pkg_sign(1)

NAME

pkg_sign, pkg_check - handle package signatures

SYNOPSIS

pkg_sign [-sc] [-t type] [-u id] [-k key] [file ...]
pkg_check [-sc] [-u id] [-k cert] [file ...]

DESCRIPTION

The pkg_sign utility embeds a cryptographic signature within
a gzip file
file. type can be pgp (default), sha1, or x509. If type is
pgp, it will
always prompt you for a passphrase to unlock your private
pgp key, even
if you do not use a passphrase (which is a bad idea, any
way). If type is
sha1, you must supply an id, which will be recorded as the
name of the
package, and printed as the SHA1 checksum.
The pkg_check utility checks that cryptographic signature.
It currently
disregards type and checks only the topmost signature. For
sha1, it
checksums the file and verifies that the result matches the
list of
checksums recorded in /var/db/pkg/SHA1.
Options -s and -c can be used to force package signing or
signature
checking mode.
For pgp, the id to use to sign the package or verify the
signature can be
forced with -u.
For x509, the signing key or verification certificate may be
specified
with the -k option. If not specified, packages are signed
or verified
with the default keys and certificates documented below.
If file is a single dash (`-') or absent, pkg_sign reads
from the standard input.
Package signing uses a feature of the gzip format, namely
that one can
set a flag EXTRA_FIELD in the gzip header and store extra
data between
the gzip header and the compressed file proper. The OpenBSD
signing
scheme uses eight bytes markers such `SIGPGP' + length or
`CKSHA1' +
length for its signatures (those markers are conveniently
eight bytes
long).

FILES

file.sign Temporary file built by pkg_sign from
file.
/usr/local/bin/pgp Default path to pgp(1).
/var/db/pkgs/SHA1 Recorded checksums.
/etc/ssl/pkg.key Default package signing key.
/etc/ssl/pkg.crt Default package verification certifi
cate(s).

EXIT STATUS

The pkg_sign and pkg_check utilities return with an exit
code >0 if anything went wrong for any file. For pkg_check, this usually
indicates
that the package is not signed, or that the signature is
forged.

DIAGNOSTICS

File %s is already signed There is a signature embedded
within the gzip
file already. The pkg_sign utility currently does not han
dle multiple
signatures.
File %s is not a signed gzip file This is an unsigned pack
age.
File %s is not a gzip file The program could not find a
proper gzip
header.
File %s contains an unknown extension The extended area of
the gzip file
has been used for an unknown purpose.
File %s uses old signatures, no longer supported The gzip
file uses a
very early version of package signing that was substantially
slower.

SEE ALSO

gzip(1), pgp(1), pkg_add(1), sha1(1)

AUTHORS

A pkg_sign utility was created by Marc Espie for the OpenBSD
Project.
X.509 signatures and FreeBSD support added by Wes Peters
<wes@softweyr.com>.

BUGS

The pgp(1) utility is an ill-designed program, which is hard
to interface
with. For instance, the `separate signing scheme' it pre
tends to offer
is useless, as it cannot be used with pipes, so that
pgp_sign needs to
kludge it by knowing the length of a pgp signature, and in
voking pgp in
`seamless' signature mode, without compression of the main
file, and just
retrieving the signature.
The checking scheme is little less convoluted, namely we re
build the file
that pgp expects on the fly.
Paths to pgp and the checksum file are hard-coded to avoid
tampering and
hinder flexibility.
BSD September 24, 1999

BSD

Copyright © 2010-2025 Platon Technologies, s.r.o.           Index | Man stránky | tLDP | Dokumenty | Utilitky | O projekte
Design by styleshout