wlisign.1 (2011 03)

wlisign(1)                    Optional WLI Product Required                    wlisign(1)
NAME
wlisign - manage signatures for executable binaries.
SYNOPSIS
wlisign {-a|-d} -k keyfile [-p src:val] [-g prodid] [-o capability,...] execfile
wlisign -l [-c pubkey] execfile
wlisign -v [-g prodid] [-c pubkey] execfile
wlisign -h
DESCRIPTION
wlisign will create, update, delete and verify the WLI signature for execfile, a binary executable file. A
WLI signature implies that execfile is an authorized application. This permits execfile to be granted
access to the file identified by an IBAC policy.
A cryptographic hash, generated as part of the signing operation, uniquely identifies execfile as a system-wide authorized application. For more information on WLI file access policies and signatures, see wli(5). For more information on generating and managing file access policies, see wlipolicy(1).
A signature also enables WLI capabilities to be granted to execfile. For more information on WLI capabilities, see wli(5). A WLI metadata section is added to execfile to hold the signature, the ID of the signer, the fingerprint of pubkey, and optional information such as capabilities and product ID. One or more capabilities can be added to the execfile signature metadata when it is created or at a later time.
Because signing adds a metadata section, the size of execfile increases, and swverify(1M) will report an error when it validates execfile against the SD-UX database. Use swmodify(1M) to update the SD-UX database with the size of the modified command so that swverify succeeds. It is the responsibility of the user to correct any negative effects of the size change caused by signing a binary; HP-UX commands are not aware of binary size changes.
A product ID (-g prodid) is a string chosen by the signer to represent a group of authorized applications. If a product ID is specified when adding or updating with wlisign, it is stored in the signature metadata section. The same product ID can be assigned to many executable signatures, allowing an IBAC policy to establish a one-to-many relationship between a file and the authorized executables allowed access to it.
If deletion (-d option) is specified, the entire WLI signature section of execfile is removed. A successful delete also changes the size of execfile, so swmodify must again be used to correct the size recorded for swverify; otherwise swverify will fail.
Verification with wlisign (-v option) proceeds by retrieving the public key from the WLI database. See wlicert(1M) for details on authorizing public keys. If the public key is not in the WLI database, the user must specify the public key file with the -c option. Verification is a two-step process: the integrity of the signature metadata is verified first, and then the executable is verified using the signature in the metadata and the public key.
WLI signatures are computed by taking a cryptographic hash of the critical sections of the binary and signing the resulting digest with the specified private key in accordance with the RSA standard. Verification applies the corresponding public key to the stored signature and compares the recovered digest with a freshly computed hash of the same sections, so any change to those sections after signing causes verification to fail.
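The signing, two-step verification and deletion flow described in the two paragraphs above, as an added example in Python that is not part of the wlisign product or of this man page. Everything about the metadata section is an assumption made for the example: a trailer marked WLISIG holding length-prefixed fields (signer ID, public key fingerprint, product ID, capabilities, signature) followed by a SHA-256 over those fields for the step-1 integrity check; SHA-256 as the hash of the "critical sections" (here, everything before the trailer); and textbook RSA with a toy key size, no padding and a non-cryptographic RNG to keep the block self-contained. The real WLI section layout, hash function and RSA padding are not described on this page. The example goes one step beyond the text by having the signed digest cover the metadata fields as well as the code, so a product ID or capability cannot be swapped without re-signing, and by showing that deleting the section returns the file to exactly its original size, which is why the page requires swmodify after signing or deleting.

```python
import hashlib
import random
MAGIC = b"WLISIG"  # assumed trailer marker: the real WLI section layout is not documented here

def _is_probable_prime(n, rounds=24):
    # Miller-Rabin on an odd candidate; adequate for a demo key.
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def rsa_keygen(bits=512):
    """Textbook RSA at toy size with no padding and a non-cryptographic RNG: demo only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))  # (pubkey, privkey)

def pubkey_fingerprint(pubkey):
    # Fingerprint of the public key, as stored in the signature metadata.
    return hashlib.sha256(pubkey[0].to_bytes(64, "big") + pubkey[1].to_bytes(4, "big")).digest()

def _pack_fields(fields):
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def _unpack_fields(blob):
    out, i = [], 0
    while i < len(blob):
        ln = int.from_bytes(blob[i:i + 2], "big")
        out.append(blob[i + 2:i + 2 + ln])
        i += 2 + ln
    return out

def _split_trailer(data):
    # Returns (critical sections, metadata payload or None if unsigned).
    if len(data) >= 4:
        plen = int.from_bytes(data[-4:], "big")
        start = len(data) - 4 - plen - len(MAGIC)
        if start >= 0 and data[start:start + len(MAGIC)] == MAGIC:
            return data[:start], data[start + len(MAGIC):-4]
    return data, None

def _digest(critical, signer, fp, prodid, caps):
    # The signed digest covers the code and the metadata fields, so a product ID
    # or capability cannot be swapped without re-signing with the private key.
    h = hashlib.sha256(critical)
    for part in (signer, fp, prodid, caps):
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()

def wli_sign(execfile, privkey, pubkey, signer, prodid="", caps=()):
    """-a: add or replace the signature section (-g prodid and -o caps are optional)."""
    critical, _ = _split_trailer(execfile)  # an update drops the old section first
    fp = pubkey_fingerprint(pubkey)
    prodid_b, caps_b = prodid.encode(), ",".join(caps).encode()
    n, d = privkey
    m = int.from_bytes(_digest(critical, signer.encode(), fp, prodid_b, caps_b), "big")
    sig = pow(m, d, n).to_bytes(64, "big")
    fields = _pack_fields([signer.encode(), fp, prodid_b, caps_b, sig])
    payload = fields + hashlib.sha256(fields).digest()  # checksum for verification step 1
    return critical + MAGIC + payload + len(payload).to_bytes(4, "big")

def wli_verify(signed, pubkey):
    """-v: step 1 checks metadata integrity, step 2 checks the RSA signature."""
    critical, payload = _split_trailer(signed)
    if payload is None:
        return False, "no WLI signature section"
    fields, chk = payload[:-32], payload[-32:]
    if hashlib.sha256(fields).digest() != chk:
        return False, "signature metadata corrupt"
    signer, fp, prodid, caps, sig = _unpack_fields(fields)
    if fp != pubkey_fingerprint(pubkey):
        return False, "public key does not match stored fingerprint"
    n, e = pubkey
    expect = int.from_bytes(_digest(critical, signer, fp, prodid, caps), "big")
    if pow(int.from_bytes(sig, "big"), e, n) != expect:
        return False, "signature does not verify"
    return True, "ok"

def wli_delete(signed):
    return _split_trailer(signed)[0]  # -d: strip the whole section; size returns to the original
```

Calling wli_sign on a constructed fake binary and then wli_verify with the matching public key returns (True, "ok"). Flipping one byte of the signed code fails step 2, flipping a byte of the trailer checksum fails step 1, presenting a different public key fails on the stored fingerprint, and wli_delete returns exactly the original bytes, so the size difference swmodify has to reconcile is the trailer alone.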
The wlisign command is installed with the optional HP-UX Whitelisting (WLI) product.
Options
Below are the supported options.
-a Adds or updates WLI signature metadata for execfile. The signature metadata
may be updated with capabilities or a product ID as part of its creation or at a
later time. If the signature is being created, pubkey is required to generate the
public key fingerprint stored in signature metadata.
-c pubkey File containing the public key extracted from privkey with rsa (1). A fingerprint
of this file is stored in signature metadata.
-d Deletes the signature from execfile.
-g prodid prodid is the "product ID", a string of the user's choosing that can be added to
one or more signed executables. A group of executables can then be given access
to an IBAC-protected file through prodid.
HP-UX 11iv3: Sep 2010 Web Release 1 Hewlett-Packard Company 1
