Blastwave™ in 5 steps
GPG Key for Blastwave™
The old GPG Key for Blastwave.org has expired. It is no longer valid.
Be sure to update your keyrings thus:
# /opt/csw/bin/gpg --keyserver pgp.mit.edu --recv-keys A1999E90
See more details on the mirrors page.
Step 1: Be Patched Up To Date
I cannot stress this enough. You cannot expect your operating system to be at peak performance and stability if you do not perform regular software maintenance. At the very least you will need to apply the Solaris Recommended patch cluster. After that is complete you may then proceed.
Step 2: Install pkgutil
To do much of anything you will need pkgutil on your system.
Solaris 8 & 9 Users: You need to fetch the correct pkgutil package from Network.com thus:
Then you need to manually install the package thus:
# cd /tmp
# /opt/csw/bin/wget http://download.blastwave.org/csw/pkgutil_`/sbin/uname -p`.pkg
--2009-04-11 06:47:31-- http://download.blastwave.org/csw/pkgutil_sparc.pkg
Connecting to 192.168.35.7:8080... connected.
Proxy request sent, awaiting response... 200 OK
Length: 325632 (318K) [application/octet-stream]
Saving to: `pkgutil_sparc.pkg'
0K .... 100% 287K=1.1s
2009-04-11 06:47:33 (287 KB/s) - `pkgutil_sparc.pkg' saved [325632/325632]
# digest -a md5 pkgutil_sparc.pkg
e80958ffd5d92bc85c01dd89d764ae0f
# pkgadd -d ./pkgutil_sparc.pkg
The following packages are available:
1 CSWpkgutil pkgutil - Installs Solaris packages easily
(sparc) 1.6.1,REV=2009.06.15
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
Processing package instance <CSWpkgutil> from </tmp/pkgutil_sparc.pkg>
pkgutil - Installs Solaris packages easily(sparc) 1.6.1,REV=2009.06.15
Please see /opt/csw/share/doc/pkgutil/license for license information.
## Processing package information.
## Processing system information.
10 package pathnames are already properly installed.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
This package contains scripts which will be executed with super-user
permission during the process of installing this package.
Do you want to continue with the installation of <CSWpkgutil> [y,n,?] y
Installing pkgutil - Installs Solaris packages easily as <CSWpkgutil>
## Installing part 1 of 1.
/etc/opt/csw/pkgutil.conf.CSW
/opt/csw/bin/bldcat
/opt/csw/bin/chkcat
/opt/csw/bin/pkgutil
/opt/csw/etc/pkgutil.conf.CSW
/opt/csw/libexec/pkgutil/wget
/opt/csw/share/doc/pkgutil/license
/opt/csw/share/doc/pkgutil/readme
/opt/csw/share/man/man1/pkgutil.1
/var/opt/csw/pkgutil/admin.CSW
[ verifying class <none> ]
## Executing postinstall script.
Installation of <CSWpkgutil> was successful.
# cp -p /opt/csw/etc/pkgutil.conf.CSW /etc/opt/csw/pkgutil.conf
Solaris 10 & Nevada or OpenSolaris™ Users:
# uname -a
SunOS callistoz 5.10 Generic_141414-09 sun4u sparc SUNW,Sun-Fire-480R
# pkgadd -G -d http://download.blastwave.org/csw/pkgutil_`/sbin/uname -p`.pkg
## Downloading...
..............25%..............50%..............75%..............100%
## Download Complete
The following packages are available:
1 CSWpkgutil pkgutil - Installs Solaris packages easily
(sparc) 1.6.2,REV=2010.01.28_rev=bw
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
Processing package instance <CSWpkgutil> from <http://download.blastwave.org/csw/pkgutil_sparc.pkg>
pkgutil - Installs Solaris packages easily(sparc) 1.6.2,REV=2010.01.28_rev=bw
+-----------------------------------------------------------------------+
| |
| GNU GENERAL PUBLIC LICENSE |
| Version 2, June 1991 |
| |
| Copyright (C) 1989, 1991 Free Software Foundation, Inc. |
| 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| Everyone is permitted to copy and distribute verbatim copies |
| of this license document, but changing it is not allowed. |
| |
| see /opt/csw/share/doc/pkgutil/license for entire verbatim license. |
| |
+-----------------------------------------------------------------------+
Using </> as the package base directory.
## Processing package information.
## Processing system information.
9 package pathnames are already properly installed.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
This package contains scripts which will be executed with super-user
permission during the process of installing this package.
Do you want to continue with the installation of <CSWpkgutil> [y,n,?] y
Installing pkgutil - Installs Solaris packages easily as <CSWpkgutil>
## Installing part 1 of 1.
/opt/csw/bin/bldcat
/opt/csw/bin/chkcat
/opt/csw/bin/pkgutil
/opt/csw/libexec/pkgutil/md5
/opt/csw/libexec/pkgutil/wget
/opt/csw/share/doc/pkgutil/admin.pkgutil
/opt/csw/share/doc/pkgutil/license
/opt/csw/share/doc/pkgutil/pkgutil.conf
/opt/csw/share/doc/pkgutil/readme
/opt/csw/share/man/man1/bldcat.1
/opt/csw/share/man/man1/chkcat.1
/opt/csw/share/man/man1/pkgutil.1
[ verifying class <none> ]
## Executing postinstall script.
INFO : /etc/opt/csw/pkgutil.conf found! Thank you.
WARNING : A software package admin file was not found
: at /var/opt/csw/pkgutil/admin
: A default admin file will be created for you.
INFO : The pkgutil software has been installed at/opt/csw/bin/pkgutil
: Please verify that you have a pkgutil.conf file at /etc/opt/csw
: and a storage area for software catalogs and downloaded files
: at /var/opt/csw/pkgutil and /var/opt/csw/pkgutil/packages.
: +-----------------------------------------------------+
: | The FIRST Action to take once you verify that you |
: | have a pkgutil.conf file setup is to fetch the most |
: | recent software catalog thus |
: | |
: | /opt/csw/bin/pkgutil --catalog |
: | |
: | Be sure to read the HOWTO documents at |
: | |
: | http://www.blastwave.org/ |
: | |
: | Also please join the user forums at |
: | |
: | http://wiki.blastwave.org/forum/index.php |
: +-----------------------------------------------------+
Installation of <CSWpkgutil> was successful.
Step 3: Fetch the Software catalog
If you look closely you will see a copy of wget is included with pkgutil. This means that pkgutil will work out of the box regardless of what rev of Solaris you are on. You don't need to worry about OpenSSL or WGET or even about basic configuration. That is all done for you.
The first thing you NEED to do is fetch the software catalog.
Special NOTE: You may need a proxy setup!
If you need a web HTTP proxy for access to the internet then be sure to create a .wgetrc file for the root user that looks like so:
.wgetrc
progress=dot:mega
ftp_proxy=http://192.168.35.7:8080
http_proxy=http://192.168.35.7:8080
Choose an IP address and port number that works for your environment.
# /opt/csw/bin/pkgutil --catalog
Fetching new catalog if available...
--01:41:49-- http://download.blastwave.org/csw/unstable/i386/5.8/catalog
=> `/var/opt/csw/pkgutil/catalog.i386.5.8.0'
Connecting to 192.168.35.7:8080... connected.
Proxy request sent, awaiting response... 200 OK
Length: 375,014 [text/plain]
0K ..... 100% 342.27 KB/s
01:41:52 (342.27 KB/s) - `/var/opt/csw/pkgutil/catalog.i386.5.8.0' saved [375014/375014]
Step 4: Security First!
All of the software from Blastwave™ is delivered via digitally signed software catalogs. You need to ensure that your catalogs are correct and have not been tampered with.
Install GNU GPG as well as the ability to verify MD5 hash values thus:
# /opt/csw/bin/pkgutil --install gnupg textutils
Parsing catalog, may take a while...
New packages: CSWcommon CSWisaexec CSWexpat CSWiconv CSWncurses CSWggettext
CSWbzip2 CSWzlib CSWreadline CSWtextutils CSWgnupg
Total size: 9.2 MB
11 packages to fetch. Do you want to continue? [Y,n]
Once you have CSWgnupg installed (RFC 2440 compliant tool for secure communication) then you must fetch the Blastwave.org GPG digital key and import that key into your local key ring.
You may fetch the Blastwave key in four possible ways:
1. Manually copy and paste the key into a local file.
Simply look at the key on the Blastwave website and then use vi to put it into a local file.
2. Fetch and install a complete edition of wget and then use it to fetch the key.
To get a full copy of CSWwget you need to run pkgutil again thus:
# /opt/csw/bin/pkgutil --install wget
Once that is complete use wget to fetch and import the key like so:
# /opt/csw/bin/wget http://www.blastwave.org/gpg_key.txt
# /opt/csw/bin/gpg --import gpg_key.txt
3. Use gpg to fetch the key directly from a key server. In this case you can run gpg directly to fetch the key from the MIT keyserver:
# /opt/csw/bin/gpg --keyserver pgp.mit.edu --recv-keys A1999E90
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key A1999E90 from hkp server pgp.mit.edu
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key A1999E90: public key "Blastwave Software (Blastwave.org Inc.) <software@blastwave.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
4. Use the wget binary that is included in the pkgutil tool package.
The best method to use is option #3 above. If you have access to the internet directly then please perform step #3. Otherwise the last method is very safe and almost certainly reasonable for a server that does not have direct access to the internet.
Method #4 looks like so:
# cd /tmp
# /opt/csw/libexec/pkgutil/wget http://www.blastwave.org/gpg_key.txt
--02:28:22-- http://www.blastwave.org/gpg_key.txt
=> `gpg_key.txt'
Connecting to 192.168.35.7:8080... connected.
Proxy request sent, awaiting response... 200 OK
Length: 1,734 [text/plain]
0K 100% 1.65 MB/s
02:28:22 (1.65 MB/s) - `gpg_key.txt' saved [1734/1734]
# /opt/csw/bin/gpg --import gpg_key.txt
gpg: directory `//.gnupg' created
gpg: new configuration file `//.gnupg/gpg.conf' created
gpg: WARNING: options in `//.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `//.gnupg/secring.gpg' created
gpg: keyring `//.gnupg/pubring.gpg' created
gpg: //.gnupg/trustdb.gpg: trustdb created
gpg: key A1999E90: public key "Blastwave Software (Blastwave.org Inc.) <software@blastwave.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
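Every method above leaves a key in the keyring that was selected by the 8-digit ID A1999E90, and short IDs are not unique. The following added example (not part of the original page or of pkgutil) compares the imported key's full fingerprint with one obtained through a separate channel, and also reports an expired or revoked key. The fingerprint and the sample listing in it are constructed placeholders, since this page does not publish the real fingerprint.

```sh
#!/bin/sh
# Added example, not part of the original page or of pkgutil.
# key_status KEYID FINGERPRINT reads, on stdin, the output of
#   /opt/csw/bin/gpg --with-colons --fingerprint KEYID
# and prints one of: ok mismatch ambiguous revoked expired missing.
key_status() {
    ks_id=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    ks_fpr=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v id="$ks_id" -v fpr="$ks_fpr" '
        $1 == "pub" {
            # Field 5 is the long key ID; match the short ID as its suffix.
            k = toupper($5)
            inkey = (substr(k, length(k) - length(id) + 1) == id)
            if (inkey) { n++; validity = $2 }   # field 2: e=expired, r=revoked
            next
        }
        $1 == "sub" { inkey = 0 }
        # Field 10 of the first fpr record after pub is the primary fingerprint.
        $1 == "fpr" && inkey { got = toupper($10); inkey = 0 }
        END {
            if (n == 0)               print "missing"
            else if (n > 1)           print "ambiguous"
            else if (got != fpr)      print "mismatch"
            else if (validity == "r") print "revoked"
            else if (validity == "e") print "expired"
            else                      print "ok"
        }'
}

# Constructed sample listing; the fingerprint is a placeholder, not the real one.
sample_listing() {
    cat <<'EOF'
pub:-:1024:17:66667777A1999E90:2008-08-17:2011-08-17::-:Blastwave Software (Blastwave.org Inc.) <software@blastwave.org>::scSC:
fpr:::::::::00001111222233334444555566667777A1999E90:
sub:-:2048:16:11112222E4845389:2008-08-17:2011-08-17:::::e:
EOF
}

# Placeholder for the fingerprint obtained out of band.
EXPECTED_FPR='0000 1111 2222 3333 4444 5555 6666 7777 A199 9E90'
sample_listing | key_status A1999E90 "$EXPECTED_FPR"
```

On a real host, pipe the gpg command named in the header comment into key_status and continue to the trust step only when it prints ok.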
The last step to take is to actually employ the digital signature checks and MD5 hash verification that has been provided to you. To do this you need to do three things:
1) Verify that you have the key. Use the gpg --list-keys command:
# /opt/csw/bin/gpg --list-keys
//.gnupg/pubring.gpg
--------------------
pub 1024D/A1999E90 2008-08-17 [expires: 2011-08-17]
uid Blastwave Software (Blastwave.org Inc.) <software@blastwave.org>
sub 2048g/E4845389 2008-08-17 [expires: 2011-08-17]
2) Mark the key as being trusted for a given purpose. In this case you want to trust the signed software catalogs from Blastwave. To do this you need to edit the key and mark it as being trusted thus:
# /opt/csw/bin/gpg --edit-key A1999E90
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 1024D/A1999E90 created: 2008-08-17 expires: 2011-08-17 usage: SC
trust: unknown validity: unknown
sub 2048g/E4845389 created: 2008-08-17 expires: 2011-08-17 usage: E
[ unknown] (1). Blastwave Software (Blastwave.org Inc.) <software@blastwave.org>
Command> Trust
pub 1024D/A1999E90 created: 2008-08-17 expires: 2011-08-17 usage: SC
trust: unknown validity: unknown
sub 2048g/E4845389 created: 2008-08-17 expires: 2011-08-17 usage: E
[ unknown] (1). Blastwave Software (Blastwave.org Inc.) <software@blastwave.org>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub 1024D/A1999E90 created: 2008-08-17 expires: 2011-08-17 usage: SC
trust: ultimate validity: unknown
sub 2048g/E4845389 created: 2008-08-17 expires: 2011-08-17 usage: E
[ unknown] (1). Blastwave Software (Blastwave.org Inc.) <software@blastwave.org>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
Command> quit
3) Lastly you need to modify the pkgutil configuration to actually use this GPG key as well as to verify the MD5 hashes of the software packages. Edit the pkgutil.conf file that you copied into /etc/opt/csw such that the lines related to GPG and MD5 are not commented out. Your pkgutil.conf should look like so:
# Configuration file for pkgutil
#
# Nothing below is mandatory to change, pkgutil will use the default values
# noted below for each option unless something is uncommented
# Mirror to use for downloads
# See http://www.blastwave.org/mirrors.php for alternative mirrors
# Default: http://download.blastwave.org/csw/unstable
#mirror=http://download.blastwave.org/csw/unstable
# Solaris 10: If you wish to limit pkgutil to installing packages
# only to the global zone, then uncomment this line. Note that pkgrm does not
# have the same option
# WARNING: do not modify this unless you know what you're doing
# Default: blank
#pkgaddopts=-G
# Flags for use with wget, e.g. "-nv" for less verbose or "-q" for quiet
# WARNING: do not modify this unless you know what you're doing
# Default: blank
#wgetopts=-q
# To enable use of gpg or md5, uncomment these
# NOTE: it doesn't make sense to use md5 but not gpg so your options should be:
# 1. both disabled, 2. gpg enabled, 3. both enabled.
# Default: false, false
use_gpg=true
use_md5=true
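A quick way to confirm which verification mode a pkgutil.conf actually selects, including the md5-without-gpg combination that the file's own comment warns against. This is an added example, not pkgutil's code; it assumes that only uncommented key=value lines count and that the last assignment of a key wins, and the sample file in it is constructed.

```sh
#!/bin/sh
# Added example, not pkgutil's own code.
# Assumptions: only uncommented key=value lines count, the last
# assignment of a key wins, and both options default to false.
verify_mode() {
    awk -F= '
        /^[ \t]*#/ { next }                  # commented-out line
        {
            key = $1; val = tolower($2)
            gsub(/[ \t\r]/, "", key)
            gsub(/[ \t\r]/, "", val)
        }
        key == "use_gpg" { gpg = (val == "true") }
        key == "use_md5" { md5 = (val == "true") }
        END {
            if (gpg && md5) print "gpg+md5"   # option 3 in the file comment
            else if (gpg)   print "gpg-only"  # option 2
            else if (md5)   print "md5-only"  # hashes checked, catalog not authenticated
            else            print "none"      # option 1, the shipped default
        }' "$1"
}

# Constructed sample: the GPG line was left commented out by mistake.
sample_conf() {
    cat <<'EOF'
# To enable use of gpg or md5, uncomment these
#use_gpg=true
use_md5=true
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
verify_mode "$tmp"      # on a real host, pass /etc/opt/csw/pkgutil.conf instead
rm -f "$tmp"
```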
The End Result is a secure mechanism for software delivery
Your final step is to fetch a new catalog, and this time you will see that the GPG digital signature is verified for you:
# /opt/csw/bin/pkgutil --catalog
Fetching new catalog if available...
--02:53:52-- http://download.blastwave.org/csw/unstable/i386/5.8/catalog
=> `/var/opt/csw/pkgutil/catalog.i386.5.8.0'
Connecting to 192.168.35.7:8080... connected.
Proxy request sent, awaiting response... 200 OK
Length: 375,014 [text/plain]
0K ..... 100% 7.95 MB/s
02:53:55 (7.95 MB/s) - `/var/opt/csw/pkgutil/catalog.i386.5.8.0' saved [375014/375014]
Checking catalog integrity with gpg.
gpg: Signature made Thu Jan 22 21:09:32 2009 GMT using DSA key ID A1999E90
gpg: Good signature from "Blastwave Software (Blastwave.org Inc.) <software@blastwave.org>"
Step 5: Before you proceed...
What I have to say here will be "Motherhood" statements at best. Really just a bit of advice if you are making the leap from Linux and wonder where to set the PATH for your users and things like that.
Firstly we need to talk about the root user.
Don't mess with the root user account!
That was less than clear so I guess I had better elaborate.
It seems to be common practice to change the root user's default shell.
Don't do that unless you have Solaris 10.
What I do recommend is that you change the root user's home directory location to /root and nothing more fancy than that. You can edit the /etc/passwd file and change the entry for the root user thus:
/etc/passwd
...
root:x:0:1:Super-User:/root:/sbin/sh
...
Be very diligent about creating the root user's home directory right away and ensure that it is only readable by the root user:
# mkdir /root
# chmod 700 /root
# chown root:root /root
Also, you may be wondering why you should not change the root user's default shell to bash. Simply put, any other shell than /sbin/sh will be a dynamically linked executable with dependencies. If you were to check /sbin/sh you would find that it is a standalone program:
$ ldd /sbin/sh
ldd: /sbin/sh: file is not a dynamic executable or shared object
That means that your machine can suffer some horrible disaster and still be able to function in single user mode if you can boot the kernel and get to a running shell with the root user. That is because the root user only needs /sbin/sh to have a fully functional shell. If you were to use bash or any other shell then you would need a stack of dependencies. Those dependencies may not exist if they are on some other file system or on a damaged file system.
Solaris 10 is different. Solaris 10 has a default Bourne Shell /sbin/sh that is not statically linked anymore. This was done intentionally when the single/multi threaded process model was unified and the statically linked libc was removed. Solaris 10 commands in /sbin should only link with things in /lib. There are symlinks in /usr/lib to /lib for some libraries for backwards compatibility reasons. In fact, Solaris 10 is so smart that both su and login will fall back to /sbin/sh if the shell you specify in /etc/passwd for root cannot be executed for some reason. What I am saying here is that you can change root's shell in Solaris 10 and still sleep well at night.
Next item is the default PATH for the root user and regular users. You can set this in the files /etc/default/login and /etc/default/su. Please feel free to be pedantic and set PATH and SUPATH in both of those files to something useful thus:
PATH=/opt/csw/bin:/usr/sbin:/usr/bin:/usr/dt/bin:/usr/openwin/bin:/usr/ccs/bin
Really you can leave /opt/csw/bin out of there entirely if you want. The software from Blastwave is isolated in /opt/csw and will not interfere with your other software. You can use GNOME from somewhere else if you want. Your users can have their own .profile files that determine that they run JDS if they want.
On the other hand your users may place /opt/csw/bin first in their PATH and then will be running with the desktop software and applications from Blastwave. Again, this will be isolated. Don't be surprised if you have problems switching back and forth between different distributions of GNOME, however. There are a lot of configuration files that get created in the user's home directory and you can really only depend on them to work consistently when you stay on one edition of KDE or GNOME.