|PKG_SIGN(1)||General Commands Manual||PKG_SIGN(1)|
DESCRIPTION
The pkg_sign command is used to sign existing collections of binary packages created by pkg_create(1). It will sign the packages and, optionally, produce a SHA256 manifest file in the output directory.

The options are as follows:

-Dnosig also applies, with the same semantics as pkg_add(1).

The -S source uses the same syntax as PKG_PATH, so that it is possible to sign packages during a transfer, e.g.,

    pkg_sign -s signify -s mykey-pkg.sec \
        -o output -S scp://build-machine/packages/

With signify, the private key name is used to set the @signer annotation. If a corresponding public key is found, the first signatures will be checked for key mismatches.

The packing-list receives @group annotations, so that pkg_add(1) will refuse to give special rights to any file which isn't properly annotated, and so that it will abort on installation of a file whose checksum does not match. That packing list is a text file that is signed using the provided method, adding a @digital-signature annotation. The signed package is then created by putting the signed packing-list at the start of the new package and then blindly copying the rest of the source package: there is no need to re-checksum any of the files; if someone tampers with them later, their checksum will not match.

SEE ALSO
openssl(1), pkg_add(1), pkg_create(1), sha256(1), signify(1), tar(1), package(5)

HISTORY
The pkg_sign command first appeared in OpenBSD 5.5.

AUTHORS
Marc Espie
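An added illustration of the design described above (not part of this manual page and not OpenBSD's code): only the packing-list is signed, and at install time every file is checked against the checksum recorded in it, so a file altered after signing is rejected. An HMAC under a constructed key stands in for the signify(1) Ed25519 signature, and the packing-list layout is a simplified, constructed one.

```python
import base64
import hashlib
import hmac

# Constructed demo key: an HMAC stands in for the signify(1) Ed25519 signature.
SIGN_KEY = b"constructed-demo-signing-key"

def checksum(data: bytes) -> str:
    """Base64 SHA256, the form used by @sha lines in package(5)."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_plist(signer: str, files: dict) -> str:
    """Packing-list with a @signer line and a @sha line before each file."""
    lines = [f"@signer {signer}"]
    for name, data in files.items():
        lines += [f"@sha {checksum(data)}", name]
    return "\n".join(lines) + "\n"

def sign_plist(plist: str) -> str:
    """Append the @digital-signature annotation; only this text is signed."""
    sig = hmac.new(SIGN_KEY, plist.encode(), hashlib.sha256).hexdigest()
    return plist + f"@digital-signature demo:{sig}\n"

def verify_package(signed_plist: str, files: dict):
    """Check the packing-list signature, then every file against its @sha.
    Returns (ok, reason); the files themselves carry no signature."""
    body, _, sigline = signed_plist.rpartition("@digital-signature ")
    expected = "demo:" + hmac.new(SIGN_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sigline.strip()):
        return False, "packing-list signature mismatch"
    pending = None
    for line in body.splitlines():
        if line.startswith("@sha "):
            pending = line[5:]
        elif line.startswith("@"):
            continue                      # other annotations, e.g. @signer
        else:
            if pending is None:
                return False, f"{line}: no checksum annotation"
            if line not in files or checksum(files[line]) != pending:
                return False, f"{line}: checksum mismatch"
            pending = None
    return True, "ok"

# Constructed sample package: two files and a signed packing-list.
FILES = {"bin/hello": b"#!/bin/sh\necho hello\n", "etc/hello.conf": b"greeting=hello\n"}
SIGNED_PLIST = sign_plist(build_plist("mykey-pkg", FILES))
```

Calling verify_package(SIGNED_PLIST, FILES) succeeds, while the same packing-list against a modified bin/hello fails on that file's checksum, and any edit to the packing-list text fails the signature check first.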
|September 25, 2015||OpenBSD-6.0|