Digital signature for a self-created fileset (DSB)
If you want to install your own filesets after activating Trusted Installation, you need the following:
- A private key for generating the digital signature of a fileset.
- The public key associated with the private key.
- A DSB at the end of the fileset file.
The public key must be stored under /etc/security/certificates on each AIX system on which the fileset is to be installed. Entries in the dsc_key and dsc_keystore ODMs are not required for the DSB procedure and are not used. The digital signatures are stored in the form of a DSB directly at the end of the fileset files. This also eliminates the need for an entry in the dsc_inventory ODM.
We strongly recommend using the DSB method. The DSC method should no longer be used.
Below we show all necessary steps using a concrete example (fileset pwrcmps.test.dsb).
The generation of the private key and public key was shown earlier (Optional: Generate a digital certificate for Trusted Installation) and is not repeated here. We use the keys from earlier:
- private.pem
- public.pem
We created a new directory called /tmp/unsigned and stored our example fileset there:
$ ls -lA /tmp/unsigned
total 16
-rw-r--r-- 1 root system 234 Aug 16 14:05 .toc
-rw-r--r-- 1 root system 2560 Aug 16 14:04 pwrcmps.test.dsb.1.0.0.0.bff
$
A quick check with dsblkchk shows that the fileset does not contain a DSB:
# dsblkchk -d /tmp /tmp/unsigned/pwrcmps.test.dsb.1.0.0.0.bff
# echo $?
2
#
Note: Exit status 2 indicates the absence of a DSB.
First, we create the digital signature for the fileset using the private key private.pem:
$ openssl dgst -sha256 -sign private.pem -out sign.sha256 /tmp/unsigned/pwrcmps.test.dsb.1.0.0.0.bff
Enter pass phrase for private.pem: XXXXXXXX
$
Note: We created the private key private.pem with a passphrase, which is why the passphrase must be entered when generating the signature.
The public key used for verification must be located in /etc/security/certificates on the target systems! Therefore, we copy our public key public.pem into this directory under the name mypublic.pem:
# cp public.pem /etc/security/certificates/mypublic.pem
#
The public key must be stored once on each system on which the above fileset is to be installed.
The next step is to generate a DSB with the generated signature (sign.sha256) and the public key to be used for verification. IBM provides the dsblkgen command for this purpose. The command has a manual page and is intended as a user command. The command accepts the key type, the generated digital signature, the path to the public key itself, and a file name under which the generated DSB should be saved:
# dsblkgen -f LOC sign.sha256 /etc/security/certificates/mypublic.pem dsb
#
Note: The type LOC indicates that the specified path to the public key should be stored in the DSB to be generated (file dsb, last argument).
The generated DSB is approximately 1 KB in size and consists of binary information. Let’s take a quick look at this binary file using od:
$ od -xa dsb
0000000 494e 5554 5545 5945 0000 0500 0000 0000
I N U T U E Y E nul nul enq nul nul nul nul nul
0000020 0000 0100 0000 0200 0000 0300 0000 0100
nul nul soh nul nul nul stx nul nul nul etx nul nul nul soh nul
0000040 0000 0002 0000 0000 0000 0000 0000 0000
nul nul nul stx nul nul nul nul nul nul nul nul nul nul nul nul
0000060 0000 0000 0000 0000 0000 0000 0000 0000
nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul
*
0000400 2a57 338e 018a 5986 6919 15e5 5ee6 b2c4
* W 3 so soh lf Y ack i em nak e ^ f 2 D
0000420 6abf 2fe4 1a84 bbe0 eea3 02ab 2e15 acd3
j ? / d sub eot ; ` n # stx + . nak , S
0000440 85be 9e45 948d a706 8baf 6ca6 7104 8aed
enq > rs E dc4 cr ' ack vt / l & q eot lf m
0000460 8e66 f320 4bc5 0204 a915 1277 61da 12a1
so f s sp K E stx eot ) nak dc2 w a Z dc2 !
0000500 d37c bae2 11bd d225 248d a800 6567 417a
S | : b dc1 = R % $ cr ( nul e g A z
0000520 c909 b9c0 3465 c19e bada 13bd 09da dc00
I ht 9 @ 4 e A rs : Z dc3 = ht Z \ nul
0000540 2563 c1bf dd68 1ed9 e5a3 45f6 379c f2a2
% c A ? ] h rs Y e # E v 7 fs r "
0000560 7ea9 115a ba54 8e7a ebed 8326 17ef c600
~ ) dc1 Z : T so z k m etx & etb o F nul
0000600 f447 b3aa 3620 dc38 0e8e f796 a381 1f88
t G 3 * 6 sp \ 8 so so w syn # soh us bs
0000620 655d 35f0 446e ffe8 4058 0eac 2586 0e03
e ] 5 p D n del h @ X so , % ack so etx
0000640 9141 779f d30c 9287 4a97 29c8 3fb7 458f
dc1 A w us S ff dc2 bel J etb ) H ? 7 E si
0000660 400f 98fb 2124 908b e9f4 37b8 a61f 3a2e
@ si can { ! $ dle vt i t 7 8 & us : .
0000700 6c36 d2cc 9fa0 c171 f624 9f1d f0a9 a668
l 6 R L us sp A q v $ us gs p ) & h
0000720 7804 9f31 a20b 26da 7a7b d2f7 caa9 148a
x eot us 1 " vt & Z z { R w J ) dc4 lf
0000740 0258 a011 71e3 7c7e 46ff 382b bdf0 5d3a
stx X sp dc1 q c | ~ F del 8 + = p ] :
0000760 9da8 17d2 666c 976a ce41 75b7 13c0 d80b
gs ( etb R f l etb j N A u 7 dc3 @ X vt
0001000 0000 0000 0000 0000 0000 0000 0000 0000
nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul
*
0001400 2f65 7463 2f73 6563 7572 6974 792f 6365
/ e t c / s e c u r i t y / c e
0001420 7274 6966 6963 6174 6573 2f6d 7970 7562
r t i f i c a t e s / m y p u b
0001440 6c69 632e 7065 6d00 0000 0000 0000 0000
l i c . p e m nul nul nul nul nul nul nul nul nul
0001460 0000 0000 0000 0000 0000 0000 0000 0000
nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul
*
0002360 0000 0000 0000 0500 494e 5554 5545 5945
nul nul nul nul nul nul enq nul I N U T U E Y E
0002400
$
The DSB eye catcher (“INUTUEYE”) appears at the beginning and end of the DSB. The first part of the DSB contains the digital signature from the sign.sha256 file, and the last part contains the path to the public key (/etc/security/certificates/mypublic.pem).
In the final step, the generated DSB must be appended to the fileset file. In the simplest case, this can be done with a “cat” command and output redirection with “>>”:
# ls -l pwrcmps.test.dsb.1.0.0.0.bff
-rw-r--r-- 1 root system 2560 Aug 16 14:26 pwrcmps.test.dsb.1.0.0.0.bff
# cat dsb >>pwrcmps.test.dsb.1.0.0.0.bff
# ls -l pwrcmps.test.dsb.1.0.0.0.bff
-rw-r--r-- 1 root system 3840 Aug 16 14:26 pwrcmps.test.dsb.1.0.0.0.bff
#
However, we have created a separate subdirectory /tmp/signed for the signed version of the fileset and use the following version of “cat”:
# cat /tmp/unsigned/pwrcmps.test.dsb.1.0.0.0.bff dsb >/tmp/signed/pwrcmps.test.dsb.1.0.0.0.bff
#
If you compare the two fileset versions, you can see that the version with DSB is slightly larger:
$ ls -l /tmp/*signed/pwrcmps.test.dsb.1.0.0.0.bff
-rw-r--r-- 1 root system 3840 Aug 16 14:28 /tmp/signed/pwrcmps.test.dsb.1.0.0.0.bff
-rw-r--r-- 1 root system 2560 Aug 16 14:04 /tmp/unsigned/pwrcmps.test.dsb.1.0.0.0.bff
$
Before we try to install our own fileset, we briefly check the signature manually:
# dsblkchk -d /tmp /tmp/signed/pwrcmps.test.dsb.1.0.0.0.bff
# echo $?
0
#
The verification was successful (exit status 0). A DSB was found, and the contained digital signature could be verified.
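As an independent cross-check of the steps above, the following added example (not part of the original walkthrough and not an IBM tool) splits a signed fileset into payload and DSB, reports the key path stored in the DSB, and verifies the signature with openssl. The offsets are assumptions read off the od dump of this one DSB, and make_test_dsb is a hypothetical helper that builds a constructed stand-in trailer for trying the functions without dsblkgen.

```shell
#!/bin/sh
# Added example, not an IBM tool. Offsets are read off the od dump above (assumptions):
# DSB = 1280 bytes framed by "INUTUEYE", 256-byte signature at offset 256,
# NUL-terminated key path at offset 768.
DSB_SIZE=1280 SIG_OFF=256 SIG_LEN=256 PATH_OFF=768 EYE=INUTUEYE

hex() { od -An -tx1 | tr -d ' \n'; }
fsize() { echo $(($(wc -c <"$1"))); }

# has_dsb FILE: succeeds if FILE ends in a DSB-sized trailer with both eye catchers.
has_dsb() {
    want=$(printf %s "$EYE" | hex)
    [ "$(fsize "$1")" -gt "$DSB_SIZE" ] || return 1
    [ "$(tail -c "$DSB_SIZE" "$1" | head -c 8 | hex)" = "$want" ] &&
        [ "$(tail -c 8 "$1" | hex)" = "$want" ]
}

# dsb_key_path FILE: print the public-key path recorded in the trailer.
dsb_key_path() {
    tail -c "$DSB_SIZE" "$1" | dd bs=1 skip="$PATH_OFF" 2>/dev/null |
        tr '\000' '\n' | head -n 1
}

# verify_dsb_fileset FILE PUBKEY: 0 = signature valid, 1 = invalid, 2 = no DSB
# (2 mirrors the dsblkchk status shown above).
verify_dsb_fileset() {
    has_dsb "$1" || return 2
    work=$(mktemp -d) || return 3
    head -c $(($(fsize "$1") - DSB_SIZE)) "$1" >"$work/payload"
    tail -c "$DSB_SIZE" "$1" | dd bs=1 skip="$SIG_OFF" count="$SIG_LEN" \
        2>/dev/null >"$work/sig"
    if openssl dgst -sha256 -verify "$2" -signature "$work/sig" \
        "$work/payload" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -rf "$work"
    return "$rc"
}

# make_test_dsb SIGFILE KEYPATH OUT: constructed stand-in for dsblkgen output that
# fills only the fields read above; the other header words stay zero.
make_test_dsb() {
    { printf %s "$EYE"; head -c 248 /dev/zero; cat "$1"; head -c 256 /dev/zero
      printf %s "$2"; head -c $((504 - ${#2})) /dev/zero; printf %s "$EYE"; } >"$3"
}
```

Against the signed fileset from this walkthrough the call would be verify_dsb_fileset /tmp/signed/pwrcmps.test.dsb.1.0.0.0.bff /etc/security/certificates/mypublic.pem; dsblkchk remains the authoritative check.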
Finally, we install our fileset:
# inutoc /tmp/signed
# chsignpolicy -p
#signpolicy
high
# installp -ad /tmp/signed pwrcmps.test.dsb
...
Verifying known package signatures of install source: /tmp/signed
Please wait...
+-----------------------------------------------------------------------------+
Installing Software...
+-----------------------------------------------------------------------------+
installp: APPLYING software for:
pwrcmps.test.dsb 1.0.0.0
Finished processing all filesets. (Total time: 0 secs).
+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+
Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
pwrcmps.test.dsb 1.0.0.0 USR APPLY SUCCESS
#
The fileset was successfully installed under Trusted Installation. Additional custom filesets can be assigned a DSB in the same way.