Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
PKG_SIGN(1)		  BSD General Commands Manual		   PKG_SIGN(1)

     pkg_sign, pkg_check -- handle package signatures

     pkg_sign [-sc] [-t	type] [-u id] [-k key] [file ...]
     pkg_check [-sc] [-u id] [-k cert] [file ...]

     The pkg_sign utility embeds a cryptographic signature within a gzip file
     file.  type can be	pgp (default), sha1, or	x509.  If type is pgp, it will
     always prompt you for a passphrase	to unlock your private pgp key,	even
     if	you don't use a	passphrase (which is a bad idea, anyway).  If type is
     sha1, you must supply an id, which	will be	recorded as the	name of	the
     package, and printed as the SHA1 checksum.

     The pkg_check utility checks that cryptographic signature.	 It currently
     disregards	type and checks	only the topmost signature.  For sha1, it
     checksums the file	and verifies that the result matches the list of
     checksums recorded	in /var/db/pkg/SHA1.

     Options -s	and -c can be used to force package signing or signature
     checking mode.

     For pgp, the id to	use to sign the	package	or verify the signature	can be
     forced with -u.

     For x509, the signing key or verification certificate may be specified
     with the -k option.  If not specified, packages are signed	or verified
     with the default keys and certificates documented below.

     If	file is	a single dash (`-') or absent, pkg_sign	reads from the stan-
     dard input.

     Package signing uses a feature of the gzip	format,	namely that one	can
     set a flag	EXTRA_FIELD in the gzip	header and store extra data between
     the gzip header and the compressed	file proper.  The OpenBSD signing
     scheme uses eight bytes markers such `SIGPGP' + length or `CKSHA1'	+
     length for	its signatures (those markers are conveniently eight bytes

     The pkg_sign and pkg_check	utilities return with an exit code >0 if any-
     thing went	wrong for any file.  For pkg_check, this usually indicates
     that the package is not signed, or	that the signature is forged.

     File %s is	already	signed	There is a signature embedded within the gzip
     file already.  The	pkg_sign utility currently does	not handle multiple

     File %s is	not a signed gzip file	This is	an unsigned package.

     File %s is	not a gzip file	 The program couldn't find a proper gzip

     File %s contains an unknown extension  The	extended area of the gzip file
     has been used for an unknown purpose.

     File %s uses old signatures, no longer supported  The gzip	file uses a
     very early	version	of package signing that	was substantially slower.

     The pgp(1)	utility	is an ill-designed program, which is hard to interface
     with.  For	instance, the `separate	signing	scheme'	it pretends to offer
     is	useless, as it can't be	used with pipes, so that pgp_sign needs	to
     kludge it by knowing the length of	a pgp signature, and invoking pgp in
     `seamless'	signature mode,	without	compression of the main	file, and just
     retrieving	the signature.

     The checking scheme is little less	convoluted, namely we rebuild the file
     that pgp expects on the fly.

     Paths to pgp and the checksum file	are hard-coded to avoid	tampering and
     hinder flexibility.

     file.sign		 Temporary file	built by pkg_sign from file.
     /usr/local/bin/pgp	 Default path to pgp(1).
     /var/db/pkgs/SHA1	 Recorded checksums.
     /etc/ssl/pkg.key	 Default package signing key.
     /etc/ssl/pkg.crt	 Default package verification certificate(s).

     gzip(1), pgp(1), pkg_add(1), sha1(1)

     A pkg_sign	utility	was created by Marc Espie for the OpenBSD Project.
     X.509 signatures and FreeBSD support added	by Wes Peters

BSD			      September	24, 1999			   BSD


Want to link to this manual page? Use this URL:

home | help