The pkg_sign utility embeds a cryptographic signature within a gzip file file. type can be pgp (default), sha1, or x509. If type is pgp, it will always prompt you for a passphrase to unlock your private pgp key, even if you do not use a passphrase (which is a bad idea, anyway). If type is sha1, you must supply an id, which will be recorded as the name of the package, and printed as the SHA1 checksum.
The pkg_check utility checks that cryptographic signature. It currently disregards type and checks only the topmost signature. For sha1, it checksums the file and verifies that the result matches the list of checksums recorded in /var/db/pkg/SHA1.
Options -s and -c can be used to force package signing or signature checking mode.
For pgp, the id to use to sign the package or verify the signature can be forced with -u .
For x509, the signing key or verification certificate may be specified with the -k option. If not specified, packages are signed or verified with the default keys and certificates documented below.
If file is a single dash ('') or absent, pkg_sign reads from the standard input.
Package signing uses a feature of the gzip format, namely that one can set a flag EXTRA_FIELD in the gzip header and store extra data between the gzip header and the compressed file proper. The
.Ox signing scheme uses eight bytes markers such 'SIGPGP' + length or 'CKSHA1' + length for its signatures (those markers are conveniently eight bytes long).