NAME
     pkg_sign - sign binary packages for distribution
SYNOPSIS
     pkg_sign [-Cvi] [-D name[=value]] [-j maxjobs] [-o dir] -s signify2
              -s privkey [-S source] [pkg-name ...]
DESCRIPTION
     The pkg_sign command is used to sign existing collections of binary
     packages created by pkg_create(1).

     It will sign the packages and optionally produce a SHA256 manifest file
     in the output directory.

     The options are as follows:
     -C              Append sha256(1) checksums to SHA256 in the output
                     directory, then sort it.

     -i              Incremental mode.  Ignore packages that are already in
                     the output repository.  Note that, in verbose mode,
                     they will still show up as ‘Signed’ in the listing.

     -j maxjobs      Sign existing packages in parallel.

     -o dir          Specify the output directory for the signed packages.
                     Otherwise, signed packages are created in the current
                     directory.

     -S source       Source repository for packages to be signed.

     -s signify2 -s privkey
                     Specify signature parameters for signed packages.
                     Option parameters are as follows:

                     signify2    Choose signify(1) new style signatures,
                                 where the gzip(1) compressed data is
                                 signed.

                     privkey     The path to the signer's private key.
                                 For signify, the private key name is used
                                 to set the @signer annotation.  If a
                                 corresponding public key is found, the
                                 first signatures will be checked for key
                                 mismatches.

     -v              Turn on verbose output, display ‘Signed output/pkg.tgz’
                     after each package is signed.
SIGNATURE DETAILS
     The signature is stored within the gzip(1) comment, as plain text data,
     according to signify(1) -zS mode.  It contains the ed25519 signature,
     some meta-information, and SHA512/256 checksums for each 64K block of
     compressed data.
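     The layout described above, as an added example that is not OpenBSD's
     or pkg_sign's own code: a Python script that builds a gzip file whose
     header comment carries a signify-style text block, then walks the RFC
     1952 header to find that comment and the first compressed byte, and
     recomputes SHA512/256 over each 64 KiB block that follows.  The sample
     package, the key name and the signature line are constructed
     placeholders (not a valid signature); the meta-information field names
     and the assumption that the checksummed stream runs from the end of the
     header to the end of the file are assumptions to check against
     signify(1) before relying on them.

```python
"""Added example (not OpenBSD's code): locate the signify(1) -z style
signature block inside a gzip'd package and recompute the per-block
SHA512/256 checksums that the SIGNATURE DETAILS section describes."""
import gzip
import hashlib
import struct
import zlib
from typing import List, Optional, Tuple

BLOCK = 64 * 1024                      # "each 64K block of compressed data"
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed stand-in for what signify -zS writes into the gzip comment.
# The "untrusted comment:" line is signify's first-line syntax; the key
# name, the base64 line (NOT a valid signature) and the meta-information
# field names below are illustrative assumptions, not copied from signify.
SAMPLE_COMMENT = (
    "untrusted comment: verify with example-pkg.pub\n"
    "RWSexampleSignaturePlaceholderNotValid==\n"
    "date=2024-01-01T00:00:00Z\n"
    "key=example-pkg\n"
    "algorithm=SHA512/256\n"
    "blocksize=65536\n"
)


def gzip_with_comment(payload: bytes, comment: str) -> bytes:
    """Build a one-member gzip file whose header FCOMMENT holds COMMENT.
    Python's gzip module cannot set FCOMMENT, so the RFC 1952 header is
    written by hand: magic, CM=8 (deflate), FLG, MTIME, XFL, OS."""
    header = struct.pack("<BBBBIBB", 0x1F, 0x8B, 8, FCOMMENT, 0, 0, 255)
    header += comment.encode("latin-1") + b"\x00"        # NUL-terminated
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate stream
    body = deflater.compress(payload) + deflater.flush()
    trailer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF,
                          len(payload) & 0xFFFFFFFF)     # CRC32, ISIZE
    return header + body + trailer


def parse_gzip_header(data: bytes) -> Tuple[Optional[str], int]:
    """Walk the optional header fields in the order RFC 1952 fixes them and
    return (FCOMMENT text or None, offset of the first compressed byte)."""
    if data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a deflate gzip member")
    flg, pos = data[3], 10
    if flg & FEXTRA:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flg & FNAME:
        pos = data.index(b"\x00", pos) + 1
    comment = None
    if flg & FCOMMENT:
        end = data.index(b"\x00", pos)
        comment = data[pos:end].decode("latin-1")
        pos = end + 1
    if flg & FHCRC:
        pos += 2
    return comment, pos


def block_checksums(data: bytes, start: int) -> List[str]:
    """SHA512/256 over each 64 KiB block from START to the end of the file.
    Assumption: the checksummed stream is everything after the header;
    confirm the exact boundaries against signify(1) before relying on it."""
    return [hashlib.new("sha512_256", data[off:off + BLOCK]).hexdigest()
            for off in range(start, len(data), BLOCK)]


def decompress_payload(data: bytes) -> bytes:
    """Sanity check: the comment must not break ordinary gzip decoding."""
    return gzip.decompress(data)


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed package: ~160 KB of hash-derived (incompressible) bytes
    so the compressed stream spans more than one 64 KiB block."""
    payload = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                       for i in range(5000))
    return payload, gzip_with_comment(payload, SAMPLE_COMMENT)


def inspect(data: bytes) -> dict:
    comment, start = parse_gzip_header(data)
    return {
        "comment_lines": comment.splitlines() if comment else [],
        "data_offset": start,
        "checksums": block_checksums(data, start),
    }


if __name__ == "__main__":
    payload, pkg = build_sample()
    assert decompress_payload(pkg) == payload   # still a valid gzip file
    info = inspect(pkg)
    for line in info["comment_lines"]:
        print("comment:", line)
    for i, digest in enumerate(info["checksums"]):
        print(f"block {i} @ {info['data_offset'] + i * BLOCK}: {digest}")
```

     Because the signature text lives in the header comment rather than in
     the compressed payload, gzip(1) and pkg_add(1) can still unpack the
     package normally, while a verifier can read the comment, check the
     ed25519 signature over it, and then compare the per-block checksums
     against the data as it streams in.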
     Additionally, for further manual checking, the packing-list contains a
     complete manifest of files within the package, checksummed with
     sha256(1) and annotated with proper @mode, @user, @group annotations, so
     that pkg_add(1) will refuse to give special rights to any file which
     isn't properly annotated, and so that it will abort on installation of
     a file whose checksum does not match.

     Meta-information from signify(1) gets inserted in the packing list
     during extraction, adding a @digital-signature annotation and a @signer
     annotation for further manual inspection.
SEE ALSO

HISTORY
     The pkg_sign command first appeared in OpenBSD 5.5.  The signature
     process was completely redesigned for OpenBSD 6.1.

AUTHORS
     Marc Espie