IPnom Home • Manuals • FreeBSD

 FreeBSD Man Pages

Man Sections:Commands (1)System Calls (2)Library Functions (3)Device Drivers (4)File Formats (5)Miscellaneous (7)System Utilities (8)
Keyword Live Search (10 results max):
 Type in part of a command in the search box.


pkg_sign, pkg_check -- handle package signatures


     pkg_sign [-sc] [-t type] [-u id] [-k key] [file ...]
     pkg_check [-sc] [-u id] [-k cert] [file ...]


     The pkg_sign utility embeds a cryptographic signature within a gzip file
     file.  type can be pgp (default), sha1, or x509.  If type is pgp, it will
     always prompt you for a passphrase to unlock your private pgp key, even
     if you don't use a passphrase (which is a bad idea, anyway).  If type is
     sha1, you must supply an id, which will be recorded as the name of the
     package, and printed as the SHA1 checksum.

     The pkg_check utility checks that cryptographic signature.  It currently
     disregards type and checks only the topmost signature.  For sha1, it
     checksums the file and verifies that the result matches the list of
     checksums recorded in /var/db/pkg/SHA1.

     Options -s and -c can be used to force package signing or signature
     checking mode.

     For pgp, the id to use to sign the package or verify the signature can be
     forced with -u.

     For x509, the signing key or verification certificate may be specified
     with the -k option.  If not specified, packages are signed or verified
     with the default keys and certificates documented below.

     If file is a single dash (`-') or absent, pkg_sign reads from the stan-
     dard input.

     Package signing uses a feature of the gzip format, namely that one can
     set a flag EXTRA_FIELD in the gzip header and store extra data between
     the gzip header and the compressed file proper.  The OpenBSD signing
     scheme uses eight bytes markers such `SIGPGP' + length or `CKSHA1' +
     length for its signatures (those markers are conveniently eight bytes


     The pkg_sign and pkg_check utilities return with an exit code >0 if any-
     thing went wrong for any file.  For pkg_check, this usually indicates
     that the package is not signed, or that the signature is forged.

     File %s is already signed	There is a signature embedded within the gzip
     file already.  The pkg_sign utility currently does not handle multiple

     File %s is not a signed gzip file	This is an unsigned package.

     File %s is not a gzip file  The program couldn't find a proper gzip

     File %s contains an unknown extension  The extended area of the gzip file
     has been used for an unknown purpose.

     `seamless' signature mode, without compression of the main file, and just
     retrieving the signature.

     The checking scheme is little less convoluted, namely we rebuild the file
     that pgp expects on the fly.

     Paths to pgp and the checksum file are hard-coded to avoid tampering and
     hinder flexibility.


     file.sign		 Temporary file built by pkg_sign from file.
     /usr/local/bin/pgp  Default path to pgp(1).
     /var/db/pkgs/SHA1	 Recorded checksums.
     /etc/ssl/pkg.key	 Default package signing key.
     /etc/ssl/pkg.crt	 Default package verification certificate(s).


     gzip(1), pgp(1), pkg_add(1), sha1(1)


     A pkg_sign utility was created by Marc Espie for the OpenBSD Project.
     X.509 signatures and FreeBSD support added by Wes Peters

FreeBSD 5.4		      September 24, 1999		   FreeBSD 5.4


Man(1) output converted with man2html , sed , awk