PKG_SIGN(1) | General Commands Manual | PKG_SIGN(1)
pkg_sign — sign binary packages for distribution
pkg_sign [-Cvi] [-D name[=value]] [-j maxjobs] [-o dir] -s signify2 -s privkey [-S source] [pkg-name ...]
The pkg_sign command is used to sign existing collections of binary packages created by pkg_create(1). It will sign the packages and, optionally, produce a SHA256 manifest file in the output directory.
The options are as follows:
-C
-i
-j maxjobs
-o dir
-S source
-s signify2 -s privkey
  signify2 signify, the private key name is used to set the @signer annotation. If a corresponding public key is found, the first signatures will be checked for key mismatches.
-v
The signature is stored within the gzip(1) comment, as plain text data, according to signify(1) -zS mode. It contains the ed25519 signature, some meta-information, and SHA512/256 checksums for each 64K block of compressed data.
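As an added illustration (not part of this manual or of the OpenBSD tools), the following Python example reads the gzip header comment of a package and splits it into signature, meta-information and per-block checksums, so a signed and an unsigned package can be told apart without extracting anything. The line layout of the comment, the meta field names and all sample values are assumptions constructed for the example; it does not verify the signature, which remains the job of signify(1) and pkg_add(1).

```python
import struct
import zlib

FEXTRA, FNAME, FCOMMENT = 0x04, 0x08, 0x10   # FLG bits from RFC 1952

def gzip_comment(data: bytes):
    """Return the gzip header comment, or None when the member carries none."""
    if len(data) < 10 or data[:3] != b"\x1f\x8b\x08":
        raise ValueError("not a gzip (deflate) stream")
    flags, pos = data[3], 10                  # fixed header is 10 bytes
    if flags & FEXTRA:                        # 2-byte LE length, then payload
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FNAME:                         # NUL-terminated file name
        pos = data.index(b"\0", pos) + 1
    if not flags & FCOMMENT:
        return None                           # e.g. an unsigned package
    return data[pos:data.index(b"\0", pos)].decode("latin-1")

def split_signature_block(comment: str):
    """Assumed layout: comment line, base64 signature, key=value lines,
    an empty line, then one hex checksum per line."""
    head, _, tail = comment.partition("\n\n")
    lines = head.splitlines()
    if len(lines) < 2:
        raise ValueError("no signature lines in gzip comment")
    meta = dict(l.split("=", 1) for l in lines[2:] if "=" in l)
    return {"signature": lines[1], "meta": meta, "checksums": tail.split()}

def make_sample(comment=None, payload=b"constructed payload"):
    """Build a small valid gzip member, optionally with a header comment."""
    c = zlib.compressobj(wbits=-15)           # raw deflate, no zlib wrapper
    raw = c.compress(payload) + c.flush()
    hdr = b"\x1f\x8b\x08" + bytes([FCOMMENT if comment else 0]) + b"\0" * 4 + b"\0\x03"
    if comment:
        hdr += comment.encode("latin-1") + b"\0"
    return hdr + raw + struct.pack("<II", zlib.crc32(payload), len(payload))

# Constructed sample: placeholder signature and two placeholder checksums.
SAMPLE_COMMENT = (
    "untrusted comment: constructed example\nQ09OU1RSVUNURUQ=\n"
    "date=2022-02-11T00:00:00Z\nkey=example-pkg.sec\n"
    "algorithm=SHA512/256\nblocksize=65536\n\n"
    + "00" * 32 + "\n" + "11" * 32 + "\n"
)

if __name__ == "__main__":
    block = split_signature_block(gzip_comment(make_sample(SAMPLE_COMMENT)))
    print(block["meta"], len(block["checksums"]), "block checksums")
    print("unsigned:", gzip_comment(make_sample()))
```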
Additionally, for further manual checking, the packing-list contains a complete manifest of files within the package, checksummed with sha256(1) and annotated with proper @mode, @user, @group annotations, so that pkg_add(1) will refuse to give special rights to any file which isn't properly annotated, and so that it will abort on installation of a file whose checksum does not match.
Meta-information from signify(1) gets inserted in the packing-list during extraction, adding a @digital-signature annotation and a @signer annotation for further manual inspection.
The pkg_sign command first appeared in OpenBSD 5.5. The signature process was completely redesigned for OpenBSD 6.1.
Marc Espie
February 11, 2022 | OpenBSD-current