Configuring package security

Delivery of packages, from the mirror you download from up to the install, can be secured by using a GPG-signed catalog. The catalog contains an md5 hash for each package, so a package that reaches you can be checked against the hash OpenCSW published, ensuring that the delivered packages are identical to the officially released ones. The signature is what makes the scheme hold: an unsigned checksum list offers no protection, because whoever can alter a package on a mirror can rewrite the checksum next to it.

Installation

You can install the OpenCSW PKI package:

# /opt/csw/bin/pkgutil -i CSWcswpki

You may also want to mark the key as trusted (this starts an interactive gpg session in which you choose a trust level):

# /opt/csw/bin/gpg --edit-key [email protected] trust

GPG public key

Key fingerprint:

4DCE 3C80 AAB2 CAB1 E60C  9A3C 05F4 2D66 9306 CC77

Here is the public key, which is used to sign the catalog files so that package integrity can be verified across mirror sites. The signature ensures that the md5 hashes have not been tampered with, which in turn ensures that the binaries themselves have not been altered.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (SunOS)
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=Xg9n
-----END PGP PUBLIC KEY BLOCK-----

gpg verification is optional. If you wish to have the catalog file (with its list of checksums for each package) verified by gpg, save this page and add the public key to root's keyring. For example:

# /opt/csw/bin/wget -q -O - http://www.opencsw.org/security/ | /opt/csw/bin/gpg --import -

Note that this fetches the key over plain http, so the import itself is not authenticated. After importing, confirm that the key now in the keyring carries exactly the fingerprint listed above (for example with /opt/csw/bin/gpg --fingerprint) before trusting it: a catalog signature that verifies against some other key proves nothing about the packages.
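The following script is an added example, not code from OpenCSW or pkgutil, that performs the whole chain described on this page by hand: it checks that the imported key has the published fingerprint, checks that the catalog signature was made by that key (not merely by some key in the keyring), looks up a package's md5 in the catalog and compares it with the file actually downloaded. It assumes a catalog whose lines are whitespace-separated with the package file name in the fourth field and the md5 in the fifth, a detached signature stored as catalog.gpg next to the catalog, and whichever md5 tool the host has (GNU md5sum, Solaris digest, or openssl); the field positions, the signature file name and the sample file names are assumptions, not something this page states.

```shell
#!/bin/sh
# Added example, not OpenCSW's own code. Verifies the chain
#   pinned key -> signed catalog -> md5 in catalog -> downloaded package.
# Assumptions (not stated on the page): catalog lines are whitespace
# separated with the file name in field 4 and the md5 in field 5, and
# the catalog signature is detached in "<catalog>.gpg".

# Fingerprint published on this page, written without spaces.
OPENCSW_FPR="4DCE3C80AAB2CAB1E60C9A3C05F42D669306CC77"

# md5_of_file FILE: print the hex md5 digest of FILE using whatever
# tool the host has (GNU md5sum, Solaris digest, or openssl).
md5_of_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    elif command -v digest >/dev/null 2>&1; then
        digest -a md5 "$1"
    else
        openssl dgst -md5 "$1" | awk '{ print $NF }'
    fi
}

# catalog_md5 CATALOG FILENAME: print the md5 the catalog records for
# FILENAME; exit status 1 when the file is not listed at all.
catalog_md5() {
    awk -v f="$2" '$4 == f { print $5; found = 1 } END { exit !found }' "$1"
}

# verify_pkg CATALOG PKGFILE: exit 0 only if PKGFILE's basename is in
# the catalog and the file's md5 matches the recorded one.
verify_pkg() {
    _want=$(catalog_md5 "$1" "$(basename "$2")") || {
        echo "verify_pkg: $2 is not listed in $1" >&2
        return 1
    }
    _got=$(md5_of_file "$2")
    if [ "$_want" = "$_got" ]; then
        return 0
    fi
    echo "verify_pkg: md5 mismatch for $2 (catalog $_want, file $_got)" >&2
    return 1
}

# key_fingerprint_present: exit 0 if a key in the current keyring has
# exactly the fingerprint published above. Run this after "gpg --import",
# because the key itself was fetched over plain http.
key_fingerprint_present() {
    gpg --with-colons --fingerprint 2>/dev/null \
        | grep -q "^fpr:.*:$OPENCSW_FPR:"
}

# verify_catalog CATALOG: exit 0 only if CATALOG.gpg is a good signature
# AND was made by the pinned key. A bare "gpg --verify" exits 0 for a
# good signature from any key in the keyring, so the VALIDSIG status
# line is matched against the fingerprint (signing subkey or primary)
# instead of trusting the exit code alone.
verify_catalog() {
    gpg --status-fd 1 --verify "$1.gpg" "$1" 2>/dev/null \
        | grep -Eq "^\[GNUPG:\] VALIDSIG ($OPENCSW_FPR |.* $OPENCSW_FPR\$)"
}

# Typical use once catalog, catalog.gpg and the package are on disk
# (file names illustrative):
#   key_fingerprint_present && verify_catalog ./catalog \
#       && verify_pkg ./catalog ./foo-1.0-SunOS5.10-i386-CSW.pkg.gz \
#       && echo "package matches the signed catalog"
```

The order matters: a matching md5 only means something once verify_catalog has shown the catalog is the one OpenCSW signed, and verify_catalog only means something once key_fingerprint_present has shown the key in the keyring is the one whose fingerprint this page publishes. If the mirror you use ships a clearsigned catalog instead of a detached signature, replace the gpg invocation with gpg --verify on the catalog itself and strip the armor lines before parsing; that layout is not covered here.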