Verifying the digital signature of a fileset (DSB)

We’ll demonstrate the process for verifying a fileset with Digital Signature Block (DSB) in detail. For this, we’ll use the bos.net.tcp.ftp fileset update version 7.3.2.2, which we’ve stored in the temporary directory /tmp/lpps:

$ ls -lA /tmp/lpps
total 512
-rw-r--r--    1 root     system          443 Aug 16 12:35 .toc
-rw-r--r--    1 root     system       257280 Aug 16 12:35 bos.net.tcp.ftp.7.3.2.2.U
$

When a fileset is installed, the new command (a shell script) /usr/sbin/dsblkchk is called first to verify the digital signature. It takes the “-d” option followed by a temporary working directory, and then the absolute path of the fileset to be verified:

# dsblkchk -d /tmp /tmp/lpps/bos.net.tcp.ftp.7.3.2.2.U
# echo $?
0
#

Note: We used /tmp as the working directory, while installp uses a temporary subdirectory under /admin/tmp.

An exit status of 0 means that the fileset has a DSB and the signature it contains was successfully verified. If the verification fails, a distinction is made between the following two possibilities:

    • Exit status 1: The DSB is present but malformed, or the digital signature is invalid.
    • Exit status 2: The fileset does not contain a DSB.

In the example above, the verification therefore succeeded. Once a fileset has been verified through its DSB, the old DSC (Digital Signature Catalog) procedure is no longer run for it.

The shell script /usr/sbin/dsblkchk can also be called manually as root. Below, we describe the most important steps for the above fileset.

The script copies the fileset to be checked into a temporary working directory (variable DIR_LOCATION):

  +279                                  cp $PKG $DIR_LOCATION/  >/dev/null 2>&1

The command /usr/sbin/dsblkdet is then called on the copied fileset:

  +291  # call the dsblkdet function
  +292  dsblkdet -d $DIR_LOCATION $PKG_NAME >>$dsblk_echo_log 2>>$dsblk_echo_log

The command first checks whether the fileset contains a DSB at the end of the file. The DSB can be identified by the special “INUTUEYE” marker, the so-called DSB eye catcher. If the fileset does not contain a DSB, dsblkdet returns exit status 2, any temporary files created by the script are deleted, and dsblkchk exits with exit status 2:

  +293  if [[ $? -eq 2 ]]; then
  +294          echo "dsblkchk:No signature block found in pkg=$PKG_NAME, proceed with dsc inventory\n" >>$dsblk_echo_log
  +295          cleanup
  +296          exit 2
  +297  fi

If a DSB is found at the end of the fileset, the path to the public key to be used is stored in the file pkg_file.cert_loc. A check is then performed to see if the public key is also present on the system:

  +302  if [[ ! -f $(cat /$DIR_LOCATION/pkg_file.cert_loc) ]];then
  +303      echo "dsblkchk:$(cat /$DIR_LOCATION/pkg_file.cert_loc) is not present\n
  +304      in the system for pkg=$PKG_NAME, proceed with dsc inventory\n" >>$dsblk_echo_log
  +305      cleanup
  +306      exit 1
  +307  fi

The digital signature contained in the DSB is saved in the pkg_file.sig file. The DSB at the end of the fileset copy is removed (this is the reason why the fileset is copied to the temporary location).

The public key used to verify the signature must be located in the /etc/security/certificates directory. Any other directory is not permitted and will abort the verification:

  +309  #Make sure we are only using the certificate file located in "/etc/security/certificates"
  +310  secure_path=$(awk '{ sub("/[^/]*$", ""); print }' /$DIR_LOCATION/pkg_file.cert_loc)
  +311  if [[ "$secure_path" = "/etc/security/certificates" ]];then
  +312          key_location=$(cat /$DIR_LOCATION/pkg_file.cert_loc)
  +313  else
  +314          echo "dsblkchk:certificate file is not available in secure location\n" >>$dsblk_echo_log
  +315          cleanup
  +316          exit 1
  +317  fi

The final step is to verify the digital signature:

  +324          dsblk_out=$(LANG=C /usr/bin/openssl dgst -${key_hash} -verify $key_location -signature /$DIR_LOCATION/$Sig_file /$DIR_LOCATION/$PKG_NAME)

If the signature verification fails, the script exits with exit status 1:

  +327  if [[ "$dsblk_out" = "Verified OK" ]]; then
  +328          echo "dsblkchk:Signature validation is successful for pkg=$PKG_NAME\n" >>$dsblk_echo_log
  +329  else
  +330          echo "dsblkchk:Signature validation failed for pkg=$PKG_NAME\n" >>$dsblk_echo_log
  +331          cleanup
  +332          exit 1
  +333  fi

If the test is successful, the exit status is 0:

  +334  cleanup
  +335
  +336  exit 0

The cleanup function removes all temporary files and directories when the dsblkchk script terminates.
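To make the exit-status rules above tangible without an AIX fileset, here is an added example (it is not the dsblkchk script and does not reproduce the DSB layout): it re-implements the key-location check of lines +302 to +317 and the openssl verification of line +324 on constructed inputs in a scratch directory. The secure directory is passed as a parameter instead of being hard-coded to /etc/security/certificates, and sha256 stands in for the key_hash value taken from the DSB; both are assumptions made so that the example runs anywhere.

```sh
#!/bin/sh
# Added example, not the dsblkchk script itself. The cert_loc and signature
# are handed over as separate files, the way dsblkdet leaves them behind, and
# the exit statuses follow the text: 0 verified, 1 bad key location or bad
# signature. The DSB itself (eye catcher, layout) is not reconstructed here.

# Directory part of the path stored in a cert_loc file, exactly as line +310 does it.
cert_dir() { awk '{ sub("/[^/]*$", ""); print }' "$1"; }

# Mirror of +302..+317: the key must exist and must live in the secure directory.
# $1 = cert_loc file, $2 = secure directory (assumed parameter; dsblkchk
# hard-codes /etc/security/certificates). Prints the key path on success.
check_cert_loc() {
    key=$(cat "$1")
    [ -f "$key" ] || { echo "key $key is not present" >&2; return 1; }
    [ "$(cert_dir "$1")" = "$2" ] || { echo "key is not in secure location" >&2; return 1; }
    printf '%s\n' "$key"
}

# Mirror of +324..+333: returns 0 only when openssl prints "Verified OK".
# $1 = fileset copy (DSB already stripped), $2 = signature, $3 = key, $4 = digest name.
verify_sig() {
    out=$(LANG=C openssl dgst -"$4" -verify "$3" -signature "$2" "$1" 2>/dev/null)
    [ "$out" = "Verified OK" ]
}

# Constructed scenario: a stand-in secure directory, a fresh key pair, a signed "fileset".
demo() {
    work=$(mktemp -d); secure="$work/certificates"; mkdir -p "$secure"
    openssl genpkey -algorithm RSA -out "$work/priv.pem" 2>/dev/null
    openssl pkey -in "$work/priv.pem" -pubout -out "$secure/pkg.pem" 2>/dev/null
    printf 'constructed fileset payload\n' >"$work/pkg.U"
    openssl dgst -sha256 -sign "$work/priv.pem" -out "$work/pkg.sig" "$work/pkg.U"
    printf '%s\n' "$secure/pkg.pem" >"$work/cert_loc"
    key=$(check_cert_loc "$work/cert_loc" "$secure") || return 1
    verify_sig "$work/pkg.U" "$work/pkg.sig" "$key" sha256 || return 1
    echo "untouched copy: Signature validation is successful (exit 0)"
    printf 'tampered\n' >>"$work/pkg.U"      # any change to the payload must fail
    verify_sig "$work/pkg.U" "$work/pkg.sig" "$key" sha256 && return 1
    echo "tampered copy: Signature validation failed (exit 1)"
    rm -rf "$work"
}
command -v openssl >/dev/null 2>&1 && demo
```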

The process for verifying the digital signature with Digital Signature Block is much simpler than with the old version using Digital Signature Catalog.