.\" $OpenBSD: pkg_sign.1,v 1.13 2022/02/11 15:36:40 espie Exp $
.\" Copyright (c) 2014 Marc Espie <espie@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: February 11 2022 $
.Dt PKG_SIGN 1
.Os
.Sh NAME
.Nm pkg_sign
.Nd sign binary packages for distribution
.Sh SYNOPSIS
.Nm pkg_sign
.Bk -words
.Op Fl Cvi
.Op Fl D Ar name Ns Op = Ns Ar value
.Op Fl j Ar maxjobs
.Op Fl o Ar dir
.Fl s Cm signify2
.Fl s Ar privkey
.Op Fl S Ar source
.Op Ar pkg-name ...
.Ek
.Sh DESCRIPTION
The
.Nm
command is used to sign existing collections of binary packages
created by
.Xr pkg_create 1 .
.Pp
It will sign the packages and optionally produce a
.Pa SHA256
manifest file in the output directory.
The options are as follows:
.Bl -tag -width Ds
.It Fl C
Append
.Xr sha256 1
checksums to
.Pa SHA256
in the output directory, then sort it.
.It Fl i
Incremental mode.
Ignore packages that are already in the output repository.
Note that, in verbose mode, they will still show up as
.Sq Signed
in the listing.
.It Fl j Ar maxjobs
Sign existing packages in parallel.
.It Fl o Ar dir
Specify the output directory for signed packages.
Otherwise, signed packages are created in the current directory.
.It Fl S Ar source
Source repository for packages to be signed.
.It Xo
.Fl s Cm signify2
.Fl s Ar privkey
.Xc
Specify signature parameters for signed packages.
Option parameters are as follows:
.Bl -tag -width signify2
.It Cm signify2
Choose
.Xr signify 1
new style signatures, where the
.Xr gzip 1
compressed data is signed.
.It Ar privkey
The path to the signer's private key.
For
.Cm signify ,
the private key name is used to set the
.Cm @signer
annotation.
If a corresponding public key is found, the first signatures will be
checked for key mismatches.
.El
.It Fl v
Turn on verbose output, display
.Sq Signed output/pkg.tgz
after each package is signed.
.El
.Sh SIGNATURE DETAILS
The signature is stored within the
.Xr gzip 1
comment, as plain text data, according to
.Xr signify 1
.Fl zS
mode.
It contains the ed25519 signature, some meta-information,
and SHA512/256 checksums for each 64K block of compressed data.
.Pp
Additionally, for further manual checking, the packing-list contains
a complete manifest of files within the package,
checksummed with
.Xr sha256 1
and annotated with proper
.Cm @mode ,
.Cm @user ,
.Cm @group
annotations, so that
.Xr pkg_add 1
will refuse to give special rights to any file which isn't properly annotated,
and so that it will abort on installation of a file whose checksum does not
match.
.Pp
Meta-information from
.Xr signify 1
gets inserted in the packing-list during extraction,
adding a
.Cm @digital-signature
annotation and a
.Cm @signer
annotation for further manual inspection.
.Sh SEE ALSO
.Xr cksum 1 ,
.Xr pkg_add 1 ,
.Xr signify 1 ,
.Xr tar 1 ,
.Xr package 5
.Sh HISTORY
The
.Nm
command first appeared in
.Ox 5.5 .
The signature process was completely redesigned for
.Ox 6.1 .
.Sh AUTHORS
.An Marc Espie
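The SIGNATURE DETAILS section says the signature text lives in the gzip comment and that the compressed data is checksummed in 64K blocks with SHA512/256. The following added example (not code from pkg_sign, signify or OpenBSD) models just those two layout facts: it writes a gzip member carrying a constructed placeholder comment in the RFC 1952 FCOMMENT field, parses the header back to locate the comment and the start of the compressed data, and checksums that data in 64K blocks so that any modified byte is caught. The comment text, the exact byte range signify hashes, and the `verify_blocks` logic are assumptions made for the demo; ed25519 verification and the real signify comment format are not reproduced.

```python
# Added example: a minimal model of pkg_sign(1)'s SIGNATURE DETAILS layout.
# Not OpenBSD code. The comment contents, the byte range hashed and the
# verification helper are assumptions for illustration only.
import gzip
import hashlib
import random
import struct
import zlib

BLOCK = 64 * 1024                    # block size named on the page: 64K of compressed data
FEXTRA, FNAME, FCOMMENT, FHCRC = 0x04, 0x08, 0x10, 0x02   # RFC 1952 header flags

# Constructed sample: pseudo-random (hence incompressible) payload, so the
# compressed stream spans several 64K blocks. One seeded generator, reused.
_rng = random.Random(1)
SAMPLE_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(150_000))
# Constructed placeholder standing in for the signify signature block.
SAMPLE_COMMENT = ("untrusted comment: constructed example, not a real signature\n"
                  "RWQ<placeholder-base64-signature>\n"
                  "algorithm=SHA512/256 blocksize=65536")


def block_digest(data: bytes) -> bytes:
    """SHA-512/256 of one block (the algorithm the page names). On Python builds
    whose OpenSSL lacks sha512_256, fall back to SHA-256 (also 32 bytes); that
    fallback is a demo compromise, not what signify does."""
    if "sha512_256" in hashlib.algorithms_available:
        return hashlib.new("sha512_256", data).digest()
    return hashlib.sha256(data).digest()


def build_gzip_with_comment(payload: bytes, comment: str) -> bytes:
    """Write one gzip member whose header carries `comment` in FCOMMENT."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)      # -15: raw deflate, no zlib wrapper
    body = co.compress(payload) + co.flush()
    header = struct.pack("<2sBBIBB", b"\x1f\x8b", 8, FCOMMENT, 0, 0, 255)
    header += comment.encode("latin-1") + b"\x00"    # RFC 1952: ISO 8859-1, NUL-terminated
    trailer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF, len(payload) & 0xFFFFFFFF)
    return header + body + trailer


def parse_gzip_header(blob: bytes):
    """Return (comment or None, offset of the first byte after the header)."""
    if blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("not a gzip/deflate member")
    flags, pos = blob[3], 10
    if flags & FEXTRA:
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & FNAME:
        pos = blob.index(b"\x00", pos) + 1
    comment = None
    if flags & FCOMMENT:
        end = blob.index(b"\x00", pos)
        comment = blob[pos:end].decode("latin-1")
        pos = end + 1
    if flags & FHCRC:
        pos += 2
    return comment, pos


def block_checksums(blob: bytes, start: int) -> list:
    """Digest of each 64K block of the stream after the header (assumed range)."""
    return [block_digest(blob[i:i + BLOCK]) for i in range(start, len(blob), BLOCK)]


def verify_blocks(blob: bytes, start: int, expected: list) -> bool:
    """True only if every block digest matches; any changed byte flips one block."""
    actual = block_checksums(blob, start)
    return len(actual) == len(expected) and all(a == e for a, e in zip(actual, expected))


def decompress_payload(blob: bytes) -> bytes:
    """Ordinary gzip readers ignore the comment; the data still inflates normally."""
    return gzip.decompress(blob)


def flip_byte(blob: bytes, index: int) -> bytes:
    """Constructed tamper: invert one byte of the compressed stream."""
    b = bytearray(blob)
    b[index] ^= 0xFF
    return bytes(b)


if __name__ == "__main__":
    blob = build_gzip_with_comment(SAMPLE_PAYLOAD, SAMPLE_COMMENT)
    comment, data_start = parse_gzip_header(blob)
    sums = block_checksums(blob, data_start)
    print("comment:", comment.splitlines()[0])
    print("blocks:", len(sums), "checksums ok:", verify_blocks(blob, data_start, sums))
    tampered = flip_byte(blob, data_start + BLOCK + 7)
    print("after tamper:", verify_blocks(tampered, data_start, sums))
```

The point of storing the signature in the header comment is visible in `decompress_payload`: `gzip(1)`-compatible tools read past the comment and inflate the archive unchanged, so a signed package remains an ordinary `.tgz` for anyone not checking the signature, while a verifier can locate the comment before touching the compressed data.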