OpenBSD manual page server

Manual Page Search Parameters
PKG_SIGN(1) General Commands Manual PKG_SIGN(1)

pkg_signsign binary packages for distribution

pkg_sign [-Cvi] [-D name[=value]] [-j maxjobs] [-o dir-s signify2 -s privkey [-S source] [pkg-name ...]

The pkg_sign command is used to sign existing collections of binary packages created by pkg_create(1).

It will sign the packages and optionally, produce a SHA256 manifest file in the output directory. The options are as follows:

Append sha256(1) checksums to SHA256 in the output directory, then sort it.
Incremental mode. Ignore packages that are already in the output repository. Note that, in verbose mode, they will still show up as ‘Signed’ in the listing.
maxjobs
Sign existing packages in parallel.
dir
Specify output directory for signing packages. Otherwise, signed packages are created in the current directory.
source
Source repository for packages to be signed.
signify2 -s privkey
Specify signature parameters for signed packages. Option parameters are as follows:
Choose signify(1) new style signatures, where the gzip(1) compressed data is signed.
privkey
The path to the signer's private key. For signify, the private key name is used to set the @signer annotation. If a corresponding public key is found, the first signatures will be checked for key mismatches.
Turn on verbose output, display ‘Signed output/pkg.tgz’ after each package is signed.

The signature is stored within the gzip(1) comment, as plain text data, according to signify(1) -zS mode. It contains the ed25519 signature, some meta-information, and SHA512/256 checksums for each 64K block of compressed data.

Additionally, for further manual checking, the packing-list contains a complete manifest of files within the package, checksummed with sha256(1) and annotated with proper @mode, @user, @group annotations, so that pkg_add(1) will refuse to give special rights to any file which isn't properly annotated, and so that it will abort on installation of a file whose checksum does not match.

Meta-information from signify(1) gets inserted in the packing-list during extraction, adding a @digital-signature annotation and a @signer annotation for further manual inspection.

cksum(1), pkg_add(1), signify(1), tar(1), package(5)

The pkg_sign command first appeared in OpenBSD 5.5. The signature process was completely redesigned for OpenBSD 6.1.

Marc Espie

February 11, 2022 OpenBSD-current