.\" $OpenBSD: pkg_sign.1,v 1.8 2015/09/25 16:56:26 schwarze Exp $
.\" Copyright (c) 2014 Marc Espie <espie@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: September 25 2015 $
.Dt PKG_SIGN 1
.Os
.Sh NAME
.Nm pkg_sign
.Nd sign binary packages for distribution
.Sh SYNOPSIS
.Nm pkg_sign
.Bk -words
.Op Fl Cvi
.Op Fl D Ar name Ns Op = Ns Ar value
.Op Fl j Ar maxjobs
.Op Fl o Ar dir
.Fl s Cm signify Ns | Ns Cm x509
.Op Fl s Ar cert
.Fl s Ar privkey
.Op Fl S Ar source
.Op Ar pkg-name ...
.Ek
.Sh DESCRIPTION
The
.Nm
command is used to sign existing collections of binary packages
created by
.Xr pkg_create 1 .
.Pp
It will sign the packages and, optionally, produce a
.Pa SHA256
manifest file in the output directory.
The options are as follows:
.Bl -tag -width Ds
.It Fl C
Append
.Xr sha256 1
checksums to
.Pa SHA256
in the output directory, then sort it.
.It Fl D Ar resign
Allows signing over already signed packages.
Obviously, this checks the existing signature first,
so the
.Fl D Ar SIGNER
and
.Fl D Ar nosig
also apply with the same semantics as
.Xr pkg_add 1 .
.It Fl i
Incremental mode.
Ignore packages that are already in the output repository.
Note that, in verbose mode, they will still show up as
.Sq Signed
in the listing.
.It Fl j Ar maxjobs
Sign existing packages in parallel.
.It Fl o Ar dir
Specify output directory for signing packages.
Otherwise, unsigned packages are created in the current directory.
.It Fl S Ar source
Source repository for packages to be signed.
This can be any URL admissible for a
.Ev PKG_PATH ,
so that it is possible to sign packages during a transfer, e.g.,
.Bd -literal -offset indent
pkg_sign -s signify -s mykey-pkg.sec \e
    -o output -S scp://build-machine/packages/
.Ed
.It Xo
.Fl s Cm signify Ns | Ns Cm x509
.Op Fl s Ar cert
.Fl s Ar privkey
.Xc
Specify signature parameters for signed packages.
Option parameters are as follows:
.Bl -tag -width signify|x509 -compact
.It Cm signify Ns | Ns Cm x509
choose
.Xr signify 1
or X.509-style signatures.
.It Ar cert
the path to the signer's certificate (X.509 only)
.It Ar privkey
the path to the signer's private key.
For
.Cm signify ,
the private key name is used to set the
.Cm @signer
annotation.
If a corresponding public key is found, the first signatures will be
checked for key mismatches.
.El
.Pp
For X.509, the signer's certificate and the signer's private key
should be generated using standard openssl x509 commands.
This assumes the existence of a certificate authority (or several), whose
public information is recorded as a
.Pa /etc/ssl/pkgca.pem
file.
.It Fl v
Turn on verbose output, display
.Sq Signed output/pkg.tgz
after each package is signed.
.El
.Sh SIGNATURE DETAILS
The packing-list is extracted from the source package:
it already contains a complete manifest of files within the package,
checksummed with
.Xr sha256 1
and annotated with proper
.Cm @mode ,
.Cm @user ,
.Cm @group
annotations, so that
.Xr pkg_add 1
will refuse to give special rights to any file which isn't properly annotated,
and so that it will abort on installation of a file whose checksum does not
match.
.Pp
That packing list is a text file that is signed using the provided method,
adding a
.Cm @digital-signature
annotation.
The signed package is then created, by putting the signed packing-list at
the start of the new package, and then blindly copying the rest of the source
package: there is no need to re-checksum any of the files;
if someone tampers with them later, their checksum will not match.
.Sh SEE ALSO
.Xr openssl 1 ,
.Xr pkg_add 1 ,
.Xr pkg_create 1 ,
.Xr sha256 1 ,
.Xr signify 1 ,
.Xr tar 1 ,
.Xr package 5
.Sh HISTORY
The
.Nm
command first appeared in
.Ox 5.5 .
.Sh AUTHORS
.An Marc Espie
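
The scheme described under SIGNATURE DETAILS, as an added example that is not part of pkg_sign or of the original manual page: only the packing-list is signed, and later tampering with a file shows up as a checksum mismatch against the signed list. HMAC-SHA256 stands in for signify or X.509 here, and the key, the simplified packing-list layout, the demo-hmac signature format and all sample data are constructed assumptions.

```python
import base64
import hashlib
import hmac

KEY = b"constructed-demo-key"            # stand-in signing key (assumption)
TAG = "@digital-signature demo-hmac:"    # constructed format, not pkg_sign's

def sha_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def make_packing_list(files):
    """Simplified packing-list: each file name followed by its @sha line."""
    lines = ["@name demo-1.0"]
    for name in sorted(files):
        lines += [name, "@sha " + sha_b64(files[name])]
    return "\n".join(lines) + "\n"

def mac(text):
    return hmac.new(KEY, text.encode(), hashlib.sha256).hexdigest()

def sign(plist):
    """Sign the packing-list text only; file contents are never re-read."""
    return plist + TAG + mac(plist) + "\n"

def verify(signed, files):
    """Return a list of problems; an empty list means the package is intact."""
    body, _, last = signed.rstrip("\n").rpartition("\n")
    body += "\n"
    if not last.startswith(TAG) or not hmac.compare_digest(last[len(TAG):], mac(body)):
        return ["bad signature on packing-list"]
    problems, name, listed = [], "", set()
    for line in body.splitlines():
        if line.startswith("@sha "):
            listed.add(name)
            if name not in files:
                problems.append("missing file: " + name)
            elif sha_b64(files[name]) != line[5:]:
                problems.append("checksum mismatch: " + name)
        elif not line.startswith("@"):
            name = line                  # a plain line names the next file
    problems += ["unlisted file: " + n for n in sorted(set(files) - listed)]
    return problems

# Constructed sample package contents.
FILES = {"bin/demo": b"#!/bin/sh\necho hi\n", "share/doc/demo/README": b"demo\n"}
SIGNED = sign(make_packing_list(FILES))

if __name__ == "__main__":
    print(verify(SIGNED, FILES))
```
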