OpenSolaris

1. Community: OS/Net (ON)
   1. Blogs
   2. Development Process
   3. Developer's Reference
      1. Introduction
      2. Prerequisites
      3. The Source Tree, part 1
      4. The Source Tree, part 2
      5. Building OpenSolaris
      6. Installing and Testing OpenSolaris
      7. Integration Procedure
      8. Best Practices and Requirements
      9. Glossary
   4. Discussions
   5. Installation (from source) Quickstart
      1. Annotated nightly(1) Mail Example
   6. Currently Known Issues
   7. CRT
      1. Advocates & Sponsors
      2. Becoming a CRT Advocate
      3. Charter
      4. RTI nits to avoid
      5. Sponsor Tasks
      6. Becoming a Sponsor
   8. Schedule
   9. ONNV Flag Days, Heads Ups, and Project Integration History
      1. All
      2. Builds 91-95
      3. Builds 86-90
      4. Builds 81-85
      5. Builds 76-80
      6. Builds 71-75
      7. Builds 66-70
      8. Builds 61-65
      9. Builds 56-60
      10. Builds 51-55
      11. Builds 46-50
      12. Builds 41-45
      13. Builds 36-40
      14. Builds 31-35
      15. Builds 26-30
      16. Builds 21-25
   10. Leaders
   11. Observers
   12. Putback Logs
   13. Developing Solaris
       1. Quality Death Spiral
   14. wx
   15. findunref and unreferenced files
   16. Bourne/Korn Shell Coding Conventions

Heads Up: elfsign verification errors

Date: Mon, 9 Apr 2007 15:06:11 -0700 (PDT)
From: Valerie Anne Bubb <Valerie.Bubb at Sun dot COM>
To: onnv-gate at onnv dot eng dot sun dot com
Subject: Heads Up: elfsign verification errors

If you are seeing errors like:

Apr  9 14:57:23 elpaso kcfd[100148]: [ID 821307 user.error] kcfd: unable to find a certificate for DN: O=Sun Microsystems Inc, OU=Solaris Cryptographic Framework, CN=SunOS 5.10
Apr  9 14:57:23 elpaso ssh[648350]: [ID 290454 user.error] libpkcs11: /usr/lib/security/pkcs11_softtoken_extra.so unexpected failure in ELF signature verification. System may have been tampered with. See cryptoadm(1M). Skipping this plug-in.
Apr  9 14:57:23 elpaso ssh[648350]: [ID 530472 user.error] Kerberos mechanism library initialization error: krb5 conf file not configured.

in /var/adm/messages file, or find that you cannot run commands like
digest or encrypt, you likely have an old certificate hanging around
on your machine.  The recent changes to elfsign to use libkmf
("6246343 elfsign should not depend on libike") trigered an unexpected
side effect on some machines.

Simply logging in as root and removing /etc/crypto/certs/SUNW_SunOS_5.10.1
will resolve this issue for you.

sorry for the hassle,

Valerie
-- 
Valerie Bubb, http://blogs.sun.com/bubbva
Solaris Security Technologies,  Developer, Sun Microsystems, Inc.
17 Network Circle, Menlo Park, CA, 94025. 650-786-0461