcommand. If an alias is
not supplied for a trust anchor, the trust anchor's Common
Name is used as the alias. An alias is required when adding
a signing certificate or chain certificate. Subsequent
pkgcert or other package tool commands must use this same
alias to refer to the entity.
KEYSTORE PASSWORDS
See pkgadd(1M) for a description of the passwords supplied
to this utility.
EXAMPLES
Example 1: Adding a Trust Anchor
The following example adds a well-known and trusted
certificate to be used when verifying signatures on packages.
example% pkgadm addcert -t /tmp/certfile.pem
Example 2: Adding a Signing Certificate
The following example adds a signing certificate and
associated private key, each of which is in a separate file,
which can then be used to sign packages.
example% pkgadm addcert -a pkgtrans -e /tmp/keyfile.pem \
/tmp/certfile.pem
Example 3: Printing Certificates
The following example prints all certificates in the root
keystore.
example% pkgadm listcert
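The following is an added example, not part of the original manual page. Because -y suppresses the interactive review of a trust anchor's details described under -t, a script can compare the certificate's SHA-256 fingerprint with a value obtained out of band before it runs pkgadm addcert -t -y. It assumes openssl(1) is installed and the certificate is PEM encoded; normalize_fp, fp_matches and add_trust_anchor are hypothetical helper names.

```shell
#!/bin/sh
# Added example: pin a CA certificate's fingerprint before a
# non-interactive "pkgadm addcert -t -y".
# Assumptions: openssl(1) is available; certfile is PEM encoded.

# normalize_fp: reduce "sha256 Fingerprint=AB:CD:.." or "ab:cd:.."
# to bare upper-case hex ("ABCD..") so two spellings compare equal.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# fp_matches EXPECTED ACTUAL: succeed only on a non-empty exact match.
fp_matches() {
    want=$(normalize_fp "$1")
    got=$(normalize_fp "$2")
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# add_trust_anchor CERTFILE EXPECTED_SHA256 [pkgadm addcert options...]
add_trust_anchor() {
    certfile=$1; expected=$2; shift 2
    actual=$(openssl x509 -noout -fingerprint -sha256 -in "$certfile") || {
        echo "cannot parse $certfile" >&2; return 2; }
    if ! fp_matches "$expected" "$actual"; then
        echo "fingerprint mismatch for $certfile, not importing" >&2
        return 1
    fi
    # -y hides the confirmation prompt, so record the details ourselves.
    openssl x509 -noout -subject -issuer -dates -in "$certfile"
    pkgadm addcert -t -y "$@" "$certfile"
}

# Usage (PINNED_SHA256 is a constructed variable holding the pinned value):
#   add_trust_anchor /tmp/certfile.pem "$PINNED_SHA256"
```

A mismatch returns 1 and an unparsable file returns 2, in both cases before pkgadm is invoked, so the keystore is left unchanged.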
EXIT STATUS
0 successful completion
non-zero
fatal error
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWpkgcmdsu |
|_____________________________|_____________________________|
| Interface Stability | Evolving |
|_____________________________|_____________________________|
SEE ALSO
pkginfo(1), pkgmk(1), pkgparam(1), pkgproto(1), pkgtrans(1),
installf(1M), pkgadd(1M), pkgask(1M), pkgrm(1M),
removef(1M), admin(4), pkginfo(4), attributes(5)
Application Packaging Developer's Guide