NAME
pkg_sign
—
sign binary packages for
distribution
SYNOPSIS
pkg_sign |
[-Cv ]
[-D name[=value]]
[-j maxjobs]
[-o dir] -s
signify|x509
[-s cert] -s
privkey
[-S source]
[pkg-name ...] |
DESCRIPTION
The pkg_sign
command is used to sign
existing collections of binary packages created by
pkg_create(1).
It will sign the packages and optionally, produce a SHA256 manifest file in the output directory. The options are as follows:
-C
- Append sha256(1) checksums to SHA256 in the output directory, then sort it.
-D
resign- Allows signing over already signed packages. Obviously, this checks the
existing signature first, so the
-D
SIGNER and-D
nosig also apply with the same semantics as pkg_add(1). -j
maxjobs- Sign existing packages in parallel.
-o
dir- Specify output directory for signing packages. Otherwise, unsigned packages are created in the current directory.
-S
source- Source repository for packages to be signed. This can be any url
admissible for a
PKG_PATH
, so that it is possible to sign packages during a transfer, e.g.,pkg_sign -s signify -s mykey-pkg.sec \ -o output -S scp://build-machine/packages/
-s
signify|x509 [-s
cert]-s
privkey- Specify signature parameters for signed packages. Option parameters are as
follows:
- signify|x509
- choose signify(1) or X.509-style signatures.
- cert
- the path to the signer's certificate (X.509 only)
- privkey
- the path to the signer's private key. For
signify, the private
key name is used to set the
@signer
annotation. If a corresponding public key is found, the first signatures will be checked for key mismatches.
For X.509, the signer's certificate and the signer's private key should be generated using standard openssl x509 commands. This assumes the existence of a certificate authority (or several), whose public information is recorded as a /etc/ssl/pkgca.pem file.
-v
- Turn on verbose output, display ‘Signed output/pkg.tgz’ after each package is signed.
SIGNATURE DETAILS
The packing-list is extracted from the source package: it already
contains a complete manifest of files within the package, checksummed with
sha256(1) and annotated with proper @mode
,
@user
, @group
annotations,
so that pkg_add(1) will refuse to give special rights to any file
which isn't properly annotated, and so that it will abort on installation of
a file whose checksum does not match.
That packing list is a text file that is signed using the provided
method, adding a @digital-signature
annotation. The
signed package is then created, by putting the signed packing-list at the
start of the new package, and then blindly copying the rest of the source
package: there is no need to re-checksum any of the files; if someone
tampers with them later, their checksum will not match.
SEE ALSO
openssl(1), pkg_add(1), pkg_create(1), signify(1), sha256(1), tar(1), package(5),
HISTORY
The pkg_sign
command first appeared in
OpenBSD 5.5.
AUTHORS
- Marc Espie