How to apply signed patches to Studio 11 under Solaris 10?

I'm running Solaris 10 6/06 on a Sun W2100z (x86_64) workstation. I have a long history of experience with Solaris, but I'm not terribly familiar with the things that are new or different with 10, including zones and the new patch management tools.

I want to apply the latest patches to the various components of Studio 11, e.g. 120759-08, 121018-04, etc. Since all the other patches I've applied (for other OS subsets) have been "signed" patches, I was hoping to stay consistent and apply signed patches to Studio 11 too. I've been foiled at every attempt, though, so I'm looking for some help.

- if I use /usr/bin/updatemanager to select and attempt to apply the patches, I just get error messages saying that the patches could not be applied:

[code]
121016-03 Sun Studio 11_x86: Patch for Sun C_x86 5.8 CompilerFailed
Utility used to install the update failed with exit code {0}.

120762-02 Sun Studio 11_x86: Patch for Performance Analyzer ToolsFailed
Install of update failed. Utility used to install the update is not able to add packages. Utility used to install the update failed with exit code 5.
[/code]

... and so on.

- if I try using "smpatch" to add the patch, I get this error:

[code]
$sudo smpatch add -i 120759-08
add patch 120759-08
Transition old-style patching.
Patch 120759-08 failed to install due to a failure produced by pkgadd.
pkgadd: ERROR: The package <SPROlang> is currently installed on the system in the
global zone. To install the new instance of this package in the global
zone only, you must specify the -G option. To install the new instance
of this package in all zones you must first remove the existing instance
of this package from the global zone first (via pkgrm) and then install
the new instance of this package in all zones.
pkgadd: ERROR: package <SPROlang> cannot be installed on this system/zone
[/code]

- if I try to use "patchadd" directly with the jar file in the current directory, I get this:

[code]
$sudo patchadd 120759-08
Validating patches...
Loading patches installed on the system...
Done!
Loading patches requested to install.
Done!
Checking patches that you specified for installation.
Done!
Approved patches will be installed in this order:
120759-08
Verifying signed patch <120759-08>...
Verifying digital signature for signer <es-signature>
ERROR: Signature verification failed while verifying certificate <subject=Sun Microsystems Inc Root CA, issuer=GTE CyberTrust Root>:<unable to get local issuer certificate>.
ERROR: Unable to verify signature for signer <es-signature>
Signature invalid on signed patch <120759-08>.
Patchadd is terminating.
[/code]

That's three strikes, and I'm out of ideas. Any suggestions for how one goes about applying signed patches for Studio 11? I'll switch to unsigned if I have to, but this seems like it shouldn't be this hard.

Thanks,

Tim

[3167 byte] By [Enchanter] at [2007-11-26 9:46:39]
# 1

For Solaris 10 releases, the Sun Studio 11 installer explicitly does a -G install, therefore the patches must be installed or removed with -G, also.

[code]
example# patchadd -G /var/spool/patch/106326-01
example# patchrm -G 104945-02
[/code]

We are in the process of updating all released patches' README files to reflect this.

-Ngoc

NgocNguyen at 2007-7-7 0:51:56 > top of Java-index,Development Tools,Solaris and Linux Development Tools...
# 2

But when I use patchadd, even with -G, it complains about the signature:

[code]
$sudo patchadd -G 120759-08
Validating patches...
Loading patches installed on the system...
Done!
Loading patches requested to install.
Done!
Checking patches that you specified for installation.
Done!
Approved patches will be installed in this order:
120759-08
Verifying signed patch <120759-08>...
Verifying digital signature for signer <es-signature>
ERROR: Signature verification failed while verifying certificate <subject=Sun Microsystems Inc Root CA, issuer=GTE CyberTrust Root>:<unable to get local issuer certificate>.
ERROR: Unable to verify signature for signer <es-signature>
Signature invalid on signed patch <120759-08>.
Patchadd is terminating.
[/code]

According to the documentation on sunsolve for "signed patches", for Solaris 8 and earlier I would need to install SUNWcert to get Sun's CA info. For Solaris 9, nothing needs to be done because it's included with patchpro. There's absolutely no mention of Solaris 10.

So, what do I need to do for patchadd to be happy with these signed patches?

I'm perfectly happy using patchadd to apply the patches, but this also begs the question of why Studio 11 patches even show up via updatemanager and smpatch if they can't be applied using those tools?

Enchanter at 2007-7-7 0:51:56
# 3

Sun Studio patches are not signed patches. So you may not be able to apply them on a signed system. The -G option only solved the zoning issue, not the signed system.

-Ngoc

NgocNguyen at 2007-7-7 0:51:56
# 4

I agree that the -G option is useful for systems that support zones.

However, Sun clearly does provide signed patches for Sun Studio 11. Here's the compiler common patch page:

http://sunsolve.sun.com/search/advsearch.do?collection=PATCH&type=collections&max=50&language=en&queryKey5=120759&toDocument=yes

and you only need to click on the "Download Signed Patch" HTTP link to get it.

Since it appears there's just no way to apply the signed patches, I'm going to go ahead and download the unsigned patches and proceed with them, but it seems like Sun's update/patch process is completely broken with respect to Studio 11.

Thanks for your help!

Tim

Enchanter at 2007-7-7 0:51:56
# 5

Hi Tim,

One of my team members is looking into this issue. We are trying to reproduce the issue. You are right, you can download signed Sun Studio patches. And if you have a signed Solaris OS, you should be able to apply signed Sun Studio patches. Will keep you posted. I already set a watch on this thread. Will come back with our test result.

-Ngoc

NgocNguyen at 2007-7-7 0:51:56
# 6

Thanks Ngoc!

I'll delay installing the unsigned patches (I'm not in desperate need of any of them at the moment) and I'll keep an eye on this thread too.

Tim

Enchanter at 2007-7-7 0:51:56
# 7

Hi Tim,

I was unable to reproduce this situation. I tried with /usr/bin/updatemanager, smpatch and patchadd. Full success. But I didn't use "sudo", I tried everything under root.

Can you try the following:

1. Login as root and install -- do not use sudo. (Actually I'm not sure sudo is the problem, but please, check just in case).

2. Try to download and install unsigned patches as well -- just to determine if the problem is in the signature, not in the patch itself.

Thanks,

Misha

MishaB at 2007-7-7 0:51:56
# 8

I tried your suggestion #1, and it didn't make any difference. Even when I log in to my workstation as root, I get the exact same results as I did when I used sudo.

updatemanager and smpatch both fail with a problem from pkgadd not using -G, and patchadd fails with a signature error. I think I need to retest patchadd though, because I may have executed that incorrectly. I'll retest and report back.

Note, though, that someone else has started a thread nearly identical to this one, and they're having exactly the same issue with "updatemanager", so I'm not the only person seeing this issue.

Tim

Enchanter at 2007-7-7 0:51:56
# 9

Hi Tim,

The update manager is used by all the patches within Sun for many products, not just Sun Studio. Sun Studio used -G for installation, and thus for patches; that does not mean other products will do the same. But I hear your concern.

I will check with the Sun update manager group to see if there is another workaround. If not, I will open a request for enhancement against update manager, and if possible smpatch, to allow passing the user's installation options, not predefined options.

-Ngoc

NgocNguyen at 2007-7-7 0:51:56
# 10

Dear all,

I just want to say that I am having identical problems to the ones reported (trying to apply Sun Studio 11 patches to Solaris 10). None of the suggestions posted so far have worked for me.

So, I imagine that there are quite a few people out there who are waiting for a fix to this. Further comments would be very much appreciated.

Robert.

r_m_sinclair at 2007-7-7 0:51:56
# 11

You can always install the unsigned patches.

If you want to verify the signed patches by hand, you can try following the instructions on the "signed patch FAQ" here: http://sunsolve6.sun.com/pub-cgi/show.pl?target=patches/spfaq

ChrisQuenelle at 2007-7-7 0:51:56
# 12

You're right Chris, and that's pretty much what I'm going to end up doing.

The reason I started this thread was because I hoped that I was doing something wrong or dumb, because the alternative was that Sun is doing something dumb -- having patches show up in updatemanager that can't possibly be applied via updatemanager.

Think of all the people that are new to Solaris and Sun Studio but are trying them because there's no monetary cost associated. If they follow Sun's advice and use updatemanager for managing patches, one of the first things they're going to run into is this problem, which isn't going to make a great first impression.

My preferred solution would be for updatemanager and smpatch to be able to pass the -G to patchadd.

If that's not possible, then I would recommend that Sun make it so that Workshop patches don't even show up in updatemanager or smpatch. In my opinion, that's better than having them show up but be uninstallable.

Tim

Enchanter at 2007-7-7 0:51:56
# 13

I started a new thread on the updatemanager forum.

http://forum.sun.com/jive/thread.jspa?threadID=107410

I found that forum by googling for "updatemanager" and "zones", but I couldn't find any recent information on this issue. It seems the problem has been known about for a while now.

--chris

ChrisQuenelle at 2007-7-7 0:51:56
# 14

Thanks Chris.

The moderator's post in that thread was definitely useful, and I've added a comment there too.

sincerely,

Frustrated User (Tim) :-)

Enchanter at 2007-7-7 0:51:56
# 15

Hi Tim,

I was seeing the exact same behavior that you were. I ran across the following page in the System admin guide:

http://docs.sun.com/app/docs/doc/817-1985/6mhm8o62a?q=patch&a=view

It described how to import a trusted certificate. After that, I was able to get beyond the verification problem.

The next thing I ran into was a crash in one of the utilities called by /usr/lib/patch/patchadd. I dug a little bit without much success but did notice that /usr/lib/patch/patchadd is a shell script so I tried to run it standalone. Instead of giving it a /var/sadm/spool/120759-08 type directory, you give it the directory that was created by patchadd prior to the crash, namely /var/sadm/spool/120759-08.jar.dir/120759-08.

The patchadd crash may have been unique to me but I thought I'd mention it anyway. Hopefully, once you do the certificate import described, you'll be in good shape.

Jim

veroulisa at 2007-7-21 15:20:20
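
The "unable to get local issuer certificate" text in the patchadd output earlier in this thread is the wording OpenSSL uses when a certificate's issuer is not in the verifier's trust store, which is why importing a trusted certificate gets past the check. The following is an added example, not from this thread or from Sun's tools: it reproduces that failure and its fix with the openssl CLI on a constructed root CA and signer. All names, keys and directories are made up, and it does not touch the Solaris package keystore.

```shell
#!/bin/sh
# Added demo. Every key, name and file here is constructed throwaway material.

# make_chain DIR: create a constructed root CA and a signer cert issued by it.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=constructed-signer" \
        -keyout "$1/signer.key" -out "$1/signer.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/signer.csr" -days 2 \
        -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
        -out "$1/signer.pem" 2>/dev/null || return 1
}

# verify_signer TRUSTDIR CERT: check CERT against the hashed trust directory.
verify_signer() {
    openssl verify -CApath "$1" "$2" 2>&1
}

# trust_root TRUSTDIR ROOTCERT: "import" the root by storing it as <hash>.0,
# the file name OpenSSL looks up when searching a CApath for an issuer.
trust_root() {
    h=$(openssl x509 -noout -hash -in "$2") || return 1
    cp "$2" "$1/$h.0"
}

# demo: verify the same signer cert before and after the root is trusted.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/trust"
    make_chain "$work" || { rm -rf "$work"; return 1; }
    # Expected to fail: the trust directory is still empty.
    before=$(verify_signer "$work/trust" "$work/signer.pem") || true
    trust_root "$work/trust" "$work/root.pem" || { rm -rf "$work"; return 1; }
    after=$(verify_signer "$work/trust" "$work/signer.pem") || true
    rm -rf "$work"
    printf 'before import:\n%s\nafter import:\n%s\n' "$before" "$after"
}

demo
```

The signer certificate and its signature are identical in both runs; only the contents of the trust directory change, so the first result says nothing about whether the signed file was tampered with.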
# 16

I want to get back after my investigation.

The problem of passing -G is with neither the updatemanager nor the smpatch utility. That is, the problem is with patchadd. Change Request 6374972 has been filed. An escalation was also filed. The fix is understood. Hopefully we can have the fix soon. Don't know the timeframe yet.

-Ngoc

Ngoc-Nguyena at 2007-7-21 15:20:20
# 17

I did some research. Sun Studio patches need to run patchadd with the -G option. But this is a problem with neither the updatemanager nor the smpatch utility. The problem is with patchadd: bug 6374972. The fix is currently in code review.

-Ngoc

Ngoc-Nguyena at 2007-7-21 15:20:20
# 18

Thanks for the documentation pointer Jim! That helped a lot.

I ran into exactly the same segfault:

[code]
Verifying signed patch <120759-08>...
Verifying digital signature for signer <es-signature>
Digital signature for signer <es-signature> verified.
Verifying contents of signed patch </export/home/ndsu/mooney/sun/solaris/studio11-patches/x86/studio11/120759-08.jar>
Contents of signed patch </export/home/ndsu/mooney/sun/solaris/studio11-patches/x86/studio11/120759-08.jar> verified.
/usr/lib/patch/patchadd[24]: 2384 Segmentation Fault(coredump)
Signature invalid on signed patch <120759-08>.
Patchadd is terminating.
[/code]

The core is from "patchutil".

Using your subsequent tip, I was able to install 120759-08 and 121016-03. I got segfaults from patchutil for both of them.

Tim

Enchantera at 2007-7-21 15:20:20
# 19

Thanks Ngoc!

Tim

Enchantera at 2007-7-21 15:20:20
# 20
[message removed] -- it would have been a dupe anyway.
jhowkdtva at 2007-7-21 15:20:20