
Digital Signature Policies (chsignpolicy)

AIX Trusted Installation supports the following policies:

    • none – Digital signatures are not verified. (Default)
    • low – Digital signatures are verified, but any discrepancies are simply displayed as an error message. The installation proceeds regardless of the verification result.
    • medium – Digital signatures are checked; if there are any discrepancies, an interactive query is made as to whether the installation should continue.
    • high – Digital signatures are verified. If the verification fails, the installation aborts with an error message.

The configuration is done with the command chsignpolicy.

The currently set policy can be displayed with the “-p” option:

# chsignpolicy -p
#signpolicy
none
#

Note: The chsignpolicy command requires root privileges to run.

The currently set policy is stored in the device sys0:

$ lsattr -El sys0 -a signpolicy
signpolicy none Digital Signature Policy True
$

The possible policies can be displayed using the “-R” (range) option of chsignpolicy or lsattr:

# chsignpolicy -R
none
low
medium
high
#

$ lsattr -Rl sys0 -a signpolicy
none
low
medium
high
$

Note: The lsattr command can be called by any user (and is ultimately also used by chsignpolicy).

A change to the policy can be made with the “-s” (set) option and takes effect immediately:

# chsignpolicy -s low
sys0 changed
# chsignpolicy -p
#signpolicy
low
#

To demonstrate the behavior of the different policies, we created some filesets for testing. Regarding digital signatures, there are three different cases of filesets (software packages):

    • Fileset without digital signature (test.no_signature)
    • Fileset with invalid signature (test.invalid_signature)
    • Fileset with valid signature (test.valid_signature)

Case 1: Policy none (default)

We first set the digital signature policy to the default value none:

# chsignpolicy -s none
sys0 changed
#

Then we install the three test filesets:

# installp -ad . test.no_signature test.invalid_signature test.valid_signature
+-----------------------------------------------------------------------------+
                    Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...

Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
test.no_signature           1.0.0.0         USR         APPLY       SUCCESS   
test.invalid_signature      1.0.0.0         USR         APPLY       SUCCESS   
test.valid_signature        1.0.0.0         USR         APPLY       SUCCESS   
#

As expected, all three filesets can be installed without problems and without verification.

Case 2: Policy low

Next, we set the policy to low:

# chsignpolicy -s low
sys0 changed
#

Then we install the three test filesets again:

# installp -ad . test.no_signature test.invalid_signature test.valid_signature
+-----------------------------------------------------------------------------+
                    Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...

Verifying known package signatures of install source: /export/src/bff/.

Please wait...
INFO: Package /export/src/bff/test.invalid_signature.1.0.0.0.I failed signature verification.
INFO: Package /export/src/bff/test.no_signature.1.0.0.0.bff failed signature verification.

Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
test.no_signature           1.0.0.0         USR         APPLY       SUCCESS   
test.invalid_signature      1.0.0.0         USR         APPLY       SUCCESS   
test.valid_signature        1.0.0.0         USR         APPLY       SUCCESS   
#

This time the signatures are checked, and if the verification fails, a corresponding message is displayed:

INFO: Package /export/src/bff/test.invalid_signature.1.0.0.0.I failed signature verification.
INFO: Package /export/src/bff/test.no_signature.1.0.0.0.bff failed signature verification.

Case 3: Policy medium

We now set the policy to medium:

# chsignpolicy -s medium
sys0 changed
#

Then we start the installation of the three test filesets again:

# installp -ad . test.no_signature test.invalid_signature test.valid_signature
+-----------------------------------------------------------------------------+
                    Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...

Verifying known package signatures of install source: /export/src/bff/.

Please wait...
WARNING: Package /export/src/bff/test.invalid_signature.1.0.0.0.I failed signature verification. Continue? (y/n)
y
Continuing..
WARNING: Package /export/src/bff/test.no_signature.1.0.0.0.bff failed signature verification. Continue? (y/n)
Y

Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
test.no_signature           1.0.0.0         USR         APPLY       SUCCESS   
test.invalid_signature      1.0.0.0         USR         APPLY       SUCCESS   
test.valid_signature        1.0.0.0         USR         APPLY       SUCCESS   
#

The signatures are verified, and if no signature is stored in the DSC or the signature differs from the stored value, a warning is issued asking whether the installation should continue:

WARNING: Package /export/src/bff/test.invalid_signature.1.0.0.0.I failed signature verification. Continue? (y/n)

Note: If “n” is selected in one of the prompts, the entire installation will be aborted!

Case 4: Policy high

Finally, we set the policy to high:

# chsignpolicy -s high
sys0 changed
#

We start the installation of the three test filesets again:

# installp -ad . test.no_signature test.invalid_signature test.valid_signature
+-----------------------------------------------------------------------------+
                    Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...

Verifying known package signatures of install source: /export/src/bff/.

Please wait...
FAILURE: Package /export/src/bff/test.invalid_signature.1.0.0.0.I failed signature verification.
#

Note: When the first fileset with no signature or an incorrect signature is processed, the installation will be aborted!
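
With the policies low and medium, the runs above end with APPLY SUCCESS even for filesets that failed verification. The following POSIX shell functions are an added example, not part of the original page: they list exactly those filesets from a saved installp transcript and read the policy value from lsattr output. The function names and the embedded sample transcript are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original page.

# Print the policy from "lsattr -El sys0 -a signpolicy" output on stdin;
# exit non-zero if no signpolicy line is present.
policy_from_lsattr() {
    awk '$1 == "signpolicy" { print $2; found = 1 } END { exit !found }'
}

# Read an installp transcript on stdin and print each fileset that failed
# signature verification but still shows APPLY SUCCESS in the summary.
unverified_installs() {
    awk '
        /failed signature verification/ {
            n = split($3, parts, "/")      # $3 is the package path
            failed[parts[n]] = 1           # remember the file name only
            next
        }
        # Summary rows have five fields: Name Level Part Event Result
        NF == 5 && $4 == "APPLY" && $5 == "SUCCESS" {
            prefix = $1 "." $2 "."         # e.g. test.no_signature.1.0.0.0.
            for (f in failed)
                if (index(f, prefix) == 1) { print $1; break }
        }
    '
}

# Constructed sample: the relevant lines of the "policy low" run shown above.
sample_transcript() {
    cat <<'EOF'
INFO: Package /export/src/bff/test.invalid_signature.1.0.0.0.I failed signature verification.
INFO: Package /export/src/bff/test.no_signature.1.0.0.0.bff failed signature verification.

Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
test.no_signature           1.0.0.0         USR         APPLY       SUCCESS
test.invalid_signature      1.0.0.0         USR         APPLY       SUCCESS
test.valid_signature        1.0.0.0         USR         APPLY       SUCCESS
EOF
}

sample_transcript | unverified_installs
```

On an AIX system the policy can be read with `lsattr -El sys0 -a signpolicy | policy_from_lsattr`, which works for any user because lsattr does not require root.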