This chapter describes how to create optional information files and installation scripts for a package. While Chapter 2, Building a Package discussed the minimum requirements for making a package, this chapter discusses additional functionality that you can build into a package. This additional functionality is based on the criteria you considered when planning how to design your package. For more information, see Considerations Before Building a Package.This is a list of the overview information in this chapter.Creating Information Files and Installation Scripts (Task Map) Creating Information Files Creating Installation Scripts Creating Signed Packages The following task map describes the optional features you can build into a package.Task Description For Instructions 1. Create information files Define package dependenciesA definition of package dependencies allows you to specify whether your package is compatible with previous versions, dependent on other packages, or whether other packages are dependent on yours. How to Define Package Dependencies Write a copyright messageA copyright file provides legal protection for your software application. How to Write a Copyright Message Reserve additional space on the target system.A space file sets aside blocks on the target system, which enables you to create files during installation that are not defined in the pkgmap file. How to Reserve Additional Space on a Target System 2. Create installation scripts Obtain information from the installerA request script enables you to obtain information from the person installing your package. How to Write a request Script Gather file system data needed for installationA checkinstall script enables you to perform an analysis of the target system and set up the correct environment for, or cleanly halt, the installation. How to Gather File System Data Write procedure scriptsProcedure scripts enable you to provide customized installation instructions during specific phases of the installation or removal process. How to Write Procedure Scripts Write class action scriptsClass action scripts enable you to specify a set of instructions to be executed during package installation and removal on specific groups of package objects. How to Write Class Action Scripts This section discusses optional package information files. With these files you can define package dependencies, provide a copyright message, and reserve additional space on a target system.You need to determine whether your package has dependencies on other packages and if any other packages depend on yours. Package dependencies and incompatibilities can be defined with two of the optional package information files, compver and depend.Delivering a compver file lets you name previous versions of your package that are compatible with the package being installed.packagedefining dependenciescompver filedescriptiondepend filedescriptionDelivering a depend file lets you define three types of dependencies associated with your package. These dependency types are as follows:prerequisite packageA prerequisite package – Your package depends on the existence of another package reverse dependencyA reverse dependency – Another package depends on the existence of your package Use the reverse dependency type only when a package that cannot deliver a depend file relies on your package. incompatible packageAn incompatible package – Your package is incompatible with the named package request scriptdependency checkingcheckinstall scriptdependency checkingThe depend file resolves only very basic dependencies. If your package depends upon a specific file, its contents, or its behavior, the depend file does not supply adequate precision. In this case, a request script or the checkinstall script should be used for detailed dependency checking. The checkinstall script is also the only script capable of cleanly halting the package installation process.Be certain that your depend and compver files have entries in the prototype file. The file type should be i (for package information file). Refer to the depend4 and compver4 man pages for more information. package dependencieshow to definecompver filehow to writedepend filehow to writeMake the directory that contains your information files the current working directory. If previous versions of your package exist and you need to specify that your new package is compatible with them, create a file named compver with your favorite text editor.List the versions with which your package is compatible. Use this format:string string . . .The value of string is identical to the value assigned to the VERSION parameter in the pkginfo file, for each compatible package. Save your changes and quit the editor. If your package depends on the existence of other packages, other packages depend on the existence of your package, or your package is incompatible with another package, create a file named depend with your favorite text editor.Add an entry for each dependency. Use this format:type pkg-abbrev pkg-name (arch) version (arch) version . . .typeDefines the dependency type. Must be one of the following characters: P (prerequisite package), I (incompatible package), or R (reverse dependency). pkg-abbrevSpecifies the package abbreviation, such as SUNWcadap. pkg-nameSpecifies the full package name, such as Chip designers need CAD application software to design abc chips. Runs only on xyz hardware and is installed in the usr partition. (arch)Optional. Specifies the type of hardware on which the package runs. For example, sparc or x86. If you specify an architecture, you must use the parentheses as delimiters. versionOptional. Specifies the value assigned to the VERSION parameter in the pkginfo file. For more information, see depend4. Save your changes and quit the editor. Complete one of the following tasks:If you want to create additional information files and installation scripts, skip to the next task, How to Write a Copyright Message. If you have not created your prototype file, complete the procedure How to Create a prototype File by Using the pkgproto Command. Skip to Step 7. If you have already created your prototype file, edit it and add an entry for each file you just created. Build your package.See How to Build a Package, if needed. compver fileexampleIn this example, there are four versions of a package: 1.0, 1.1, 2.0, and the new package, 3.0. The new package is compatible with all the three previous versions. The compver file for the newest version might look like the following:release 3.0 release 2.0 version 1.1 1.0The entries do not have to be in sequential order. However, they should exactly match the definition of the VERSION parameter in each package's pkginfo file. In this example, the package designers used different formats in the first three versions. depend fileexampleThis example assumes that the sample package, SUNWcadap, requires that the SUNWcsr and SUNWcsu packages already be installed on a target system. The depend file for SUNWcadap looks like the following:P SUNWcsr Core Solaris, (Root) P SUNWcsu Core Solaris, (Usr) After you build the package, install it to confirm that it installs correctly and verify its integrity. Chapter 4, Verifying and Transferring a Package explains these tasks and provides step-by-step instructions on how to transfer your verified package to a distribution medium. copyright filewriting aYou need to decide whether your package should display a copyright message while it is being installed. If so, create the copyright file. You should include a copyright file to provide legal protection for your software application. Check with the legal department of your company for the exact wording of the message. To deliver a copyright message, you must create a file named copyright. During installation, the message is displayed exactly as it appears in the file (with no formatting). See the copyright4 man page for more information. Be certain that your copyright file has an entry in the prototype file. The file type should be i (for package information file). copyright filehow to writeMake the directory that contains your information files the current working directory. Create a file named copyright with your favorite text editor.Type the text of the copyright message exactly as you want it to appear as your package is installed. Save your changes and quit the editor. Complete one of the following tasks.If you want to create additional information files and installation scripts, skip to the next task, How to Reserve Additional Space on a Target System. If you have not created your prototype file, complete the procedure How to Create a prototype File by Using the pkgproto Command. Skip to Step 5. If you have already created your prototype file, edit it and add an entry for the information file you just created. Build your package.See How to Build a Package, if needed. copyright fileexampleFor example, a partial copyright message might look like the following:Copyright (c) 2003 Company Name All Rights Reserved This product is protected by copyright and distributed under licenses restricting copying, distribution, and decompilation. After you build the package, install it to confirm that it installs correctly and verify its integrity. Chapter 4, Verifying and Transferring a Package explains these tasks and provides step-by-step instructions on how to transfer your verified package to a distribution medium. reserving additional space on a target systemspace fileYou need to determine whether your package needs additional disk space on the target system. This space is in addition to the space required by the package objects. If so, create the space information file. This task is different than creating empty files and directories at installation time, as discussed in Defining Additional Objects to Be Created at Install Time.pkgadd commandand disk spacepkgmap filereserving additional space on a target systemThe pkgadd command ensures that there is enough disk space to install your package based on the object definitions in the pkgmap file. However, a package may require additional disk space beyond that needed by the objects defined in the pkgmap file. For example, your package might create a file after installation, which may contain a database, log files, or some other growing file that consumes disk space. To be sure that there is space reserved for it, you should include a space file that specifies the disk space requirements. The pkgadd command checks for the additional space specified in a space file. Refer to the space4 man page for more information. Be certain that your space file has an entry in the prototype file. The file type should be i (for package information file). space filehow to create aMake the directory that contains your information files the current working directory. Create a file named space with your favorite text editor.Specify any additional disk space requirements needed by your package. Use this format:pathname blocks inodespathnameSpecifies a directory name, which may or may not be the mount point for a file system. blocksSpecifies the number of 512-byte blocks that you want reserved. inodesSpecifies the number of required inodes. For more information, see the space4 man page. Save your changes and quit the editor. Complete one of the following tasks.If you want to create installation scripts, skip to the next task, How to Write a request Script. If you have not created your prototype file, complete the procedure in How to Create a prototype File by Using the pkgproto Command. Skip to Step 5. If you have already created your prototype file, edit it and add an entry for the information file you just created. Build your package.See How to Build a Package, if needed. space fileexampleThis example space file specifies that 1000 512-byte blocks and 1 inode be reserved in the /opt directory on the target system./opt 1000 1 After you build the package, install it to confirm that it installs correctly and verify its integrity. Chapter 4, Verifying and Transferring a Package explains these tasks and provides step-by-step instructions on how to transfer your verified package to a distribution medium. installation scriptscreatinginstallation scriptsrequirements forpkgadd commandand installation scriptsThis section discusses optional package installation scripts. The pkgadd command automatically performs all the actions necessary to install a package using the package information files as input. You do not have to supply any package installation scripts. However, if you want to create customized installation procedures for your package, you can do so with installation scripts. Installation scripts: Must be executable by the Bourne shell (sh) Must contain Bourne shell commands and text Do not need to contain the #!/bin/sh shell identifier Need not be an executable file There are four types of installation scripts with which you can perform customized actions:request scriptcreating installation scriptsscriptsinstallation scriptsinstallation scriptstypes ofThe request script The request script solicits data from the administrator who is installing a package for assigning or redefining environment variables. checkinstall scriptcreating installation scriptsThe checkinstall scriptThe checkinstall script examines the target system for needed data, can set or modify package environment variables, and determines whether the installation proceeds. The checkinstall script is available starting with the Solaris 2.5 and compatible releases. procedure scriptsProcedure scripts procedure scriptspredefined names ofProcedure scripts identify a procedure to be invoked before or after the installation or removal of a package. The four procedure scripts are preinstall, postinstall, preremove, and postremove. class action scriptcreating installation scriptsClass action scripts object classessystemClass action scripts define an action or set of actions that should be applied to a class of files during installation or removal. You can define your own classes. Alternatively, you can use one of the four standard classes (sed, awk, build, and preserve). pkgadd commandand script processinginstallation scriptsprocessing ofThe type of scripts you use depends on when the action of the script is needed during the installation process. As a package is installed, the pkgadd command performs the following steps:Executes the request scriptrequest scriptand script processingThis step is the only point at which your package can solicit input from the administrator who is installing the package. Executes the checkinstall scriptcheckinstall scriptThe checkinstall script gathers file system data and can create or alter environment variable definitions to control the subsequent installation. For more information on package environment variables, see Package Environment Variables. preinstall scriptExecutes the preinstall script Installs package objects, for each class to be installedobject classesinstallingInstallation of these files occurs class by class, and class action scripts are executed accordingly. The list of classes operated on and the order in which they should be installed is initially defined with the CLASSES parameter in your pkginfo file. However, your request script or checkinstall script can change the value of the CLASSES parameter. For more information on how classes are processed during installation, see How Classes Are Processed During Package Installation.Creates symbolic links, devices, named pipes, and required directories Installs the regular files (file types e, v, f), based on their classpkgmap filescript processing during package installationThe class action script is passed only regular files to install. All other package objects are created automatically from information in the pkgmap file. Creates all hard links postinstall scriptsript processing during package installationExecutes the postinstall script pkgrm commandand script processingWhen a package is being removed, the pkgrm command performs these steps: preremove scriptExecutes the preremove script Removes the package objects, for each classobject classesremovingclass action scriptRemoval also occurs class by class. Removal scripts are processed in the reverse order of installation, based on the sequence defined in the CLASSES parameter. For more information on how classes are processed during installation, see How Classes Are Processed During Package Installation.Removes hard links Removes regular files Removes symbolic links, devices, and named pipes postremove scriptExecutes the postremove script request scriptand package removalThe request script is not processed at the time of package removal. However, the script's output is retained in the installed package and made available to removal scripts. The request script's output is a list of environment variables. installation environment variablesto determine Solaris versionOS version environment variablesrequest scriptand environment variablescheckinstall scriptand environment variablesinstallation environment variablesinstallation scriptsand environment variablesThe following groups of environment variables are available to all installation scripts. Some of the environment variables can be modified by a request script or a checkinstall script. The request script or the checkinstall script can set or modify any of the standard parameters in the pkginfo file, except for the required parameters. The standard installation parameters are described in detail in the pkginfo4 man page.The BASEDIR parameter can only be modified starting with the Solaris 2.5 release and compatible releases. You can define your own installation environment variables by assigning values to them in the pkginfo file. Such environment variables must be alphanumeric with initial capital letters. Any of these environment variables can be changed by a request script or a checkinstall script. Both a request script and a checkinstall script can define new environment variables by assigning values to them and putting them in the installation environment. The following table lists environment variables that are available to all installation scripts through the environment. None of these environment variables can be modified by a script. Environment Variable Description CLIENT_BASEDIR The base directory with respect to the target system. While BASEDIR is the variable to use if you are referring to a specific package object from the install system (most likely a server), CLIENT_BASEDIR is the path to include in files placed on the client system. CLIENT_BASEDIR exists if BASEDIR exists and is identical to BASEDIR if there is no PKG_INSTALL_ROOT. INST_DATADIR The directory where the package now being read is located. If the package is being read from a tape, this variable will be the location of a temporary directory where the package has been transferred into directory format. In other words, assuming there is no extension to the package name (for example, SUNWstuff.d), the request script for the current package would be found at $INST_DATADIR/$PKG/install. PATH The search list used by sh to find commands on script invocation. PATH is usually set to /sbin:/usr/sbin:/usr/bin:/usr/sadm/install/bin. PKGINST The instance identifier of the package being installed. If another instance of the package is not already installed, the value is the package abbreviation (for example, SUNWcadap). Otherwise, the value is the package abbreviation followed by a suffix, such as SUNWcadap.4. PKGSAV The directory where files can be saved for use by removal scripts or where previously saved files can be found. Available only in the Solaris 2.5 release and compatible releases. PKG_CLIENT_OS The operating system of the client where the package is being installed. The value of this variable is Solaris. PKG_CLIENT_VERSION The Solaris version in x.y format. PKG_CLIENT_REVISION The Solaris build revision. PKG_INSTALL_ROOT The root file system on the target system where the package is being installed. This variable exists only if the pkgadd and pkgrm commands were invoked with the R option. This conditional existence facilitates its use in procedure scripts in the form ${PKG_INSTALL_ROOT}/somepath. PKG_NO_UNIFIED An environment variable that gets set if the pkgadd and pkgrm commands were invoked with the M and R options. This environment variable is passed to any package installation script or package command that is part of the package environment. UPDATE This environment variable does not exist under most installation environments. If this variable does exist (with the value yes), it means one of two things. Either a package with the same name, version, and architecture is already installed on the system. Or this package is overwriting an installed package of the same name at the direction of the administrator. In these events, the original base directory is always used. installation scriptsobtaining package informationTwo commands can be used from scripts to solicit information about a package: pkginfo commandobtaining package informationThe pkginfo command returns information about software packages, such as the instance identifier and package name. pkgparam commandThe pkgparam command returns values for requested environment variables. See the pkginfo1 man page, the pkgparam1 man page, and Chapter 4, Verifying and Transferring a Package for more information. installation scriptsexit codesexit codes for scriptsEach script must exit with one of the exit codes shown in the following table.Code Meaning 0 Successful completion of script. 1 Fatal error. Installation process is terminated at this point. 2 Warning or possible error condition. Installation continues. A warning message is displayed at the time of completion. 3 The pkgadd command is cleanly halted. Only the checkinstall script returns this code. 10 System should be rebooted when installation of all selected packages is completed. (This value should be added to one of the single-digit exit codes.) 20 System should be rebooted immediately upon completing installation of the current package. (This value should be added to one of the single-digit exit codes.) See Chapter 5, Case Studies of Package Creation for examples of exit codes that are returned by installation scripts.All installation scripts delivered with your package should have an entry in the prototype file. The file type should be i (for package installation script). request scriptwriting aThe request script is the only way your package can interact directly with the administrator who is installing it. This script can be used, for example, to ask the administrator if optional pieces of a package should be installed.The output of a request script must be a list of environment variables and their values. This list can include any of the parameters that you created in the pkginfo file, and the CLASSES and BASEDIR parameters. The list can also introduce environment variables that have not been defined elsewhere. However, the pkginfo file should always provide default values when practical. For more information on package environment variables, see Package Environment Variables.pkgadd commandand request scriptsWhen your request script assigns values to an environment variable, it must then make those values available to the pkgadd command and other package scripts. request scriptbehaviorsThe request script cannot modify any files. This script only interacts with administrators who are installing the package and creates a list of environment variable assignments based upon that interaction. The request script runs as the non privileged user install if that user exists. Otherwise, the script is executed as root. The pkgadd command calls the request script with one argument that names the script's response file. The response file stores the administrator's responses. The request script is not executed during package removal. However, the environment variables assigned by the script are saved and are available during package removal. request scriptdesign rulesThere can be only one request script per package. The script must be named request. The environment variable assignments should be added to the installation environment for use by the pkgadd command and other packaging scripts by writing them to the response file (known to the script as $1). System environment variables and standard installation environment variables, except for the CLASSES and BASEDIR parameters, cannot be modified by a request script. Any of the other environment variables that you created can be changed. A request script can only modify the BASEDIR parameter starting with the Solaris 2.5 and compatible releases. Every environment variable that the request script may manipulate should be assigned a default value in the pkginfo file. The format of the output list should be PARAM=value. For example: CLASSES=none class1 The administrator's terminal is defined as standard input to the request script. Do not perform any special analysis of the target system in a request script. It is risky to test the system for the presence of certain binaries or behaviors, and to set environment variables based upon that analysis. There is no guarantee that the request script will actually be executed at install time. The administrator who is installing the package may provide a response file that will insert the environment variables without ever calling the request script. If the request script is also evaluating the target file system, that evaluation may not happen. An analysis of the target system for special treatment is best left to the checkinstall script. pkgask commandpkgask commandIf the administrators who will be installing your package might use the JumpStart product, then the installation of your package must not be interactive. Either you should not provide a request script with your package, or you need to communicate to the administrators that they should use the pkgask command prior to installation. The pkgask command stores their responses to the request script. For more information on the pkgask command, see the pkgask1M man page. request scripthow to write aMake the directory that contains your information files the current working directory. Create a file named request with your favorite text editor. Save your changes and quit the editor when you are done. Complete one of the following tasks.If you want to create additional installation scripts, skip to the next task, How to Gather File System Data. If you have not created your prototype file, complete the procedure How to Create a prototype File by Using the pkgproto Command. Skip to Step 5. If you have already created your prototype file, edit it and add an entry for the installation script you just created. Build your package.See How to Build a Package, if needed. request scriptexampleWhen a request script assigns values to environment variables, it must make those values available to the pkgadd command. This example shows a request script segment that performs this task for the four environment variables: CLASSES, NCMPBIN, EMACS, and NCMPMAN. Assume that these variables were defined in an interactive session with the administrator earlier in the script.# make environment variables available to installation # service and any other packaging script we might have cat >$1 <<! CLASSES=$CLASSES NCMPBIN=$NCMPBIN EMACS=$EMACS NCMPMAN=$NCMPMAN ! After you build the package, install it to confirm that it installs correctly and verify its integrity. Chapter 4, Verifying and Transferring a Package explains these tasks and provides step-by-step instructions on how to transfer your verified package to a distribution medium. checkinstall scriptwriting aThe checkinstall script is executed shortly after the optional request script. The checkinstall script runs as the user install, if such a user exists, or as the user nobody. The checkinstall script does not have the authority to change file system data. However, based on the information the script gathers, it can create or modify environment variables in order to control the course of the resulting installation. The script is also capable of cleanly halting the installation process.The checkinstall script is intended to perform basic checks on a file system that would not be normal for the pkgadd command. For example, this script can be used to check ahead to determine if any files from the current package are going to overwrite existing files, or manage general software dependencies. The depend file only manages package-level dependencies.Unlike the request script, the checkinstall script is executed whether or not a response file is provided. The script's presence does not brand the package as interactive. The checkinstall script can be used in situations where a request script is forbidden or administrative interaction is not practical.The checkinstall script is available starting with the Solaris 2.5 and compatible releases. request scriptbehaviorsThe checkinstall script cannot modify any files. This script only analyzes the state of the system and creates a list of environment variable assignments based upon that interaction. To enforce this restriction, the checkinstall script is executed as the non privileged user install if that user exists. Otherwise, this script is executed as the non privileged user nobody. The checkinstall script does not have superuser authority. The pkgadd command calls the checkinstall script with one argument that names the script's response file. The script's response file is the file that stores the administrator's responses. The checkinstall script is not executed during package removal. However, the environment variables assigned by the script are saved and are available during package removal. checkinstall scriptdesign rulesThere can be only one checkinstall script per package. The script must be named checkinstall. The environment variable assignments should be added to the installation environment for use by the pkgadd command and other packaging scripts by writing them to the response file (known to the script as $1). System environment variables and standard installation environment variables, except for the CLASSES and BASEDIR parameters, cannot be modified by a checkinstall script. Any of the other environment variables that you created can be changed. Every environment variable that the checkinstall script may manipulate should be assigned a default value in the pkginfo file. The format of the output list should be PARAM=value. For example: CLASSES=none class1 Administrator interaction is not permitted during execution of a checkinstall script. All administrator interaction is restricted to the request script. checkinstall scripthow to write aMake the directory that contains your information files the current working directory. Create a file named checkinstall with your favorite text editor. Save your changes and quit the editor when you are done. Complete one of the following tasks.If you want to create additional installation scripts, skip to the next task, How to Write Procedure Scripts. If you have not created your prototype file, complete the procedure How to Create a prototype File by Using the pkgproto Command. Skip to Step 5. If you have already created your prototype file, edit it and add an entry for the installation script you just created. Build your package.See How to Build a Package, if needed. request scriptexampleThis example checkinstall script checks to see if database software needed by the SUNWcadap package is installed.# checkinstall script for SUNWcadap # # This confirms the existence of the required specU database # First find which database package has been installed. pkginfo -q SUNWspcdA # try the older one if [ $? -ne 0 ]; then pkginfo -q SUNWspcdB # now the latest if [ $? -ne 0 ]; then # oops echo "No database package can be found. Please install the" echo "SpecU database package and try this installation again." exit 3 # Suspend else DBBASE="`pkgparam SUNWsbcdB BASEDIR`/db" # new DB software fi else DBBASE="`pkgparam SUNWspcdA BASEDIR`/db" # old DB software fi # Now look for the database file we will need for this installation if [ $DBBASE/specUlatte ]; then exit 0 # all OK else echo "No database file can be found. Please create the database" echo "using your installed specU software and try this" echo "installation again." exit 3 # Suspend fi After you build the package, install it to confirm that it installs correctly and verify its integrity. Chapter 4, Verifying and Transferring a Package explains these tasks and provides step-by-step instructions on how to transfer your verified package to a distribution medium. procedure scriptswritingThe procedure scripts provide a set of instructions to be performed at particular points in package installation or removal. The four procedure scripts must be named one of the predefined names, depending on when the instructions are to be executed. The scripts are executed without arguments.procedure scriptspredefined names ofpreinstall scriptThe preinstall script Runs before class installation begins. No files should be installed by this script. postinstall scriptprocedure scriptsThe postinstall script Runs after all volumes have been installed. preremove scriptThe preremove script Runs before class removal begins. No files should be removed by this script. postremove scriptThe postremove script Runs after all classes have been removed. procedure scriptsbehaviorsProcedure scripts are executed as uid=root and gid=other. procedure scriptsdesign rulesEach script should be able to be executed more than once because it is executed once for each volume in a package. This means that executing a script any number of times with the same input produces the same results as executing the script only once. pkgmap fileprocedure script design rulesinstallf commandpostinstall scriptinstalling package objectspostremove scriptremoving package objectsEach procedure script that installs a package object not in the pkgmap file must use the installf command to notify the package database that it is adding or modifying a path name. After all additions or modifications are complete, this command should be invoked with the f option. Only the postinstall and postremove scripts may install package objects in this way. See the installf1M man page and Chapter 5, Case Studies of Package Creation for more information. Administrator interaction is not permitted during execution of a procedure script. All administrator interaction is restricted to the request script. removef commandEach procedure script that removes files not installed from the pkgmap file must use the removef command to notify the package database that it is removing a path name. After removal is complete, this command should be invoked with the f option. See the removef1M man page and Chapter 5, Case Studies of Package Creation for details and examples.The installf and removef commands must be used because procedure scripts are not automatically associated with any path names listed in the pkgmap file. procedure scriptshow to writeMake the directory that contains your information files the current working directory. Create one or more procedure scripts with your favorite text editor.A procedure script must be named one of the predefined names: preinstall, postinstall, preremove, or postremove. Save your changes and quit the editor. Complete one of the following tasks.If you want to create class action scripts, skip to the next task, How to Write Class Action Scripts. If you have not created your prototype file, complete the procedure How to Create a prototype File by Using the pkgproto Command. Skip to Step 5. If you have already created your prototype file, edit it and add an entry for each installation script you just created. Build your package.See How to Build a Package, if needed. After you build the package, install it to confirm that it installs correctly and verify its integrity. Chapter 4, Verifying and Transferring a Package explains these tasks and provides step-by-step instructions on how to transfer your verified package to a distribution medium. object classespackageobjectclassespackageobjectclassesobject classesObject classes allow a series of actions to be performed on a group of package objects at installation or removal. You assign objects to a class in the prototype file. All package objects must be given a class, although the class of none is used by default for objects that require no special action. The installation parameter CLASSES, defined in the pkginfo file, is a list of classes to be installed (including the none class). pkgmap filedefining object classesObjects defined in the pkgmap file that belong to a class not listed in this parameter in the pkginfo file will not be installed. The CLASSES list determines the order of installation. Class none is always installed first, if present, and removed last. Since directories are the fundamental support structure for all other file system objects, they should all be assigned to the none class. Exceptions can be made, but as a general rule, the none class is safest. This strategy ensures that the directories are created before the objects they will contain. In addition, no attempt is made to delete a directory before it has been emptied. installing classesobject classesinstallingclassesobject classesThe following describes the system actions that occur when a class is installed. The actions are repeated once for each volume of a package, as that volume is being installed. pkgadd commandand class installationpkgadd commandThe pkgadd command creates a path name list. The pkgadd command creates a list of path names upon which the action script operates. Each line of this list contains source and destination path names, separated by a space. The source path name indicates where the object to be installed resides on the installation volume. The destination path name indicates the location on the target system where the object should be installed. The contents of the list are restricted by the following criteria: The list contains only path names that belong to the associated class. pkgmap fileclass processing during installationIf the attempt to create the package object fails, then directories, named pipes, character devices, block devices, and symbolic links are included in the list with the source path name set to /dev/null. Normally, these items are automatically created by the pkgadd command (if not already in existence) and given proper attributes (mode, owner, group) as defined in the pkgmap file. Linked files where the file type is l are not included in the list under any circumstances. Hard links in the given class are created in item 4. If no class action script is provided for installation of a particular class, the path names in the generated list are copied from the volume to the appropriate target location. A class action script is executed if one exists. The class action script is invoked with standard input that contains the list generated in item 1. If this volume is the last volume of the package, or no more objects exist in this class, the script is executed with the single argument of ENDOFCLASS.Even if no regular files of this class exist in the package, the class action script is called at least once with an empty list and the ENDOFCLASS argument. The pkgadd command performs a content and attribute audit, and creates hard links. After successfully executing items 2 or 3, the pkgadd command audits both content and attribute information for the list of path names. The pkgadd command creates the links associated with the class automatically. Detected attribute inconsistencies are corrected for all path names in the generated list. installf commandremoving classesobject classesremovingpkgrm commandand class removalObjects are removed class by class. Classes that exist for a package but are not listed in the CLASSES parameter are removed first (for example, an object installed with the installf command). Classes listed in the CLASSES parameter are removed in reverse order. The none class is always removed last. The following describes the system actions that occur when a class is removed: The pkgrm command creates a path name list. The pkgrm command creates a list of installed path names that belong to the indicated class. Path names referenced by another package are excluded from the list unless their file type is e. A file type of e means the file should be edited upon installation or removal. If the package being removed had modified any files of type e during installation, it should remove just the lines it added. Do not delete a non-empty editable file. Remove the lines that the package added. If no class action script exists, the path names are deleted. If your package has no removal class action script for the class, all the path names in the list generated by the pkgrm command are deleted. Files with a file type of e (editable) are not assigned to a class and an associated class action script. These files are removed at this point, even if the path name is shared with other packages. If a class action script exists, the script is executed. The pkgrm command invokes the class action script with standard input for the script that contains the list generated in item 1. The pkgrm command performs an audit. After successfully executing the class action script, the pkgrm command removes references to the path names from the package database unless a path name is referenced by another package. class action scriptThe class action script defines a set of actions to be executed during installation or removal of a package. The actions are performed on a group of path names based on their class definition. See Chapter 5, Case Studies of Package Creation for examples of class action scripts. The name of a class action script is based on the class on which it should operate and whether those operations should occur during package installation or package removal. The two name formats are shown in the following table: Name Format Description i.class Operates on path names in the indicated class during package installation r.class Operates on path names in the indicated class during package removal class action scriptnaming conventionsFor example, the name of the installation script for a class named manpage would be i.manpage. The removal script would be named r.manpage.This file name format is not used for files that belong to the sed, awk, or build system classes. For more information on these special classes, see The Special System Classes. class action scriptbehaviorsClass action scripts are executed as uid=root and gid=other. A script is executed for all files in the given class on the current volume. pkgmap fileclass action script behaviorsThe pkgadd and pkgrm commands create a list of all objects listed in the pkgmap file that belong to the class. As a result, a class action script can act only upon path names defined in the pkgmap that belong to a particular class. When a class action script is executed for the last time (that is, no more files belong to that class), the class action script is executed once with the keyword argument ENDOFCLASS. Administrator interaction is not permitted during execution of a class action script. class action scriptdesign rulesIf a package spans more than one volume, the class action script is executed once for each volume that contains at least one file that belongs to a class. Consequently, each script must be able to be executed more than once. This means that executing a script any number of times with the same input must produce the same results as executing the script only once. When a file is part of a class that has a class action script, the script must install the file. The pkgadd command does not install files for which a class action script exists, although it does verify the installation. A class action script should never add, remove, or modify a path name or system attribute that does not appear in the list generated by the pkgadd command. For more information on this list, see item 1 in How Classes Are Processed During Package Installation. When your script sees the ENDOFCLASS argument, put post-processing actions such as clean up into your script. All administrator interaction is restricted to the request script. Do not try to obtain information from the administrator by using a class action script. object classessystemsystem object classesThe system provides four special classes:object classessystemsedThe sed classProvides a method for using sed instructions to edit files upon package installation and removal awk classobject classessystemawkThe awk class Provides a method for using awk instructions to edit files upon package installation and removal build classobject classessystembuildThe build class Provides a method to dynamically construct or modify a file by using Bourne shell commands The preserve classProvides a method to preserve files that should not be overwritten by future package installations If several files in a package require special processing that can be fully defined through sed, awk, or sh commands, installation is faster by using the system classes rather than multiple classes and their corresponding class action scripts.sed classscriptThe sed class provides a method to modify an existing object on the target system. The sed class action script executes automatically at installation if a file that belongs to class sed exists. The name of the sed class action script should be the same as the name of the file on which the instructions are executed.A sed class action script delivers sed instructions in the following format:Two commands indicate when instructions should be executed. The sed instructions that follow the !install command are executed during package installation. The sed instructions that follow the !remove command are executed during package removal. The order in which these commands are used in the file does not matter. For more information on sed instructions, see the sed1 man page. For examples of sed class action scripts, see Chapter 5, Case Studies of Package Creation. awk classscriptThe awk class provides a method to modify an existing object on the target system. Modifications are delivered as awk instructions in an awk class action script. The awk class action script is executed automatically at installation if a file that belongs to class awk exists. Such a file contains instructions for the awk class script in the following format:Two commands indicate when instructions should be executed. The awk instructions that follow the !install command are executed during package installation. The instructions that follow the !remove command are executed during package removal. These commands may be used in any order. The name of the awk class action script should be the same as the name of the file on which the instructions are executed. The file to be modified is used as input to the awk command and the output of the script ultimately replaces the original object. Environment variables may not be passed to the awk command with this syntax. For more information on awk instructions, see the awk1 man page. build classscriptThe build class creates or modifies a package object file by executing Bourne shell instructions. These instructions are delivered as the package object. The instructions run automatically at installation if the package object belongs to the build class. The name of the build class action script should be the same as the name of the file on which the instructions are executed. The name must also be executable by the sh command. The script's output becomes the new version of the file as it is built or modified. If the script produces no output, the file is not created or modified. Therefore, the script can modify or create the file itself.For example, if a package delivers a default file, /etc/randomtable, and if the file does not already exist on the target system, the prototype file entry might be as follows:e build /etc/randomtable ? ? ?The package object, /etc/randomtable, might look like the following:!install # randomtable builder if [ -f $PKG_INSTALL_ROOT/etc/randomtable ]; then echo "/etc/randomtable is already in place."; else echo "# /etc/randomtable" > $PKG_INSTALL_ROOT/etc/randomtable echo "1121554 # first random number" >> $PKG_INSTALL_ROOT/etc/randomtable fi !remove # randomtable deconstructor if [ -f $PKG_INSTALL_ROOT/etc/randomtable ]; then # the file can be removed if it's unchanged if [ egrep "first random number" $PKG_INSTALL_ROOT/etc/randomtable ]; then rm $PKG_INSTALL_ROOT/etc/randomtable; fi fi See Chapter 5, Case Studies of Package Creation for another example using the build class. The preserve class preserves a package object file by determining whether or not an existing file should be overwritten when the package is installed. Two possible scenarios when using a preserve class script are:If the file to be installed does not already exist in the target directory, the file will be installed normally. If the file to be installed exists in the target directory, a message describing that the file exists is displayed, and the file is not installed. Both scenario outcomes are considered successful by the preserve script. A failure occurs only in the second scenario when the file is unable to be copied to the target directory.Starting with the Solaris 7 release, the i.preserve script and a copy of this script, i.CONFIG.prsv, can be found in the /usr/sadm/install/scripts directory with the other class action scripts. Modify the script to include the filename or filenames you would like to preserve. class action scripthow to write aMake the directory that contains your information files the current working directory. Assign the package objects in the prototype file the desired class names.For example, assigning objects to an application and manpage class would look like the following:f manpage /usr/share/man/manl/myappl.1l f application /usr/bin/myappl Modify the CLASSES parameter in the pkginfo file to contain the class names you want to use in your package. For example, entries for the application and manpage classes would look like the following:CLASSES=manpage application noneThe none class is always installed first and removed last, regardless of where it appears in the definition of the CLASSES parameter. If you are a creating a class action script for a file that belongs to the sed, awk, or build class, make the directory that contains the package object your current working directory. Create the class action scripts or package objects (for files that belong to the sed, awk, or build class). For example, an installation script for a class named application would be named i.application and a removal script would be named r.application.Remember, when a file is part of a class that has a class action script, the script must install the file. The pkgadd command does not install files for which a class action script exists, although it does verify the installation. And, if you define a class but do not deliver a class action script, the only action taken for that class is to copy components from the installation medium to the target system (the default pkgadd behavior). Complete one of the following tasks.If you have not created your prototype file, complete the procedure How to Create a prototype File by Using the pkgproto Command, and skip to Step 7. If you have already created your prototype file, edit it and add an entry for each installation script you just created. Build your package.See How to Build a Package, if needed. After you build the package, install it to confirm that it installs correctly and verify its integrity. Chapter 4, Verifying and Transferring a Package explains how to do this and provides step-by-step instructions on how to transfer your verified package to a distribution medium. signed packagesoverview for creatingThe process of creating signed packages involves a number of steps and requires some comprehension of new concepts and terminology. This section provides information about signed packages, its terminology, and information about certificate management. This section also provides step-by-step procedures about how to create a signed package.signed packagedefinition A signed package is a normal stream-format package that has a digital signature (PEM-encoded PKCS7 digital signature which is defined below) that verifies the following:The package came from the entity who signed it The entity indeed signed it The package has not been modified since the entity signed it The entity who signed it is a trusted entity A signed package is identical to an unsigned package, except for the signature. A signed package is binary-compatible with an unsigned package. Therefore, a signed package can be used with older versions of the packaging tools. However, the signature is ignored in this case.The signed packaging technology introduces some new terminology and abbreviations, which are described in the following table.Term Definition ASN.1 public keyASN.1Abstract Syntax Notation 1 - A way of expressing abstract objects. For example, ASN.1 defines a public key certificate, all of the objects that make up the certificate, and the order in which the objects are collected. However, ASN.1 does not specify how the objects are serialized for storage or transmission. X.509 public keyX.509ITU-T Recommendation X.509 - Specifies the widely-adopted X.509 public key certificate syntax. DER Distinguished Encoding Rules - A binary representation of an ASN.1 object and defines how an ASN.1 object is serialized for storage or transmission in computing environments. PEM private keyPEMPrivacy Enhanced Message - A way to encode a file (in DER or another binary format) using base 64 encoding and some optional headers. PEM was initially used for encoding MIME-type email messages. PEM is also used extensively for encoding certificates and private keys into a file that exists on a file system or in an email message. PKCS7 Public Key Cryptography Standard #7 - This standard describes a general syntax for data that may have cryptography applied to it, such as digital signatures and digital envelopes. A signed package contains an embedded PKCS7 signature. This signature contains at a minimum the encrypted digest of the package, along with the signer's X.509 public key certificate. The signed package can also contain chain certificates. Chain certificates can be used when forming a chain of trust from the signer's certificate to a locally-stored trusted certificate. PKCS12 Public Key Cryptography Standard #12 - This standard describes a syntax for storing cryptographic objects on disk. The package keystore is maintained in this format. Package keystore A repository of certificates and keys that can be queried by the package tools. certificatesmanaging trusted certificatedefinition certificatestrusted public keyin trusted certificatesBefore creating a signed package, you must have a package keystore. This package keystore contains certificates in the form of objects. Two types of objects exist in a package keystore:Trusted certificateA trusted certificate contains a single public key certificate that belongs to another entity. The trusted certificate is named as such because the keystore owner trusts that the public key in the certificate indeed belongs to the identity indicated by the “subject” (owner) of the certificate. The issuer of the certificate vouches for this trust by signing the certificate.user key private keyuser key public keyuser keyTrusted certificates are used when verifying signatures and when initiating a connection to a secure (SSL) server. User keyA user key holds sensitive cryptographic key information. This information is stored in a protected format to prevent unauthorized access. A user key consists of both the user's private key and the public key certificate that corresponds to the private key.User keys are used when creating a signed package. By default, the package keystore is stored in the /var/sadm/security directory. Individual users can also have their own keystore stored by default in the $HOME/.pkg/security directory.On disk, a package keystore can be in two formats: a multiple-file format and a single-file format. A multiple-file format stores its objects in multiple files. Each type of object is stored in a separate file. All of these files must be encrypted using the same passphrase. A single-file keystore stores all of its objects in a single file on the file system.pkgadm commandmanaging certificatesThe primary utility used to manage the certificates and the package keystore is the pkgadm command. The following subsections describe the more common tasks used for managing the package keystore.Trusted certificateand adding to the package keystore Trusted certificateeand adding to the package keystore package keystoreadding trusted certificates tocertificatestrustedtrusted certificateadding to the package keystorepkgadm commandadding trusted certificates to package keystoreA trusted certificate can be added to the package keystore using the pkgadm command. The certificate can be in PEM or DER format. For example:$ pkgadm addcert -t /tmp/mytrustedcert.pemIn this example, the PEM format certificate called mytrustedcert.pem is added to the package keystore. package keystoreadding user certificates and private keys tocertificatesuserpkgadm commandadding user certificate and private key to package keystoreprivate keyadding to package keystoreThe pkgadm command does not generate user certificates or private keys. User certificates and private keys are normally obtained from a Certificate Authority, such as Verisign. Or, they are generated locally as a self-signed certificate. Once the key and certificate are obtained, they can be imported into the package keystore using the pkgadm command. For example:pkgadm addcert -n myname -e /tmp/myprivkey.pem /tmp/mypubcert.pemIn this example, the following options are used:n myname Identifies the entity (myname) in the package keystore on which you wish to operate. The myname entity becomes the alias under which the objects are stored. e /tmp/myprivkey.pem Specifies the file that contains the private key. In this case, the file is myprivkey.pem, which is located in the /tmp directory. /tmp/mypubcert.pem Specifies the PEM format certificate file called mypubcert.pem. package keystoreverifying the contents package keystoreverifying contents ofpkgadm commandverifying package keystore contentsThe pkgadm command is also used to view the contents of the package keystore. For example:$ pkgadm listcertThis command displays the trusted certificates and private keys in the package keystore. trusted certificatedeleting from the package keystore certificatestrusted trusted certificatedeleting from the package keystorepackage keystoredeleting trusted certificates and private keys frompkgadm commanddeleting trusted certificates and private keysprivate keydeleting from package keystoreThe pkgadm command can be used to delete trusted certificates and private keys from the package keystore. When you delete user certificates, the alias of the certificate/key pair must be specified. For example:$ pkgadm removecert -n mynameThe alias of the certificate is the common name of the certificate, which can be identified using the pkgadm listcert command. For example, this command deletes a trusted certificate entitled Trusted CA Cert 1:$ pkgadm removecert -n "Trusted CA Cert 1"If you have both a trusted certificate and a user certificate stored using the same alias, they are both deleted when you specify the n option. signed packagehow to create The process of creating signed packages involves three basic steps:Creating an unsigned, directory-format package. Importing the signing certificate, CA certificates, and private key into the package keystore. Signing the package from Step 1 with the certificates from Step 2. The packaging tools do not create certificates. These certificates must be obtained from a Certificate Authority, such as Verisign or Thawte. Each step for creating signed packages is described in the following procedures. The procedure for creating an unsigned, directory-format package is the same as the procedure for creating a normal package, as previously described in this manual. The following procedure describes the process of creating this unsigned, directory-format package. If you need more information, refer to the previous sections about building packages. pkginfo filecreating a signed package, used in pkginfo commandcreating an unsigned packageCreate the pkginfo file.The pkginfo file should have the following basic content:PKG=SUNWfoo BASEDIR=/ NAME=My Test Package ARCH=sparc VERSION=1.0.0 CATEGORY=application prototype filecreating a signed package, used inCreate the prototype file.The prototye file should have the following basic content:$cat prototype i pkginfo d none usr 0755 root sys d none usr/bin 0755 root bin f none usr/bin/myapp=/tmp/myroot/usr/bin/myapp 0644 root bin List the contents of the object source directory. For example:$ ls -lR /tmp/myrootpkgmk commandcreating an unsigned packagein creating signed packagesThe output would appear similar to the following:/tmp/myroot: total 16 drwxr-xr-x 3 abc other 177 Jun 2 16:19 usr /tmp/myroot/usr: total 16 drwxr-xr-x 2 abc other 179 Jun 2 16:19 bin /tmp/myroot/usr/bin: total 16 -rw------- 1 abc other 1024 Jun 2 16:19 myapp Create the unsigned package.pkgmk -d `pwd`The output would appear similar to the following:## Building pkgmap from package prototype file. ## Processing pkginfo file. WARNING: parameter <PSTAMP> set to "syrinx20030605115507" WARNING: parameter <CLASSES> set to "none" ## Attempting to volumize 3 entries in pkgmap. part 1 -- 84 blocks, 7 entries ## Packaging one part. /tmp/SUNWfoo/pkgmap /tmp/SUNWfoo/pkginfo /tmp/SUNWfoo/reloc/usr/bin/myapp ## Validating control scripts. ## Packaging complete.The package now exists in the current directory. package keystoreimporting a certificate intocertificatesimporting into package keystoreprivate keyimporting into package keystoreThe certificate and private key to be imported must exist as a PEM- or DER-encoded X.509 certificate and private key. In addition, any intermediate or “chain” certificates linking your signing certificate to the Certificate Authority certificate must be imported into the package keystore before a package can be signed.pkgadm commandimporting certificates into package keystoreEach Certificate Authority can issue certificates in various formats. To extract the certificates and private key out of the PKCS12 file and into a PEM-encoded X.509 file (suitable for importing into the package keystore), use a freeware conversion utility such as OpenSSL. If your private key is encrypted (which should usually be the case), you are prompted for the passphrase. Also, you are prompted for a password to protect the resulting package keystore. You can optionally not supply any password, but doing so results in an unencrypted package keystore.The following procedure describes how to import the certificates using the pkgadm command once the certificate is in the proper format. Import all the Certificate Authority certificates found in your PEM- or DER-encoded X.509 certificate file.For example, to import all the Certificate Authority certificates found in the file ca.pem, you would type the following:$ pkgadm addcert -k ~/mykeystore -ty ca.pemThe output would appear similar to the following:Trusting certificate <VeriSign Class 1 CA Individual \ Subscriber-Persona Not Validated> Trusting certificate </C=US/O=VeriSign, Inc./OU=Class 1 Public \ Primary Certification Authority Type a Keystore protection Password. Press ENTER for no protection password (not recommended): For Verification: Type a Keystore protection Password. Press ENTER for no protection password (not recommended): Certificate(s) from <ca.pem> are now trustedIn order to import your signing key into the package keystore, you must supply an alias that is used later when signing the package. This alias can also be used if you want to delete the key from the package keystore. For example, to import your signing key from the file sign.pem, you would type the following:$ pkgadm addcert -k ~/mykeystore -n mycert sign.pemThe output would appear similar to the following:Enter PEM passphrase: Enter Keystore Password: Successfully added Certificate <sign.pem> with alias <mycert> Verify that the certificates are in the package keystore.For example, to view the certificates in the keystore created in the previous step, you would type the following:$ pkgadm listcert -k ~/mykeystore pkgtrans commandOnce the certificates are imported into the package keystore, you can now sign the package. The actual signing of the package is done using the pkgtrans command. Sign the package using the pkgtrans command. Supply the location of the unsigned package and the alias of the key to sign the package.For example, using the examples from the previous procedures, you would type the following to create a signed package called SUNWfoo.signed:$ pkgtrans -g -k ~/mykeystore -n mycert . ./SUNWfoo.signed SUNWfooThe output of this command would appear similar to the following:Retrieving signing certificates from keystore </home/user/mykeystore> Enter keystore password: Generating digital signature for signer <Test User> Transferring <SUNWfoot> package instanceThe signed package is created in the file SUNWfoo.signed and is in the package-stream format. This signed package is suitable for copying to a web site and being installed using the pkgadd command and a URL.