:man| Alphabetical   Categories   About us 
PKG_SIGN (1) | General commands | Unix Manual Pages | :man


pkg_sign, pkg_check - handle package signatures


Exit Status
See Also


pkg_sign [-sc] [-t type] [-u id] [-k key] [] pkg_check [-sc] [-u id] [-k cert] []


The pkg_sign utility embeds a cryptographic signature within a gzip file file. type can be pgp (default), sha1, or x509. If type is pgp, it will always prompt you for a passphrase to unlock your private pgp key, even if you do not use a passphrase (which is a bad idea, anyway). If type is sha1, you must supply an id, which will be recorded as the name of the package, and printed as the SHA1 checksum.

The pkg_check utility checks that cryptographic signature. It currently disregards type and checks only the topmost signature. For sha1, it checksums the file and verifies that the result matches the list of checksums recorded in /var/db/pkg/SHA1.

Options -s and -c can be used to force package signing or signature checking mode.

For pgp, the id to use to sign the package or verify the signature can be forced with -u .

For x509, the signing key or verification certificate may be specified with the -k option. If not specified, packages are signed or verified with the default keys and certificates documented below.

If file is a single dash ('') or absent, pkg_sign reads from the standard input.

Package signing uses a feature of the gzip format, namely that one can set a flag EXTRA_FIELD in the gzip header and store extra data between the gzip header and the compressed file proper. The
.Ox signing scheme uses eight bytes markers such 'SIGPGP' + length or 'CKSHA1' + length for its signatures (those markers are conveniently eight bytes long).


file.sign Temporary file built by pkg_sign from file.
/usr/local/bin/pgp Default path to pgp(1).
/var/db/pkgs/SHA1 Recorded checksums.
/etc/ssl/pkg.key Default package signing key.
/etc/ssl/pkg.crt Default package verification certificate(s).


The pkg_sign and pkg_check utilities return with an exit code >0 if anything went wrong for any file. For pkg_check, this usually indicates that the package is not signed, or that the signature is forged.


"File %s is already signed" There is a signature embedded within the gzip file already. The pkg_sign utility currently does not handle multiple signatures.
"File %s is not a signed gzip file" This is an unsigned package.
"File %s is not a gzip file" The program could not find a proper gzip header.
"File %s contains an unknown extension" The extended area of the gzip file has been used for an unknown purpose.
"File %s uses old signatures, no longer supported" The gzip file uses a very early version of package signing that was substantially slower.


gzip(1), pgp(1), pkg_add(1), sha1(1)




Created by Blin Media, 2008-2013