PKG_SIGN(1) General Commands Manual PKG_SIGN(1)


NAME
     pkg_sign - sign binary packages for distribution


SYNOPSIS
     pkg_sign [-Cvi] [-D name[=value]] [-j maxjobs] [-o dir] -s signify|x509 [-s cert] -s privkey [-S source] [pkg-name ...]


DESCRIPTION
     The pkg_sign command is used to sign existing collections of binary packages created by pkg_create(1).

     It will sign the packages and optionally produce a SHA256 manifest file in the output directory.

     The options are as follows:

     -C      Append sha256(1) checksums of the signed packages to the SHA256 file in the output directory, then sort it.

     -D resign
             Allow signing over already signed packages. The existing signature is checked first, so -D SIGNER and -D nosig also apply, with the same semantics as in pkg_add(1).

     -i      Incremental mode. Ignore packages that are already present in the output repository. Note that, in verbose mode, they will still show up as ‘Signed’ in the listing.

     -j maxjobs
             Sign up to maxjobs packages in parallel.

     -o dir  Specify the output directory for signed packages. Otherwise, signed packages are written to the current directory.

     -S source
             Source repository for the packages to be signed. This can be any URL admissible in PKG_PATH, so it is possible to sign packages during a transfer, e.g.,

                   pkg_sign -s signify -s mykey-pkg.sec \
                           -o output -S scp://build-machine/packages/

     -s signify|x509 [-s cert] -s privkey
             Specify signature parameters for the signed packages. The parameters, each introduced by its own -s, are as follows:

             signify|x509
                     choose signify(1) or X.509-style signatures.

             cert    the path to the signer's certificate (X.509 only).

             privkey
                     the path to the signer's private key. For signify, the private key name is used to set the @signer annotation. If the corresponding public key is found, the first signatures are checked against it to detect a key mismatch.

             For X.509, the signer's certificate and the signer's private key should be generated using standard openssl x509 commands. This assumes the existence of a certificate authority (or several), whose public information is recorded in /etc/ssl/pkgca.pem.

     -v      Turn on verbose output, displaying ‘Signed output/pkg.tgz’ after each package is signed.


TECHNICAL DETAILS
     The packing-list is extracted from the source package: it already contains a complete manifest of the files within the package, checksummed with sha256(1) and annotated with the proper @mode, @user and @group annotations, so that pkg_add(1) will refuse to give special rights to any file which isn't properly annotated, and will abort on installation of a file whose checksum does not match.

     That packing-list is a text file that is signed using the chosen method, adding a @digital-signature annotation. The signed package is then created by putting the signed packing-list at the start of the new package and blindly copying the rest of the source package: there is no need to re-checksum any of the files; if someone tampers with them later, their checksum will not match.
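     The scheme in the two paragraphs above (sign the packing-list, put it first, copy the rest) and the install-time checks that rely on it, as an added illustration that is not OpenBSD's own code. It assumes a simplified packing-list syntax (@name, @mode and @sha lines), uses HMAC-SHA256 as a stand-in where pkg_sign uses signify(1) or X.509, invents the value format after the @digital-signature tag, and works on constructed sample files rather than a real package.

```python
# Added model of the pkg_sign(1) scheme; not OpenBSD's code.  Assumes a simplified
# packing-list syntax, constructed sample files, and HMAC-SHA256 as a stand-in for
# the real signify(1)/X.509 signature.  The "hmac-sha256:" tag value is invented.
import base64, hashlib, hmac, io, tarfile

SAMPLE_FILES = {  # constructed, not a real package
    "bin/hello": (0o755, b"#!/bin/sh\necho hello\n"),
    "share/doc/hello/README": (0o644, b"Hello package\n"),
}
SIGNING_KEY = b"example-key-material"  # stand-in for mykey-pkg.sec
SIGNER_TAG, SIG_TAG = "@signer", "@digital-signature"

def _b64sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def _add_member(tar, name, data, mode=0o644):
    info = tarfile.TarInfo(name)
    info.size, info.mode = len(data), mode
    tar.addfile(info, io.BytesIO(data))

def _open(pkg):
    tar = tarfile.open(fileobj=io.BytesIO(pkg), mode="r:gz")
    return tar, tar.getmembers()

def build_packing_list(files):
    # As pkg_create(1) does: each file carries its @mode and sha256 checksum,
    # so the manifest alone fixes what may be installed and with what rights.
    lines = ["@name hello-1.0"]
    for name, (mode, data) in files.items():
        lines += ["@mode %04o" % mode, name, "@sha " + _b64sha256(data)]
    return "\n".join(lines) + "\n"

def build_unsigned_package(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add_member(tar, "+CONTENTS", build_packing_list(files).encode())
        for name, (mode, data) in files.items():
            _add_member(tar, name, data, mode)
    return buf.getvalue()

def sign_package(pkg, key, signer):
    # pkg_sign: sign the packing-list text, put it first in a new archive and
    # copy every other member byte-for-byte; nothing is re-checksummed.
    src, members = _open(pkg)
    if not members or members[0].name != "+CONTENTS":
        raise ValueError("packing-list must be the first member")
    plist = src.extractfile(members[0]).read().decode()
    mac = base64.b64encode(hmac.new(key, plist.encode(), hashlib.sha256).digest()).decode()
    signed = "%s%s %s\n%s hmac-sha256:%s\n" % (plist, SIGNER_TAG, signer, SIG_TAG, mac)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as out:
        _add_member(out, "+CONTENTS", signed.encode())
        for m in members[1:]:
            out.addfile(m, src.extractfile(m))
    return buf.getvalue()

def replace_member(pkg, name, data, mode=None):
    # Tampering model: rewrite one member of an already signed package.
    src, members = _open(pkg)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as out:
        for m in members:
            if m.name == name:
                _add_member(out, name, data, m.mode if mode is None else mode)
            else:
                out.addfile(m, src.extractfile(m))
    return buf.getvalue()

def verify_package(pkg, key):
    # pkg_add-style checks; returns a list of problems, empty if acceptable.
    tar, members = _open(pkg)
    if not members or members[0].name != "+CONTENTS":
        return ["packing-list is not the first member"]
    lines = tar.extractfile(members[0]).read().decode().splitlines()
    # The signature covers everything before the two trailing annotations.
    if len(lines) < 2 or not lines[-2].startswith(SIGNER_TAG + " ") \
            or not lines[-1].startswith(SIG_TAG + " hmac-sha256:"):
        return ["no signature"]
    body = ("\n".join(lines[:-2]) + "\n").encode()
    want = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(base64.b64decode(lines[-1].split(":", 1)[1]), want):
        return ["signature mismatch on packing-list"]
    expected, mode, pending = {}, 0o644, None  # name -> (signed mode, checksum)
    for line in lines[:-2]:
        if line.startswith("@mode "):
            mode = int(line.split()[1], 8)
        elif line.startswith("@sha "):
            expected[pending] = (mode, line.split()[1])
        elif not line.startswith("@"):
            pending = line
    problems = []
    for m in members[1:]:
        if m.name not in expected:
            problems.append("unlisted file %s" % m.name)
            continue
        want_mode, want_sha = expected[m.name]
        if _b64sha256(tar.extractfile(m).read()) != want_sha:
            problems.append("checksum mismatch for %s" % m.name)
        # Special rights come only from the signed @mode, never the tar header.
        if m.mode & 0o6000 and not want_mode & 0o6000:
            problems.append("unannotated setuid/setgid bit on %s" % m.name)
    return problems
```

     The point the model makes is that the verifier never trusts anything in the archive before the packing-list signature has been checked, and afterwards trusts only what the signed manifest says: a rewritten file fails its checksum, a rewritten manifest fails the signature, and a setuid bit in a tar header that the signed @mode does not grant is ignored. What it omits is the key lookup that pkg_add(1) performs from the @signer annotation (the -D SIGNER and -D nosig handling referred to under -D resign).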


SEE ALSO
     openssl(1), pkg_add(1), pkg_create(1), sha256(1), signify(1), tar(1), package(5)


HISTORY
     The pkg_sign command first appeared in OpenBSD 5.5.


AUTHORS
     Marc Espie
September 25, 2015 OpenBSD-6.0