sign binary packages for
pkg_sign command is used to sign
existing collections of binary packages created by
It will sign the packages and optionally, produce a SHA256 manifest file in the output directory. The options are as follows:
- Append sha256(1) checksums to SHA256 in the output directory, then sort it.
- Incremental mode. Ignore packages that are already in the output repository. Note that, in verbose mode, they will still show up as ‘Signed’ in the listing.
- Sign existing packages in parallel.
- Specify output directory for signing packages. Otherwise, signed packages are created in the current directory.
- Source repository for packages to be signed.
- Specify signature parameters for signed packages. Option parameters are as
- Choose signify(1) new style signatures, where the gzip(1) compressed data is signed.
- The path to the signer's private key. For
signify, the private key name is used to set the
@signerannotation. If a corresponding public key is found, the first signatures will be checked for key mismatches.
- Turn on verbose output, display ‘Signed output/pkg.tgz’ after each package is signed.
The signature is stored within the
gzip(1) comment, as plain text data, according to
-zS mode. It contains the ed25519
signature, some meta-information, and SHA512/256 checksums for each 64K
block of compressed data.
Additionally, for further manual checking, the packing-list
contains a complete manifest of files within the package, checksummed with
sha256(1) and annotated with proper
so that pkg_add(1) will refuse to give special rights to any file
which isn't properly annotated, and so that it will abort on installation of
a file whose checksum does not match.
signify(1) gets inserted in the packing list during extraction,
@digital-signature annotation and a
@signer annotation for further manual
cksum(1), pkg_add(1), signify(1), tar(1), package(5)
pkg_sign command first appeared in
OpenBSD 5.5. The signature process was completely
redesigned for OpenBSD 6.1.