pkgadm(1M)




NAME

     pkgadm - manage packaging and patching system


SYNOPSIS

     pkgadm addcert [-ty] [-a app] [-k keystore] [-e keyfile]
     [-f format] [-n name] [-P passarg] [-p import_passarg]
     [-R rootpath] certfile

     pkgadm removecert [-a app] [-k keystore] -n name [-P passarg]
     [-R rootpath]

     pkgadm listcert [-a app] [-f format] [-k keystore] -n name
     [-P passarg] [-o outfile] [-R rootpath]

     pkgadm -V

     pkgadm -?


DESCRIPTION

     The pkgadm utility is used for managing  the  packaging  and
     patching  system.  It  has  several subcommands that perform
     various operations relating to packaging. The pkgadm command
     includes  subcommands  for  managing  certificates  and keys
     used.

  Managing Keys and Certificates
     pkgadm  maintains  the  packaging-system-wide  keystore   in
     /var/sadm/security,  and  individual  user's certificates in
     ~/.pkg/security. The following subcommands  operate  on  the
     package keystore database:

     addcert
           Add (import) a certificate  into  the  database,  with
           optional  trust.  Once added, trusted certificates can
           be used to verify signed packages and patches.
           Non-trusted user certificates and their associated keys
           can be used to sign packages and patches.  Added  user
           certificates  are not used to build certificate chains
           during certificate verification.

     removecert
           Removes a user  certificate/private  key  pair,  or  a
           trusted  certificate  authority  certificate  from the
           keystore. Once removed, the certificate and keys
           cannot be used.

     listcert
           Print details of one or more certificates in the
           keystore.


OPTIONS


     The following options are supported:

     -a app
           If this option is used, then the command only  affects
           the keystore associated with a particular application.
           Otherwise, the global keystore is affected.

     -e keyfile
           When adding a non-trusted certificate/key combination,
           this option can be used to specify the file that
           contains the private key. If this option is not used,
           the private key must be in the same file as the
           certificate being added.

     -f format
           When adding certificates, this specifies the format to
           expect  certificates  and  private  keys  in. Possible
           values when adding are:

           pem   Certificate and any private key uses PEM
                 encoding.

           der   Certificate and any private key uses DER
                 encoding.

           When printing certificates, this specifies the  output
           format used when printing. Acceptable values for
           format are:

           pem   Output each certificate using PEM encoding.

           der   Output each certificate using DER encoding.

           text  Output each certificate in human-readable
                 format.

     -k keystore
           Overrides the default location used when accessing the
           keystore.

     -n name
           Identifies the entity in the store on which  you  want
           to operate. When adding a user certificate, or
           removing certificates, this name is required. The name is
           associated  with  the certificate/key combination, and
           when adding,  can  be  used  later  to  reference  the
           entity.  When  printing  certificates,  if no alias is
           supplied, then all keystore entities are printed.

     -o outfile
           Output the result of the command to outfile. Only used
           when examining (printing) certificates from the
           keystore. Standard out is the default.

     -P passarg
           Password retrieval method to use to  decrypt  keystore
           specified with -k, if required. See PASS PHRASE
           ARGUMENTS in pkgadd(1M) for more information about the
           format  of  this  option's  argument.  console  is the
           default.

     -p import_passarg
           This option's argument is identical to -P, but is used
           for supplying the password used to decrypt the
           certificate and/or private key being added. console is the
           default.

     -R rootpath
           Defines the full name of a directory  to  use  as  the
           root (/) path. The default user location of the
           certificate operations is ${HOME}/.pkg. If the -R option is
           supplied,  the  certificates  and  keys will be stored
           under  <altroot>/var/sadm/security.  Note  that   this
           operation  fails  if the user does not have sufficient
           permissions to access  this  directory.  The  listcert
           command  requires  read  permission, while addcert and
           removecert require both read and write permission.

     -t    Indicates the certificate being added is a trusted  CA
           certificate. The details of the certificate (including
           the Subject Name, Validity  Dates,  and  Fingerprints)
           are  printed and the user is asked to verify the data.
           This verification step can be skipped  with  -y.  When
           importing  a trusted certificate, a private key should
           not be supplied, and will  be  rejected  if  supplied.
           Once  a  certificate  is  trusted, it can be used as a
           trust anchor when verifying future untrusted
           certificates.

     -V    Print version associated with packaging tools.

     -y    When adding a trusted certificate, the details of  the
           certificate   (Subject  name,  Issuer  name,  Validity
           dates, Fingerprints) are shown to  the  user  and  the
           user   is  asked  to  verify  the  correctness  before
           proceeding. With -y, this additional verification step
           is skipped.

     -?    Print help message.


OPERANDS


     The following operand is supported:

     certfile
           File containing the certificate and  optional  private
           key,    used   when   adding   a   trust   anchor   or
           certificate/key  combination.  Certificates  must   be
           encoded using PEM or binary DER.


KEYSTORE ALIASES

     All keystore entries (user cert/key and trusted  certificate
     entries) are accessed via unique aliases. Aliases are
     case-sensitive.

     An alias is specified when you add an entity to  a  keystore
     using  the  addcert  or trustcert subcommand. If an alias is
     not supplied for a trust anchor, the trust  anchor's  Common
     Name  is used as the alias. An alias is required when adding
     a  signing  certificate  or  chain  certificate.  Subsequent
     pkgcert  or  other  package tool commands must use this same
     alias to refer to the entity.


KEYSTORE PASSWORDS

     See pkgadd(1M) for a description of the  passwords  supplied
     to this utility.


EXAMPLES

     Example 1: Adding a Trust Anchor

     The following example adds a well-known and trusted
     certificate to be used when verifying signatures on packages.

     example% pkgadm addcert -t /tmp/certfile.pem

     Example 2: Adding a Signing Certificate

     The following example adds a signing certificate and
     associated private key, each of which is in a separate file, which
     can then be used to sign packages.

     example% pkgadm addcert -a pkgtrans -e /tmp/keyfile.pem \
     /tmp/certfile.pem

     Example 3: Printing Certificates

     The following example prints all certificates  in  the  root
     keystore.

     example% pkgadm listcert
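
     Because -y skips the interactive fingerprint review that -t
     performs, a scripted import should pin the fingerprint itself.
     The following is an added example, not part of the original
     manual page. It assumes openssl is installed, the certificate
     is PEM encoded, and the expected SHA-256 fingerprint was
     obtained out of band; the function names and the PKGADM
     override are hypothetical.

```shell
#!/bin/sh
# Added example: pin a CA certificate's SHA-256 fingerprint before a
# non-interactive "pkgadm addcert -t -y" import.
# Assumptions: openssl is installed; the certificate is PEM encoded;
# PKGADM may be overridden (for example PKGADM=echo) for a dry run.

PKGADM=${PKGADM:-pkgadm}

# Strip any "name=" prefix, colons and whitespace; upper-case hex digits.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Succeeds only if both values normalize to the same 64 hex digits,
# so a truncated or empty expected value can never match.
fp_equal() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case $a in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# usage: import_trust_anchor certfile expected_sha256 [name]
# returns 0 on import, 1 on fingerprint mismatch, 2 if the file is unusable
import_trust_anchor() {
    cert=$1
    expected=$2
    name=${3:-}
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    actual=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 2>/dev/null) || {
        echo "cannot parse $cert as a PEM certificate" >&2; return 2; }
    if ! fp_equal "$expected" "$actual"; then
        echo "fingerprint mismatch for $cert; not importing" >&2
        return 1
    fi
    # -y skips pkgadm's own confirmation prompt; the check above replaces it.
    if [ -n "$name" ]; then
        "$PKGADM" addcert -t -y -f pem -n "$name" "$cert"
    else
        "$PKGADM" addcert -t -y -f pem "$cert"
    fi
}
```

     A non-zero return from import_trust_anchor means nothing was
     added to the keystore, matching the EXIT STATUS convention below.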


EXIT STATUS

     0     successful completion

     non-zero
           fatal error


ATTRIBUTES

     See attributes(5) for descriptions of the following
     attributes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWpkgcmdsu                |
    |_____________________________|_____________________________|
    | Interface Stability         | Evolving                    |
    |_____________________________|_____________________________|


SEE ALSO

     pkginfo(1), pkgmk(1), pkgparam(1), pkgproto(1), pkgtrans(1),
     installf(1M),     pkgadd(1M),     pkgask(1M),     pkgrm(1M),
     removef(1M), admin(4), pkginfo(4), attributes(5)

     Application Packaging Developer's Guide

