PKG-REPO(8)             FreeBSD System Manager's Manual            PKG-REPO(8)

NAME
     pkg repo - creates a package repository catalogue

SYNOPSIS
     pkg repo [-lq] [-o output-dir]
              <repo-path> [<rsa-key> | signing_command: <the command>]

DESCRIPTION
     pkg repo is used for creating a catalogue of the available packages in a
     repository.  pkg repo catalogues are necessary for sharing your package
     repository with other people.

     When pkg repo is invoked it creates a package repository catalogue
     (repo.sqlite), with an optional cryptographic signature, as a compressed
     tarball (repo.txz).  Repository users download and cache this on their
     local machines, for fast lookup of available packages by programs such as

     To create a package repository catalogue you must specify the top-level
     directory where all the packages are stored as repo-path.  pkg repo will
     search the filesystem beneath repo-path to find all the packages it
     contains.  Symbolic links are ignored, and only the most recent package
     for each origin is included in the catalogue.

     The repository will be created in the package directory unless -o
     output-dir is specified, in which case it will be created there.

     Optionally you may sign the repository catalogue by specifying the path
     to an RSA private key as the rsa-key argument or an external command.

     If rsa-key is used, the SHA256 of the repository is signed using the
     provided key.  The signature is added into the repository catalogue.  The
     client side should use SIGNATURE_TYPE set to PUBKEY and PUBKEY set to a
     local path of the public key in its pkg.conf.

     An external command can be useful to create a signing server to keep the
     private key separate from the repository.  The external command is passed
     the SHA256 of the repository catalogue on its stdin.  It should output
     the following format:

           SIGNATURE
           signature data here
           CERT
           public key data here
           END

     When using an external command, the client's pkg.conf must have
     SIGNATURE_TYPE set to FINGERPRINTS and FINGERPRINTS set to a directory
     that contains a trusted/myrepo file holding a fingerprint-style
     representation of the public key:

           function: sha256
           fingerprint: sha256_representation_of_the_public_key

     See EXAMPLES section and pkg.conf(5) for more information.

     Signing the catalogue is strongly recommended.

OPTIONS
     The following options are supported by pkg repo:

     -q  Force quiet output

     -l  Generate list of all files in repo as filesite.txz archive.

     -o output-dir
         Create the repository in the specified directory instead of the
         package directory.

ENVIRONMENT
     The following environment variables affect the execution of pkg repo.
     See pkg.conf(5) for further description.


     See pkg.conf(5).

SEE ALSO
     pkg.conf(5), pkg(8), pkg-add(8), pkg-annotate(8), pkg-audit(8),
     pkg-autoremove(8), pkg-backup(8), pkg-check(8), pkg-clean(8),
     pkg-config(8), pkg-convert(8), pkg-create(8), pkg-delete(8),
     pkg-fetch(8), pkg-info(8), pkg-install(8), pkg-lock(8), pkg-query(8),
     pkg-register(8), pkg-rquery(8), pkg-search(8), pkg-set(8), pkg-shell(8),
     pkg-shlib(8), pkg-stats(8), pkg-update(8), pkg-updating(8),
     pkg-upgrade(8), pkg-version(8), pkg-which(8)

EXAMPLES
     Create an RSA key pair:

           % openssl genrsa -out repo.key 2048
           % chmod 0400 repo.key
           % openssl rsa -in repo.key -out -pubout

     Create a repository and sign it with a local RSA key.  The public key
     would be shared on all client servers, with SIGNATURE_TYPE set to PUBKEY
     and its path set via the PUBKEY setting in pkg.conf(5):

           pkg repo /usr/ports/packages repo.key

     Create a repository and sign it with an external command.  The client
     should set, via pkg.conf(5), SIGNATURE_TYPE to FINGERPRINTS and
     FINGERPRINTS to a path containing a file with the SHA256 of the public

           # On signing server:
           % cat > << EOF
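           # the dollar signs are escaped so that sum is expanded when the
           # script runs, not when this here-document is written
           read -t 2 sum
           [ -z "\$sum" ] && exit 1
           echo SIGNATURE
           echo -n \$sum | /usr/bin/openssl dgst -sign repo.key -sha256 -binary
           echo CERT
           # the public key data is written here, between CERT and END
           echo END
           EOF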

           # On package server:
           % pkg repo /usr/ports/packages signing_command: ssh signing-server
           # Generate fingerprint for sharing with clients
           % sh -c '( echo "function: sha256"; echo "fingerprint: $(sha256 -q"; ) > fingerprint'
           # The 'fingerprint' file should be distributed to all clients.

           # On clients with FINGERPRINTS: /usr/local/etc/pkg/fingerprints/myrepo:
           $ mkdir -p /usr/local/etc/pkg/fingerprints/myrepo/trusted
           # Add 'fingerprint' into /usr/local/etc/pkg/fingerprints/myrepo/trusted
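
     The following is an added example, not part of the original manual page
     or of pkg itself: a check that the public key returned by a signing
     command matches a fingerprint file distributed to clients.  It assumes
     the output is framed exactly as the script above writes it (SIGNATURE,
     binary signature, CERT, PEM public key, END) and that the fingerprint is
     the SHA256 of the public key file; all function names and sample data
     are constructed for illustration.

```python
import hashlib

def parse_signing_output(data: bytes):
    """Split signing_command output into (signature, public_key)."""
    head, cert, tail = b"SIGNATURE\n", b"CERT\n", b"END\n"
    if not (data.startswith(head) and data.endswith(tail)):
        raise ValueError("missing SIGNATURE or END marker")
    # The signature is raw binary, so anchor CERT on the PEM header after it.
    cut = data.rfind(cert + b"-----BEGIN ")
    if cut <= len(head):
        raise ValueError("missing CERT marker or empty signature")
    signature = data[len(head):cut]
    public_key = data[cut + len(cert):len(data) - len(tail)]
    return signature, public_key

def fingerprint_file(public_key: bytes) -> str:
    """Render the two-line fingerprint file placed under trusted/."""
    digest = hashlib.sha256(public_key).hexdigest()
    return f"function: sha256\nfingerprint: {digest}\n"

def read_fingerprint(text: str) -> str:
    """Return the hex digest from a fingerprint file, or raise ValueError."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip().strip('"')
    if fields.get("function") != "sha256" or "fingerprint" not in fields:
        raise ValueError("not a sha256 fingerprint file")
    return fields["fingerprint"].lower()

def key_is_trusted(data: bytes, trusted_files) -> bool:
    """True if the CERT block hashes to one of the trusted fingerprints."""
    _, public_key = parse_signing_output(data)
    seen = hashlib.sha256(public_key).hexdigest()
    return any(seen == read_fingerprint(t) for t in trusted_files)

# Constructed sample data: a placeholder PEM body and a 256-byte stand-in
# for an RSA-2048 signature (not a real key or signature).
SAMPLE_KEY = (b"-----BEGIN PUBLIC KEY-----\nQ09OU1RSVUNURUQ=\n"
              b"-----END PUBLIC KEY-----\n")
SAMPLE_OUTPUT = b"SIGNATURE\n" + bytes(range(256)) + b"CERT\n" + SAMPLE_KEY + b"END\n"

if __name__ == "__main__":
    trusted = [fingerprint_file(SAMPLE_KEY)]
    print("trusted:", key_is_trusted(SAMPLE_OUTPUT, trusted))
```

     This only checks which key is being presented; verifying the signature
     itself against that key is still done by pkg on the client.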

FreeBSD 11.0-PRERELEASE        November 12, 2013       FreeBSD 11.0-PRERELEASE