pkg_sign, pkg_check -- handle package signatures
pkg_sign [-sc] [-t type] [-u id] [-k key] [file ...]
pkg_check [-sc] [-u id] [-k cert] [file ...]
The pkg_sign utility embeds a cryptographic signature within a gzip file
file. type can be pgp (default), sha1, or x509. If type is pgp, it will
always prompt you for a passphrase to unlock your private pgp key, even
if you don't use a passphrase (which is a bad idea, anyway). If type is
sha1, you must supply an id, which will be recorded as the name of the
package, and printed as the SHA1 checksum.
The pkg_check utility checks that cryptographic signature. It currently
disregards type and checks only the topmost signature. For sha1, it
checksums the file and verifies that the result matches the list of
checksums recorded in /var/db/pkg/SHA1.
Options -s and -c can be used to force package signing or signature
For pgp, the id to use to sign the package or verify the signature can be
forced with -u.
For x509, the signing key or verification certificate may be specified
with the -k option. If not specified, packages are signed or verified
with the default keys and certificates documented below.
If file is a single dash (`-') or absent, pkg_sign reads from the standard
Package signing uses a feature of the gzip format, namely that one can
set a flag EXTRA_FIELD in the gzip header and store extra data between
the gzip header and the compressed file proper. The OpenBSD signing
scheme uses eight bytes markers such `SIGPGP' + length or `CKSHA1' +
length for its signatures (those markers are conveniently eight bytes
The pkg_sign and pkg_check utilities return with an exit code >0 if anything
went wrong for any file. For pkg_check, this usually indicates
that the package is not signed, or that the signature is forged.
File %s is already signed There is a signature embedded within the gzip
file already. The pkg_sign utility currently does not handle multiple
File %s is not a signed gzip file This is an unsigned package.
File %s is not a gzip file The program couldn't find a proper gzip
File %s contains an unknown extension The extended area of the gzip file
has been used for an unknown purpose.
File %s uses old signatures, no longer supported The gzip file uses a
very early version of package signing that was substantially slower.
The pgp(1) utility is an ill-designed program, which is hard to interface
with. For instance, the `separate signing scheme' it pretends to offer
is useless, as it can't be used with pipes, so that pgp_sign needs to
kludge it by knowing the length of a pgp signature, and invoking pgp in
`seamless' signature mode, without compression of the main file, and just
retrieving the signature.
The checking scheme is little less convoluted, namely we rebuild the file
that pgp expects on the fly.
Paths to pgp and the checksum file are hard-coded to avoid tampering and
file.sign Temporary file built by pkg_sign from file.
/usr/local/bin/pgp Default path to pgp(1).
/var/db/pkgs/SHA1 Recorded checksums.
/etc/ssl/pkg.key Default package signing key.
/etc/ssl/pkg.crt Default package verification certificate(s).
gzip(1), pgp(1), pkg_add(1), sha1(1)
A pkg_sign utility was created by Marc Espie for the OpenBSD Project.
X.509 signatures and FreeBSD support added by Wes Peters
FreeBSD 5.2.1 September 24, 1999 FreeBSD 5.2.1 [ Back ]