Under Construction
Generating the digital signature of a fileset and adding it to the DSC
We’ll demonstrate how to create a digital signature using the fileset pwrcmps.test.dsc, which we created specifically for this purpose. For this demonstration, we copied the fileset’s BFF file to a separate directory (/tmp/lpps) and created a .toc file there:
$ ls -al /tmp/lpps
total 40
drwxr-xr-x 2 root system 256 Jul 28 19:05 ./
drwxrwxrwt 53 bin bin 8192 Jul 28 19:05 ../
-rw-r--r-- 1 root system 226 Jul 28 19:05 .toc
-rw-r--r-- 1 root system 6144 Jul 28 19:05 pwrcmps.test.dsc.1.0.0.0.bff
$
A verification with pkgverify is unsuccessful:
# pkgverify /tmp/lpps/pwrcmps.test.dsc.1.0.0.0.bff
# echo $?
6
#
Accordingly, an installation with Trusted Installation (signpolicy=high) fails:
# chsignpolicy -p
#signpolicy
high
# installp -ad /tmp/lpps pwrcmps.test.dsc
+-----------------------------------------------------------------------------+
Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...
SUCCESSES
---------
Filesets listed in this section passed pre-installation verification
and will be installed.
Selected Filesets
-----------------
pwrcmps.test.dsc 1.0.0.0 # fileset to test trusted inst...
<< End of Success Section >>
+-----------------------------------------------------------------------------+
BUILDDATE Verification ...
+-----------------------------------------------------------------------------+
Verifying build dates...done
FILESET STATISTICS
------------------
1 Selected to be installed, of which:
1 Passed pre-installation verification
----
1 Total to be installed
Verifying known package signatures of install source: /tmp/lpps
Please wait...
FAILURE: Package /tmp/lpps/pwrcmps.test.dsc.1.0.0.0.bff failed signature verification.
#
For the fileset verification to be successful, an entry in the ODM dsc_inventory with the fileset’s digital signature is required. Each entry in this ODM has the following fields:
# ODMDIR=/usr/lib/objrepos odmshow dsc_inventory
class dsc_inventory {
char pkg_name[145]; /* offset: 0xc ( 12) */
char lpp_name[145]; /* offset: 0x9d ( 157) */
short ver; /* offset: 0x12e ( 302) */
short rel; /* offset: 0x130 ( 304) */
short mod; /* offset: 0x132 ( 306) */
short fix; /* offset: 0x134 ( 308) */
char ftype[4]; /* offset: 0x136 ( 310) */
vchar signature[1024]; /* offset: 0x13c ( 316) */
vchar timestamp[64]; /* offset: 0x140 ( 320) */
link dsc_key dsc_key id key[11]; /* offset: 0x144 ( 324) */
};
/*
descriptors: 10
structure size: 0x158 (344) bytes
data offset: 0x334
population: 18147 objects (18147 active, 0 deleted)
*/
#
The first fields (pkg_name to ftype) are easiest to obtain by using “installp -L”:
# installp -Ld /tmp/lpps
pwrcmps.test.dsc:pwrcmps.test.dsc:1.0.0.0::I:T:::::N:fileset to test trusted installation::::0::
#
This gives you the following values for these fields:
pkg_name = pwrcmps.test.dsc
lpp_name = pwrcmps.test.dsc
ver = 1
rel = 0
mod = 0
fix = 0
ftype = I
The timestamp value requires the date of the BFF file. The easiest way to get this is with “restore -T”. Note that pkgverify uses the TZ=CST6CDT time zone to determine the date! Accordingly, we must also run the restore command using this time zone:
$ TZ=CST6CDT restore -Tqvf /tmp/lpps/pwrcmps.test.dsc.1.0.0.0.bff 2>&1 | sed -n -e 's/.*backup: //p'
Mon Jul 28 12:03:59 2025
$
However, the timestamp format is not yet entirely correct. Spaces must be replaced with underscores, hyphens “-” are expected instead of “:” as the time separator, and any time zone abbreviation (CDT or CST) must be removed:
$ TZ=CST6CDT restore -Tqvf /tmp/lpps/pwrcmps.test.dsc.1.0.0.0.bff 2>&1 | sed -n -e 's/C[DS]T //' -e 's/.*backup: //p' | tr " :" "_-"
Mon_Jul_28_12-03-59_2025
$
To determine the signature, we use the private key generated in Optional: Generate a digital certificate for Trusted Installation. This key belongs to the certificate with ID 04, so the key field must have the value “04”. The signature is required in Base64 format:
# openssl dgst -sha256 -sign private.pem /tmp/lpps/pwrcmps.test.dsc.1.0.0.0.bff | openssl base64
Enter pass phrase for private.pem: XXXXXXXXXX
gK/z1a1mIOb2eQQ8b8Pn2/nGh7vEs5nyStCk4ABFjN1rDbQGjpBym5DoLrk57xxX
u7UARol8z0pCoO4GtKPtDTro5IfMjgwZQ4pOoO73qXGTZF4vZjlGityMe9eE/4Iv
2rBnxck6y4c6Cqp7ECJBLXbBTWUoGVQUJYZxGh8A9Rfi37TakeQ/TVBwrcgPF+0O
oZvSlq6RJxUwuu24WNCIZMFaXl4M/7MtR+Pt5XYN/3h7j/15DsQxmUF/wojd1rfk
yEPTpitMwEMQ1DxzEjWF7PWXY3vhVB5A4uYmBBOooQxaQWgvnGyfAgkHi4eYFV7O
4KmZfpt3anR64l5nC2fGyg==
#
The output lines must be concatenated into a string because the signature field does not allow line feeds:
# openssl dgst -sha256 -sign private.pem /tmp/lpps/pwrcmps.test.dsc.1.0.0.0.bff | openssl base64 | while read line ; do echo -n $line ; done ; echo
Enter pass phrase for private.pem: XXXXXXXXXX
gK/z1a1mIOb2eQQ8b8Pn2/nGh7vEs5nyStCk4ABFjN1rDbQGjpBym5DoLrk57xxXu7UARol8z0pCoO4GtKPtDTro5IfMjgwZQ4pOoO73qXGTZF4vZjlGityMe9eE/4Iv2rBnxck6y4c6Cqp7ECJBLXbBTWUoGVQUJYZxGh8A9Rfi37TakeQ/TVBwrcgPF+0OoZvSlq6RJxUwuu24WNCIZMFaXl4M/7MtR+Pt5XYN/3h7j/15DsQxmUF/wojd1rfkyEPTpitMwEMQ1DxzEjWF7PWXY3vhVB5A4uYmBBOooQxaQWgvnGyfAgkHi4eYFV7O4KmZfpt3anR64l5nC2fGyg==
#
Note: We created a private key with a passphrase, which must be entered when calculating the signature.
This gives us the values for signature, timestamp and key:
signature = “gK/z1a1mIOb2eQQ8b8Pn2/nGh7vEs5nyStCk4ABFjN1rDbQGjpBym5DoLrk57xxXu7UARol8z0pCoO4GtKPtDTro5IfMjgwZQ4pOoO73qXGTZF4vZjlGityMe9eE/4Iv2rBnxck6y4c6Cqp7ECJBLXbBTWUoGVQUJYZxGh8A9Rfi37TakeQ/TVBwrcgPF+0OoZvSlq6RJxUwuu24WNCIZMFaXl4M/7MtR+Pt5XYN/3h7j/15DsQxmUF/wojd1rfkyEPTpitMwEMQ1DxzEjWF7PWXY3vhVB5A4uYmBBOooQxaQWgvnGyfAgkHi4eYFV7O4KmZfpt3anR64l5nC2fGyg==”
timestamp = “Mon_Jul_28_12-03-59_2025”
key = “04”
We add the required ODM entry to the DSC (ODM dsc_inventory):
# ODMDIR=/usr/lib/objrepos odmadd <<EOF
> dsc_inventory:
> pkg_name = "pwrcmps.test.dsc"
> lpp_name = "pwrcmps.test.dsc"
> ver = 1
> rel = 0
> mod = 0
> fix = 0
> ftype = "I"
> signature = "gK/z1a1mIOb2eQQ8b8Pn2/nGh7vEs5nyStCk4ABFjN1rDbQGjpBym5DoLrk57xxXu7UARol8z0pCoO4GtKPtDTro5IfMjgwZQ4pOoO73qXGTZF4vZjlGityMe9eE/4Iv2rBnxck6y4c6Cqp7ECJBLXbBTWUoGVQUJYZxGh8A9Rfi37TakeQ/TVBwrcgPF+0OoZvSlq6RJxUwuu24WNCIZMFaXl4M/7MtR+Pt5XYN/3h7j/15DsQxmUF/wojd1rfkyEPTpitMwEMQ1DxzEjWF7PWXY3vhVB5A4uYmBBOooQxaQWgvnGyfAgkHi4eYFV7O4KmZfpt3anR64l5nC2fGyg=="
> timestamp = "Mon_Jul_28_12-03-59_2025"
> key = "04"
>
> EOF
#
Verifying the digital signature of the fileset with pkgverify is now successful:
# pkgverify /tmp/lpps/pwrcmps.test.dsc.1.0.0.0.bff
Verified OK
#
This means that the fileset can now be installed successfully even after Trusted Installation has been activated:
# chsignpolicy -p
#signpolicy
high
# installp -ad /tmp/lpps pwrcmps.test.dsc
+-----------------------------------------------------------------------------+
Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...
SUCCESSES
---------
Filesets listed in this section passed pre-installation verification
and will be installed.
Selected Filesets
-----------------
pwrcmps.test.dsc 1.0.0.0 # fileset to test trusted inst...
<< End of Success Section >>
+-----------------------------------------------------------------------------+
BUILDDATE Verification ...
+-----------------------------------------------------------------------------+
Verifying build dates...done
FILESET STATISTICS
------------------
1 Selected to be installed, of which:
1 Passed pre-installation verification
----
1 Total to be installed
Verifying known package signatures of install source: /tmp/lpps
Please wait...
+-----------------------------------------------------------------------------+
Installing Software...
+-----------------------------------------------------------------------------+
installp: APPLYING software for:
pwrcmps.test.dsc 1.0.0.0
Finished processing all filesets. (Total time: 1 secs).
+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+
Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
pwrcmps.test.dsc 1.0.0.0 USR APPLY SUCCESS
#
If a new version of the fileset is created, the above steps must be repeated for the new version.
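Because the whole sequence has to be repeated for every new fileset version, it is worth scripting. The following is an added example, not a script from the original page or from AIX itself. It wraps the manual steps above (field extraction from “installp -L”, timestamp from “restore -T” under TZ=CST6CDT, SHA-256 signature in single-line Base64, odmadd stanza, pkgverify check) into POSIX sh functions. Assumptions, labelled as such: the function names (dsc_fields_from_installp_line, dsc_timestamp_from_restore, dsc_join_lines, dsc_odm_stanza, dsc_sign_fileset) are this example’s own; the “installp -L” line is assumed to carry the package name in field 1, the fileset in field 2, the level in field 3 and the ftype in field 5, exactly as in the sample line shown above; the BFF path, the private key file and the certificate ID are passed as arguments. Only dsc_sign_fileset runs AIX commands; the helpers are pure text transformations, so they can be tried on any system.

```shell
#!/bin/sh
# Added example (not from the original page): automate adding a fileset's
# digital signature to the DSC (ODM dsc_inventory).
# Usage (AIX only):  sh dsc_sign.sh /tmp/lpps/pwrcmps.test.dsc.1.0.0.0.bff private.pem 04
# openssl will prompt for the private key's pass phrase, as on the page.

# Split one "installp -L" line into the ODM fields.  Assumed field positions
# (matching the sample line on the page): 1=pkg_name 2=lpp_name 3=level 5=ftype.
# Prints: pkg_name lpp_name ver rel mod fix ftype
dsc_fields_from_installp_line() {
    printf '%s\n' "$1" | awk -F: '{
        split($3, lvl, ".")
        print $1, $2, lvl[1]+0, lvl[2]+0, lvl[3]+0, lvl[4]+0, $5
    }'
}

# Read "restore -T" output on stdin and emit the DSC timestamp form:
# keep only the "backup:" date, drop a CDT/CST token if present,
# spaces -> "_", ":" -> "-".
dsc_timestamp_from_restore() {
    sed -n -e 's/ C[DS]T / /' -e 's/.*backup: //p' | tr ' :' '_-'
}

# Join the multi-line output of "openssl base64" into a single line,
# because the signature field accepts no line feeds.
dsc_join_lines() {
    tr -d '\n'
}

# Emit the odmadd stanza.  Arguments:
#   pkg_name lpp_name ver rel mod fix ftype signature timestamp keyid
dsc_odm_stanza() {
    printf 'dsc_inventory:\n'
    printf '    pkg_name = "%s"\n'  "$1"
    printf '    lpp_name = "%s"\n'  "$2"
    printf '    ver = %s\n'         "$3"
    printf '    rel = %s\n'         "$4"
    printf '    mod = %s\n'         "$5"
    printf '    fix = %s\n'         "$6"
    printf '    ftype = "%s"\n'     "$7"
    printf '    signature = "%s"\n' "$8"
    printf '    timestamp = "%s"\n' "$9"
    printf '    key = "%s"\n'       "${10}"
}

# Full procedure (needs installp, restore, openssl, odmadd, pkgverify):
#   $1 = BFF file, $2 = private key (PEM), $3 = certificate/key ID (e.g. 04)
dsc_sign_fileset() {
    bff=$1; keyfile=$2; keyid=$3
    dir=$(dirname "$bff")
    # fileset name = BFF basename without the trailing ".V.R.M.F.bff"
    fileset=$(basename "$bff" | sed 's/\.[0-9][0-9.]*\.bff$//')
    # pick this fileset's line from the install source listing
    line=$(installp -Ld "$dir" | awk -F: -v f="$fileset" '$2 == f')
    [ -n "$line" ] || { echo "fileset $fileset not found in $dir" >&2; return 1; }
    set -- $(dsc_fields_from_installp_line "$line")
    ts=$(TZ=CST6CDT restore -Tqvf "$bff" 2>&1 | dsc_timestamp_from_restore)
    sig=$(openssl dgst -sha256 -sign "$keyfile" "$bff" | openssl base64 | dsc_join_lines)
    dsc_odm_stanza "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$sig" "$ts" "$keyid" \
        | ODMDIR=/usr/lib/objrepos odmadd
    pkgverify "$bff"        # should now print "Verified OK"
}

# Run the full procedure only when called with its three arguments.
if [ "$#" -eq 3 ]; then
    dsc_sign_fileset "$@"
fi
```

The script signs exactly the file that pkgverify and installp will later check, so the BFF must not be rebuilt or re-timestamped after the entry is added; rerun the script for every new fileset level, as the page notes.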