Configuring package security
The delivery of packages, from the mirror you download from up to the install, can be secured with a GPG-signed catalog that contains an md5 hash for each package. The hashes bind each package file to the catalog, and the signature binds the catalog to OpenCSW, so together they ensure that the delivered packages are identical to the officially released ones. Note that the hashes alone prove nothing: a mirror operator who can alter a package can also rewrite an unsigned hash list, so the signature check on the catalog is the step that actually matters.
Installation
You can install the OpenCSW PKI package:
# /opt/csw/bin/pkgutil -i CSWcswpki
You may also want to trust the key:
# /opt/csw/bin/gpg --edit-key board@opencsw.org trust
GPG public key
Key fingerprint:
4DCE 3C80 AAB2 CAB1 E60C 9A3C 05F4 2D66 9306 CC77
Here is the public key used to sign the catalog files, so that package integrity can be verified across mirror sites. The signature ensures that the md5 hashes in the catalog have not been tampered with, which in turn ensures that the binaries themselves have not been altered.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (SunOS)

mQGiBE5d010RBACFnuTZNy8HN/exJ6yZxbNpguC7km/wepcr8LEu5kqWW0ZEdnTW
NP3rfS3NN/TrKQ26/32fk0Xnd7N/ce30Y5nqf+W/oqZuPnAGvY75yDAfKB2zMRkr
n6rmFAanQQgPGvHUAGM3TSw1ILgkMiuFasn+TwdnjeIIOZcMfv/TV5mHEwCg8l63
/6AdQYumwOzqQ4nmPhMwLSMD/0IZ1EzrjB/j42d8JeBtD+PKQnB8zDiihQjcB/A+
fSUhkZF64k8c0qZcvrr8qGc2oHID6j5wXpOeVm2UnddsqcDws8zloIQt3c0uvQOM
xPSBvanFXElw2HFtqIoGUF0WE6KAdGdKFY29VGtfxsajBa9pxgGuzC5tYOVJwUYd
3w+sA/42hzCPTqloNXvu3zALbjg3W5yJqbhfGkSPdUKkFk0q7ZDlcPwZl6wQFCAu
Oe+6qVdfnrfQbD3bx4Hmozp7cbvzbXHbHkEVIsYOf3zESsKyYq0mJm/7FUgw06o0
83sQjXkQXGF5ERFiMYyfgMmJdqG5kI9PI+R9UEbetdT8S51+U7QrT3BlbkNTVyBj
YXRhbG9nIHNpZ25pbmcgPGJvYXJkQG9wZW5jc3cub3JnPohgBBMRAgAgBQJOXdNd
AhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQBfQtZpMGzHdr7ACdF3C0JdyP
0hG957g0hhX3z4kE8JQAn0ADOEp714+RADXd2EgPny8L4yIMuQINBE5d010QCAD8
4qkJn9v3ZuZ7UHAyn9kmvoHfIbydAsOa8X8/K110OuXNxFQOcExczv/8wNONkbUP
vQrpXAxWkDN6GefPRElrZrco3Z2wGNiRtcqqMhatBpp66FQbrVXH2vd/tSjT16tO
wh7PTTLJOb31dbN5vS2+CW5oDrVBgWHCdqbszHPToORuKSitWvcWA4AWxzf5KyMK
ola8Wwn2kEsV7pEPewgOOOWwCvA2VO9y34ArolENO0i7Zlwn94LNj6lfLnnZAwtQ
haAJgG3W/ay3Tose2KBKeXurQTf+7pRqnTDAWx61ewXoJH3k2e90Y6l1Sew8OSYh
53uTr3W1iyHXq0HET1dHAAMFB/4hSyoBAk2PThgAT7vpdVX/ZPt45vkTg3BueBiz
A4td2i2nbAarsh5qfOGJAqpsDH9BWVcbPvl/OM6tojKiis5U/Q9JB6cEu2UwTMmc
8wPhdTFKaJ+LY557haMu4kL1EygxnoMfQ3NPyivQPRAQILnYrKOLmYQ0q+rALVjQ
HNpcwpwbhP0X3Lq0/TNA0y+9SFbvSHCVAmeqJbPCgj9uLo4ghm1qDSSvhIO3jQTK
3ruz6XFsT0VbN9j/QWEcFCPGUkv9IYsCDn/mbvxJO13wTwWHIr2S+pLZQywmoOxV
pJKcdrLvDbT/oLT1b0aAEFIG+tRIN/0fjoihXpkBJVOABKIHiEkEGBECAAkFAk5d
010CGwwACgkQBfQtZpMGzHcq8ACgteZg/dolJUmtr4cQSxT8NEW5hc0AoLAJTdtc
TeAZQJm5uyrisfKrvBSU
=Xg9n
-----END PGP PUBLIC KEY BLOCK-----
gpg verification is optional. If you wish to have the catalog file (with its list of checksums for each package) verified by gpg, save this page and import the public key into root's keyring. After importing, compare the fingerprint gpg reports for the key against the one shown above before you mark the key trusted; a key fetched over plain HTTP is only as trustworthy as that comparison. For example:
# /opt/csw/bin/wget -q -O - http://www.opencsw.org/security/ | /opt/csw/bin/gpg --import -
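The two checks this procedure relies on, comparing the imported key's fingerprint against the one published above and matching each downloaded package against the md5 in the signed catalog, are shown below as an added example. This is not OpenCSW's or pkgutil's own code. It assumes the catalog field layout `common_name version pkgname pkgfile md5 size deps category`, models the outcome of `gpg --verify` on the catalog as a boolean (gpg itself is not invoked here), and uses constructed package bytes rather than a real package file.

```python
import hashlib
import re

# Fingerprint of the OpenCSW catalog signing key, as printed on this page.
EXPECTED_FPR = "4DCE 3C80 AAB2 CAB1 E60C 9A3C 05F4 2D66 9306 CC77"


def normalize_fpr(text):
    """Reduce a fingerprint to bare upper-case hex so that the spaced form
    gpg prints ("Key fingerprint = 4DCE 3C80 ...") and a compact form
    compare equal."""
    if "=" in text:
        text = text.rsplit("=", 1)[1]
    return re.sub(r"\s+", "", text).upper()


def fingerprint_matches(printed, expected=EXPECTED_FPR):
    """True only if the key gpg imported is the one this page publishes."""
    return normalize_fpr(printed) == normalize_fpr(expected)


def md5hex(blob):
    """Hex md5 of a package file's bytes (the digest the catalog carries)."""
    return hashlib.md5(blob).hexdigest()


def parse_catalog(text):
    """Map package file name -> md5 from catalog lines.

    Assumed layout (whitespace separated), an assumption of this example:
      common_name version pkgname pkgfile md5 size deps category
    A line without at least five fields, or with a non-md5 fifth field,
    raises rather than being skipped, so a mangled catalog fails loudly.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5 or not re.fullmatch(r"[0-9a-fA-F]{32}", fields[4]):
            raise ValueError("malformed catalog line %d: %r" % (lineno, line))
        entries[fields[3]] = fields[4].lower()
    return entries


def verify_package(blob, pkgfile, catalog, catalog_signature_ok):
    """Return True if md5(blob) equals the catalog entry for pkgfile.

    catalog_signature_ok stands for the result of `gpg --verify` on the
    catalog. If the signature did not verify, the md5 list may have been
    rewritten along with the package, so the comparison is refused instead
    of silently returning a meaningless True.
    """
    if not catalog_signature_ok:
        raise RuntimeError("catalog signature not verified; md5 list untrusted")
    if pkgfile not in catalog:
        raise KeyError("%s is not listed in the catalog" % pkgfile)
    return md5hex(blob) == catalog[pkgfile]


# Constructed sample data, not real OpenCSW packages or catalog content.
GOOD_PKG = b"\x1f\x8b\x08 constructed stand-in for gzip package bytes\n"
TAMPERED_PKG = GOOD_PKG + b"#"          # one byte appended by a hostile mirror
PKGFILE = "gzip-1.4,REV=2010.01.29-SunOS5.9-sparc-CSW.pkg.gz"
CATALOG_LINE = "gzip 1.4,REV=2010.01.29 CSWgzip %s %s %d CSWcommon utility\n"
SAMPLE_CATALOG = "# constructed catalog excerpt\n" + CATALOG_LINE % (
    PKGFILE, md5hex(GOOD_PKG), len(GOOD_PKG))

if __name__ == "__main__":
    cat = parse_catalog(SAMPLE_CATALOG)
    print("fingerprint ok:", fingerprint_matches(
        "Key fingerprint = " + EXPECTED_FPR))
    print("good package ok:", verify_package(GOOD_PKG, PKGFILE, cat, True))
    print("tampered detected:", not verify_package(TAMPERED_PKG, PKGFILE, cat, True))
```

The order of operations matters: verify the catalog signature first, then check fingerprints and md5s. Running the md5 comparison against an unverified catalog is the mistake the `catalog_signature_ok` guard exists to catch.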