binary packages for distribution
[-o dir] -s
command is used to sign existing
collections of binary packages created by
It will sign the packages and, optionally, produce a
manifest file in the output directory. The
options are as follows:
sha256(1) checksums to
SHA256 in the output directory, then sort
- Incremental mode. Ignore packages that are already in the
output repository. Note that, in verbose mode, they will still show up as
‘Signed’ in the listing.
- Sign existing packages in parallel.
- Specify output directory for signing packages. Otherwise,
unsigned packages are created in the current directory.
- Source repository for packages to be signed.
- Specify signature parameters for signed packages. Option
parameters are as follows:
signify(1) new style
signatures, where the
gzip(1) compressed data is
- The path to the signer's private key. For
signify, the private key name is used to
set the @signer annotation. If a
corresponding public key is found, the first signatures will be
checked for key mismatches.
- Turn on verbose output, display ‘Signed
output/pkg.tgz’ after each package is signed.
The signature is stored within the
comment, as plain text
data, according to signify(1)
mode. It contains the ed25519 signature, some
meta-information, and SHA512/256 checksums for each 64K block of compressed
Additionally, for further manual checking, the packing-list contains a complete
manifest of files within the package, checksummed with
and annotated with
annotations, so that
will refuse to give
special rights to any file which isn't properly annotated, and so that it will
abort on installation of a file whose checksum does not match.
Meta-information from signify(1)
gets inserted in the packing list during extraction, adding a
annotation and a
annotation for further manual inspection.
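The gzip comment layout described above can be inspected without any package tools. The following Python sketch is an added example, not code from OpenBSD: it pulls the comment out of the gzip header, separates the signature lines, the meta-information and the per-block digests, and reports which blocks no longer match. Assumptions: the comment starts with the two usual signify lines, the meta-information is key=value lines named date, key, algorithm and blocksize, a blank line precedes the digests, and blocks cover every byte after the gzip header; the sample input is constructed, with a placeholder signature and filler bytes standing in for compressed data.

```python
import hashlib

def split_gzip(blob: bytes):
    """Return (comment, payload); payload is every byte after the gzip header."""
    if blob[:3] != b"\x1f\x8b\x08":
        raise ValueError("not a gzip stream")
    flg, pos = blob[3], 10
    if flg & 0x04:                      # FEXTRA: 2-byte length, then data
        pos += 2 + int.from_bytes(blob[pos:pos + 2], "little")
    if flg & 0x08:                      # FNAME: NUL-terminated
        pos = blob.index(b"\0", pos) + 1
    if not flg & 0x10:                  # no FCOMMENT: nothing was signed
        raise ValueError("no gzip comment, package is unsigned")
    end = blob.index(b"\0", pos)
    comment = blob[pos:end].decode("ascii")
    pos = end + 1 + (2 if flg & 0x02 else 0)   # skip optional FHCRC
    return comment, blob[pos:]

def parse_comment(comment: str):
    """Split into signify lines, key=value meta-information, block digests."""
    head, _, digests = comment.partition("\n\n")
    lines = head.split("\n")
    meta = dict(line.split("=", 1) for line in lines[2:])
    return lines[:2], meta, digests.split()

def bad_blocks(blob: bytes):
    """Indexes of blocks whose SHA512/256 digest differs from the listed one."""
    comment, payload = split_gzip(blob)
    _, meta, want = parse_comment(comment)
    size = int(meta.get("blocksize", "0"))     # field names are assumptions
    if meta.get("algorithm") != "SHA512/256" or size <= 0:
        raise ValueError("unexpected signature parameters")
    blocks = [payload[i:i + size] for i in range(0, len(payload), size)]
    if len(blocks) != len(want):        # truncated or extended archive
        raise ValueError("block count mismatch")
    return [i for i, (b, w) in enumerate(zip(blocks, want))
            if hashlib.new("sha512_256", b).hexdigest() != w]

def build_sample():
    """Constructed input: placeholder signature, 153600 payload bytes (3 blocks)."""
    payload = bytes(range(256)) * 600
    digests = [hashlib.new("sha512_256", payload[i:i + 65536]).hexdigest()
               for i in range(0, len(payload), 65536)]
    comment = "\n".join(["untrusted comment: constructed sample",
                         "PLACEHOLDER-SIGNATURE", "date=2017-01-01T00:00:00Z",
                         "key=/constructed/example.sec", "algorithm=SHA512/256",
                         "blocksize=65536", "", *digests])
    header = b"\x1f\x8b\x08\x10" + bytes(6)
    return header + comment.encode("ascii") + b"\0" + payload
```

The digest list is only trustworthy once signify(1) has verified the ed25519 signature over the comment; this sketch does not perform that step.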
command first appeared in
. The signature process was completely
redesigned for OpenBSD 6.1.