sign binary packages for
pkg_sign command is used to sign
existing collections of binary packages created by
It will sign the packages and optionally, produce a SHA256 manifest file in the output directory. The options are as follows:
- Append sha256(1) checksums to SHA256 in the output directory, then sort it.
- Allows signing over already signed packages. Obviously, this checks the
existing signature first, so the
-Dnosig also apply with the same semantics as pkg_add(1).
- Incremental mode. Ignore packages that are already in the output repository. Note that, in verbose mode, they will still show up as ‘Signed’ in the listing.
- Sign existing packages in parallel.
- Specify output directory for signing packages. Otherwise, unsigned packages are created in the current directory.
- Source repository for packages to be signed. This can be any url
admissible for a
PKG_PATH, so that it is possible to sign packages during a transfer, e.g.,
pkg_sign -s signify -s mykey-pkg.sec \ -o output -S scp://build-machine/packages/
- Specify signature parameters for signed packages. Option parameters are as
- choose signify(1) or X.509-style signatures.
- the path to the signer's certificate (X.509 only)
- the path to the signer's private key. For
signify, the private
key name is used to set the
@signerannotation. If a corresponding public key is found, the first signatures will be checked for key mismatches.
For X.509, the signer's certificate and the signer's private key should be generated using standard openssl x509 commands. This assumes the existence of a certificate authority (or several), whose public information is recorded as a /etc/ssl/pkgca.pem file.
- Turn on verbose output, display ‘Signed output/pkg.tgz’ after each package is signed.
The packing-list is extracted from the source package: it already
contains a complete manifest of files within the package, checksummed with
sha256(1) and annotated with proper
so that pkg_add(1) will refuse to give special rights to any file
which isn't properly annotated, and so that it will abort on installation of
a file whose checksum does not match.
That packing list is a text file that is signed using the provided
method, adding a
@digital-signature annotation. The
signed package is then created, by putting the signed packing-list at the
start of the new package, and then blindly copying the rest of the source
package: there is no need to re-checksum any of the files; if someone
tampers with them later, their checksum will not match.
openssl(1), pkg_add(1), pkg_create(1), sha256(1), signify(1), tar(1), package(5)
pkg_sign command first appeared in