Manualshelf

HP Secure Development Lifecycle

ManualsBrandsHP ManualsSoftwareHP-UX 11i v3 Enterprise OE
12345
2
Introduction
As part of HP’s continued innovation in security we are ensuring that any HP-UX software that we deliver to you
has not been tampered with and contains no malicious code. Now with HP Secure Development Lifecycle HP
enables you to verify the authenticity and integrity of HP-UX software on your host system thus empowering you
to safe guard your environment from malware.
This whitepaper describes how the software delivered by HP for HP-UX customers is digitally signed and the
method to verify the authenticity of the software before the installation.
HP Secure Development Lifecycle
Starting with the HP-UX 11iv3 March 2013 update release, HP provides the ability to authenticate HP-UX software.
All the software delivered post March 2013 through the following media is signed using HP’s private key:
Operating Environment (OE) media
AR media
Software from http://software.hp.com (new or updated)
Patches from http://www.hp.com/go/hpsc or QPKs
For more information, see the Software Distributor documentation at http://www.hp.com/go/sd-docs and the
Ignite-UX documentation at http://www.hp.com/go/ignite-ux-docs.
Note: ‘HP Secure Development Lifecycle’ functionality of verifying the signatures is available with HP-UX 11iv3
update release 1303 or later, only on Integrity platform.
Defining the Concepts
HP-UX Code Signing
HP-UX Code Signing is a cryptographic method to create a unique digital ‘signature’ for a given HP-UX software
package (depot) using HP Private Key. The signature of the software package (depot) can be verified and validated
using HP Public Key before its installation. The successful verification indicates the following:
1. HP holding the Private Key, did sign the software package in question (authenticity)
2. HP-UX software package has not been altered since it was originally signed (integrity)
HP Private Key
HP Private Key is the private key of HP’s key-pair according to Public Key Infrastructure (PKI). HP Private Key is
stored privately with HP and used for signing the software packages. The software packages that are signed by HP
Private Key can be verified only using the HP Public Key.
HP Public Key
HP Public Key is a corresponding public key to the HP Private Key according to PKI. HP Public Key can be used for
verification of the signatures created by HP Private Key. Thus HP Public Key is required for verifying the authenticity
of the software delivered on HP-UX. HP Public Key is shipped along with the software and with the SW-DIST product.
By default, HP Public Key is shipped in the depot- “<depot_directory>/catalog/dfiles/_PUBLIC_KEY”. If the public key
is not available in the depot, the public key shipped with SW-DIST product at location
/usr/lib/sw/swsign/hp_public_key.pem” is used by SW-DIST during verification. HP Public Key is also available for
download from “HP Secure Development Lifecycle” page at http://software.hp.com