|PKG_SIGN(1)||General Commands Manual||PKG_SIGN(1)|
The pkg_sign command is used to sign existing collections of binary packages created by pkg_create(1).
It will sign the packages and, optionally, produce a SHA256 manifest file in the output directory. The options are as follows:
signify, the private key name is used to set the @signer annotation. If a corresponding public key is found, the first signatures will be checked for key mismatches.
-zS mode. It contains the ed25519 signature, some meta-information, and SHA512/256 checksums for each 64K block of compressed data.
Additionally, for further manual checking, the packing-list
contains a complete manifest of files within the package, checksummed with
sha256(1) and annotated with proper
@group annotations, so that
pkg_add(1) will refuse to give special
rights to any file which isn't properly annotated, and so that it will abort
on installation of a file whose checksum does not match.
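The per-block checksums described above let a consumer check each 64K block of compressed data before handing it to the decompressor. The following is an added example, not code from pkg_sign, pkg_add or signify: `VerifyStream`, `BlockSums`, the error names and the in-memory checksum list are hypothetical, the real header layout is not reproduced, and the list is assumed to have been authenticated already by the ed25519 signature check (not shown).

```go
package main

import (
	"bytes"
	"crypto/sha512"
	"errors"
	"fmt"
	"io"
)

const blockSize = 64 * 1024 // 64K blocks, as stated in the man page
type digest = [sha512.Size256]byte

var ErrMismatch = errors.New("block checksum mismatch")
var ErrLength = errors.New("stream length does not match checksum list")

// VerifyStream copies r to out one block at a time and releases a block only
// after its SHA512/256 digest matches want[i]; it returns the blocks released.
// Assumption: want was authenticated beforehand (signature check not shown).
func VerifyStream(r io.Reader, want []digest, out io.Writer) (int, error) {
	buf := make([]byte, blockSize)
	for i := 0; ; i++ {
		n, err := io.ReadFull(r, buf)
		switch {
		case err != nil && err != io.EOF && err != io.ErrUnexpectedEOF: return i, err
		case err == io.EOF && i == len(want): return i, nil // clean end, all blocks seen
		case err == io.EOF || i >= len(want): return i, ErrLength // truncated or trailing data
		case sha512.Sum512_256(buf[:n]) != want[i]: return i, fmt.Errorf("block %d: %w", i, ErrMismatch)
		}
		if _, err := out.Write(buf[:n]); err != nil {
			return i, err
		}
	}
}

// BlockSums computes the per-block digest list (the signing side).
func BlockSums(data []byte) (sums []digest) {
	for b := bytes.NewBuffer(data); b.Len() > 0; {
		sums = append(sums, sha512.Sum512_256(b.Next(blockSize)))
	}
	return sums
}

func main() {
	data := bytes.Repeat([]byte("constructed sample, not a real package\n"), 4000)
	sums := BlockSums(data)
	data[70000] ^= 1 // simulate corruption inside block 1
	n, err := VerifyStream(bytes.NewReader(data), sums, io.Discard)
	fmt.Println(n, err)
}
```

A stream cut exactly at a block boundary and a stream with extra data after the last listed block both fail with `ErrLength`, because every block's digest would otherwise still match.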
signify(1) gets inserted in the packing
list during extraction, adding a
annotation and a
@signer annotation for further
The pkg_sign command first appeared in OpenBSD 5.5. The signature process was completely redesigned for OpenBSD 6.1.
Marc Espie
|July 10, 2018||OpenBSD-current|