NAME
     pkg_sign - sign binary packages for distribution

SYNOPSIS
     pkg_sign [-Cijv] [-D name[=value]] [-o dir] -s signify -s key
              [-S source] [pkg-name ...]
     pkg_sign [-Cijv] [-D name[=value]] [-o dir] -s x509 [-s cert] -s key
              [-S source] [pkg-name ...]

DESCRIPTION
     The pkg_sign command is used to sign existing collections of binary
     packages created by pkg_create(1).  It will sign the packages and,
     optionally, produce a manifest file in the output directory.

     The options are as follows:
     -C      Write a manifest of checksums to SHA256 in the output
             directory, then sort it.

     -D name[=value]
             Allows signing over already signed packages.  Obviously, this
             checks the existing signature first, so the same -D options
             (such as -D nosig) also apply, with the same semantics as
             pkg_add(1).

     -i      Incremental mode.  Ignore packages that are already in the
             output repository.  Note that, in verbose mode, they will
             still show up as 'Signed' in the listing.

     -j      Sign existing packages in parallel.

     -o dir  Specify output directory for signing packages.  Otherwise,
             unsigned packages are created in the current directory.

     -S source
             Source repository for packages to be signed.  This can be any
             url admissible for a pkg_add(1) package repository.  Note that
             it is possible to sign packages during a transfer, e.g.,

                   pkg_sign -s signify -s mykey-pkg.sec \
                       -o output -S scp://build-machine/packages/

     -s parameter
             Specify signature parameters for signed packages.  Option
             parameters are as follows:

             signify | x509
                     The signature method, either signify or X.509-style
                     signatures.  For X.509, the signer's certificate and
                     the signer's private key should be generated using
                     standard openssl x509 commands.  This assumes the
                     existence of a certificate authority (or several),
                     whose public information is recorded as a
                     /etc/ssl/pkgca.pem file.

             cert    The path to the signer's certificate (X.509 only).

             key     The path to the signer's private key.  For signify,
                     the private key name is used to set the @signer
                     annotation.  If a corresponding public key is found,
                     the first signatures will be checked for key
                     mismatches.

     -v      Turn on verbose output, display 'Signed output/pkg.tgz' after
             each package is signed.
TECHNICAL DETAILS
     The packing-list is extracted from the source package: it already
     contains a complete manifest of files within the package, checksummed
     with sha256(1) and annotated with proper @mode and @owner annotations,
     so that pkg_add(1) will refuse to give special rights to any file which
     isn't properly annotated, and so that it will abort on installation of
     a file whose checksum does not match.

     That packing-list is a text file that is signed using the provided
     method, adding a @digital-signature annotation.  The signed package is
     then created by putting the signed packing-list at the start of the
     new package, and then blindly copying the rest of the source package:
     there is no need to re-checksum any of the files; if someone tampers
     with them later, their checksum will not match.
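     The checks described above, as an added example that is not part of
     the pkg_sign man page or of OpenBSD's own code: a small Python model of
     a packing-list carrying @sha256 and @mode annotations, a parser for
     that simplified format (an assumption; the real pkg_create(1)
     packing-list carries more annotations), and the verification an
     installer that trusts only the signed packing-list performs against
     the package body.  The sample package and its tampered copy are
     constructed inline.

```python
import base64
import hashlib

def digest_b64(data: bytes) -> str:
    """SHA-256 of a file's content, base64-encoded like the @sha256 annotation."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_packing_list(text: str) -> dict:
    """Map each file path to its @sha256/@mode annotations.
    Simplified format (assumption): a bare line names a file, the @sha256 and
    @mode lines after it annotate that file; other @-lines are metadata."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("@"):
            key, _, value = line[1:].partition(" ")
            if current is not None and key in ("sha256", "mode"):
                entries[current][key] = value
            continue
        current = line
        entries[current] = {}
    return entries

def effective_mode(ann: dict, default: str = "644") -> str:
    """Permissions come only from the signed @mode annotation, never from the
    archive header, so an unannotated file gets the plain default."""
    return ann.get("mode", default)

def verify_package(plist_text: str, files: dict) -> list:
    """Problems an installer trusting only the signed packing-list aborts on;
    `files` maps path -> bytes found in the package body."""
    problems = []
    for path, ann in parse_packing_list(plist_text).items():
        if path not in files:
            problems.append(f"{path}: listed but missing from package body")
        elif "sha256" not in ann:
            problems.append(f"{path}: no @sha256 annotation in packing-list")
        elif digest_b64(files[path]) != ann["sha256"]:
            problems.append(f"{path}: checksum mismatch, altered after signing")
    return problems

# Constructed sample package, and a copy whose binary was altered after signing.
GOOD_FILES = {"bin/example": b"#!/bin/sh\necho hello\n", "share/doc/README": b"docs\n"}
PLIST = ("@name example-1.0\n"
         "bin/example\n@sha256 " + digest_b64(GOOD_FILES["bin/example"]) + "\n@mode 755\n"
         "share/doc/README\n@sha256 " + digest_b64(GOOD_FILES["share/doc/README"]) + "\n")
TAMPERED_FILES = {**GOOD_FILES, "bin/example": b"#!/bin/sh\necho changed\n"}
```

     Because only the packing-list is signed, the body file can be altered
     without touching the signature, and it is the per-file checksum check
     at install time that catches the change.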
HISTORY
     The pkg_sign command first appeared in OpenBSD.