
HPE Secure Development Lifecycle

Overview

HPE Secure Development Lifecycle enables you to verify the authenticity and integrity of the HP-UX software you received. This page describes how the software HPE delivers to HP-UX customers is digitally signed with HPE's private key, and how to verify the authenticity and integrity of that software before installation.

 

HPE Public Key

The HPE public key must be used to verify signatures created with the HPE private key. A public key is shipped with the software packages and with the SW-DIST product, and it is used by default for verification.

If the public key installed on the system or included in the downloaded software has expired or been revoked, the latest HPE public key can be downloaded as follows.

Copy and paste the original HPE public key in the grey box below into a new file named hppublickey.pem and then install it on your system. To correctly copy the key, highlight all text below, including "-----BEGIN PUBLIC KEY -----" and "-----END PUBLIC KEY -----". You can then use this public key to verify the integrity and authenticity of the software delivered for HP-UX.

 

 

 

All public key versions need to be maintained, as there could be some software on http://software.hpe.com that was signed using one of the older HPE private keys.

 

Features and Benefits

 

Signed HP-UX packages

 

All software that is part of the HP-UX 11iv3 March 2013 (update) release, and all software and patches released through HPESC after March 2013, is digitally signed by HPE.

 

Verification of HP-UX Software

 

The software packages shipped by HPE on HP-UX come either as a directory (directory depot) or as a file (tape depot). The following sections describe how to verify each form.

 

Verifying a Signed Directory Depot

 

To verify signatures in addition to the legacy swverify functionality for a directory depot located at "/depots/sample.depot/", use the "-x verify_signatures=true" option with the swverify command.

 

swverify -d -x verify_signatures=true \* @ /depots/sample.depot/

 

To verify only the signatures in a signed directory depot located at "/depots/sample.depot/", use the "-x verify_signatures_only=true" option.

 

swverify -d -x verify_signatures_only=true \* @ /depots/sample.depot/

 

Verifying a Signed Tape Depot

 

Typically, HP-UX software and patches downloaded from the patch hub are in the form of tape depots (files). Use the swsign command to verify the authenticity and integrity of such software (tape depots).

 

To verify a tape depot located at "/depots/sample.depot":

swsign -v -s /depots/sample.depot

 

Specifying Public Key

 

To specify your own public key path instead of the default, use the "-x public_key=/path/to/public/key" option.

 

swverify -d -x verify_signatures_only=true -x public_key=/path/to/public/key \* @ /depots/sample.depot/
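
The checks above can be combined into one fail-closed gate that picks swverify for a directory depot and swsign for a tape depot. This is an added example, not HPE's code: the function name verify_depot and its return codes are hypothetical, and it assumes both commands exit non-zero when verification fails.

```shell
#!/bin/sh
# Added example (not HPE code): fail-closed signature gate for an HP-UX depot.
# Assumption: swverify and swsign exit non-zero when verification fails.
# verify_depot is a hypothetical helper name.
#
# verify_depot DEPOT [PUBLIC_KEY]
#   returns 0 = signatures verified, 1 = verification failed, 2 = bad input
verify_depot() {
    depot=${1:-}
    pubkey=${2:-}

    if [ -z "$depot" ]; then
        echo "usage: verify_depot DEPOT [PUBLIC_KEY]" >&2
        return 2
    fi
    if [ -n "$pubkey" ] && [ ! -r "$pubkey" ]; then
        echo "public key not readable: $pubkey" >&2
        return 2
    fi

    if [ -d "$depot" ]; then
        # Directory depot: signature-only check with swverify.
        if [ -n "$pubkey" ]; then
            swverify -d -x verify_signatures_only=true \
                -x public_key="$pubkey" \* @ "$depot" || return 1
        else
            swverify -d -x verify_signatures_only=true \* @ "$depot" || return 1
        fi
    elif [ -f "$depot" ]; then
        # Tape depot (single file). The page shows public_key only for
        # swverify, so refuse an explicit key here instead of ignoring it.
        if [ -n "$pubkey" ]; then
            echo "explicit public key not supported for tape depots here" >&2
            return 2
        fi
        swsign -v -s "$depot" || return 1
    else
        echo "depot not found: $depot" >&2
        return 2
    fi
    echo "signature check passed: $depot"
}
```

Call it before installation and continue only on a zero return, for example `verify_depot /depots/sample.depot || exit 1`.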

 

Software Dependencies

 

SW-DIST and HP-UX Whitelisting, the software required for verifying any HP-UX software, are available for download or as part of the HP-UX 11iv3 update 1303. This functionality is supported only with SW-DIST B.11.31.1303 or newer and HP-UX Whitelisting B.01.01.07 or newer.

 

For more details on HPE Secure Development Lifecycle, see the technical whitepaper Authenticity and Integrity Verification of HP-UX Software Packages.

 
Additional product information
Product #: HPSecureDevelopmentLifecycle
Version: 1.0