JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Packaging and Delivering Software With the Image Packaging System in Oracle Solaris 11.1     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

1.  IPS Design Goals, Concepts, and Terminology

2.  Packaging Software With IPS

3.  Installing, Removing, and Updating Software Packages

4.  Specifying Package Dependencies

5.  Allowing Variations

6.  Modifying Package Manifests Programmatically

7.  Automating System Change as Part of Package Installation

8.  Advanced Topics For Package Updating

9.  Signing IPS Packages

Signing Package Manifests

Defining Signature Actions

Publishing Signed Package Manifests

Troubleshooting Signed Packages

Chain Certificate Not Found

Authorized Certificate Not Found

Untrusted Self-Signed Certificate

Signature Value Does Not Match Expected Value

Unknown Critical Extension

Unknown Extension Value

Unauthorized Use of Certificate

Unexpected Hash Value

Revoked Certificate

10.  Handling Non-Global Zones

11.  Modifying Published Packages

A.  Classifying Packages

B.  How IPS Is Used To Package the Oracle Solaris OS

Troubleshooting Signed Packages

The pkgsign tool does not perform all possible checks for its inputs when signing packages. Therefore, it is important to check signed packages to ensure that they can be properly installed after being signed.

This section shows errors that can occur when attempting to install or update a signed package and provides explanations of the errors and solutions to the problems.

A signed package can fail to install or update for reasons that are unique to signed packages. For example, if the signature of a package fails to verify, or if the chain of trust cannot be verified or anchored to a trusted certificate, the package fails to install.

When installing signed packages, the following image and publisher properties influence the checks that are performed on packages:

Image properties

Publisher properties

See the pkg(1) man page for further information about these properties and their values.

Chain Certificate Not Found

The following error occurs when a certificate in the chain of trust is missing or otherwise erroneous.

pkg install: The certificate which issued this certificate:
/C=US/ST=California/L=Menlo Park/O=pkg5/CN=cs1_ch1_ta3/emailAddress=cs1_ch1_ta3
could not be found. The issuer is:
/C=US/ST=California/L=Menlo Park/O=pkg5/CN=ch1_ta3/emailAddress=ch1_ta3
The package involved is: pkg://test/example_pkg@1.0,5.11-0:20110919T184152Z

In this example, there were three certificates in the chain of trust when the package was signed. The chain of trust was rooted in the trust anchor, a certificate named ta3. The ta3 certificate signed a chain certificate named ch1_ta3, and ch1_ta3 signed a code signing certificate named cs1_ch1_ta3.

When the pkg command tried to install the package, it was able to locate the code signing certificate, cs1_ch1_ta3, but could not locate the chain certificate, ch1_ta3, so the chain of trust could not be established.

The most common cause of this problem is failing to provide the correct certificates to the -i option of pkgsign.

Authorized Certificate Not Found

The following error is similar to the error shown in the previous example but the cause is different.

pkg install: The certificate which issued this certificate:
/C=US/ST=California/L=Menlo Park/O=pkg5/CN=cs1_cs8_ch1_ta3/emailAddress=cs1_cs8_ch1_ta3
could not be found. The issuer is:
/C=US/ST=California/L=Menlo Park/O=pkg5/CN=cs8_ch1_ta3/emailAddress=cs8_ch1_ta3
The package involved is: pkg://test/example_pkg@1.0,5.11-0:20110919T201101Z

In this case, the package was signed using the cs1_cs8_ch1_ta3 certificate, which was signed by the cs8_ch1_ta3 certificate.

The problem is that the cs8_ch1_ta3 certificate was not authorized to sign other certificates. Specifically, the cs8_ch1_ta3 certificate had the basicConstraints extension set to CA:false and marked critical.

When the pkg command verifies the chain of trust, it does not find a certificate that is allowed to sign the cs1_cs8_ch1_ta3 certificate. Since the chain of trust cannot be verified from the leaf to the root, the pkg command prevents the package from being installed.

Untrusted Self-Signed Certificate

The following error occurs when a chain of trust ends in a self-signed certificate that is not trusted by the system.

pkg install: Chain was rooted in an untrusted self-signed certificate.
The package involved is:pkg://test/example_pkg@1.0,5.11-0:20110919T185335Z

When you create a chain of certificates using OpenSSL for testing, the root certificate is usually self-signed, since there is little reason to have an outside company verify a certificate that is only used for testing.

In a test situation, there are two solutions:

Signature Value Does Not Match Expected Value

The following error occurs when the value on the signature action could not be verified using the certificate that the action claims was paired with the key used to sign the package.

pkg install: A signature in pkg://test/example_pkg@1.0,5.11-0:20110919T195801Z
could not be verified for this reason:
The signature value did not match the expected value. Res: 0
The signature's hash is 0ce15c572961b7a0413b8390c90b7cac18ee9010

There are two possible causes for an error like this:

Unknown Critical Extension

The following error occurs when a certificate in the chain of trust uses a critical extension that pkg does not understand.

pkg install: The certificate whose subject is
/C=US/ST=California/L=Menlo Park/O=pkg5/CN=cs2_ch1_ta3/emailAddress=cs2_ch1_ta3
could not be verified because it uses a critical extension that pkg5 cannot
handle yet. Extension name:issuerAltName
Extension value:<EMPTY>

Until pkg learns how to process that critical extension, the only solution is to regenerate the certificate without the problematic critical extension.

Unknown Extension Value

The following error is similar to the previous error except that the problem is not with an unfamiliar critical extension but with a value that pkg does not understand for an extension that pkg does understand.

pkg install: The certificate whose subject is
/C=US/ST=California/L=Menlo Park/O=pkg5/CN=cs5_ch1_ta3/emailAddress=cs5_ch1_ta3
could not be verified because it has an extension with a value that pkg(5)
does not understand.
Extension name:keyUsage
Extension value:Encipher Only

In this case, pkg understands the keyUsage extension, but does not understand the value Encipher Only. The error looks the same whether the extension in question is critical or not.

The solution, until pkg learns about the value in question, is to remove the value from the extension, or remove the extension entirely.

Unauthorized Use of Certificate

The following error occurs when a certificate has been used for a purpose for which it was not authorized.

pkg install: The certificate whose subject is
/C=US/ST=California/L=Menlo Park/O=pkg5/CN=ch1_ta3/emailAddress=ch1_ta3
could not be verified because it has been used inappropriately.
The way it is used means that the value for extension keyUsage must include
'DIGITAL SIGNATURE' but the value was 'Certificate Sign, CRL Sign'.

In this case, the certificate ch1_ta3 has been used to sign the package. The keyUsage extension of the certificate means that the certificate is only valid to sign other certificates and CRLs (Certificate Revocation Lists).

Unexpected Hash Value

The following error indicates that the certificate has been changed since it was last retrieved from the publisher.

pkg install: Certificate
/tmp/ips.test.7149/0/image0/var/pkg/publisher/test/certs/0ce15c572961b7a0413b8390c90b7cac18ee9010
has been modified on disk. Its hash value is not what was expected.

The certificate at the provided path is used to verify the package being installed, but the hash of the contents on disk do not match what the signature action thought they should be.

The simple solution is to remove the certificate and allow pkg to download the certificate again.

Revoked Certificate

The following error indicates the certificate in question, which was in the chain of trust for the package to be installed, was revoked by the issuer of the certificate.

pkg install: This certificate was revoked:
/C=US/ST=California/L=Menlo Park/O=pkg5/CN=cs1_ch1_ta4/emailAddress=cs1_ch1_ta4
for this reason: None
The package involved is: pkg://test/example_pkg@1.0,5.11-0:20110919T205539Z