PKG_SIGN(1) MidnightBSD General Commands Manual PKG_SIGN(1)

NAME

pkg_sign, pkg_check — handle package signatures

SYNOPSIS

pkg_sign [−sc] [−t type] [−u id] [−k key] [file ...]
pkg_check
[−sc] [−u id] [−k cert] [file ...]

DESCRIPTION

The pkg_sign utility embeds a cryptographic signature within a gzip file file. type can be pgp (default), sha1, or x509. If type is pgp, it will always prompt you for a passphrase to unlock your private pgp key, even if you do not use a passphrase (which is a bad idea, anyway). If type is sha1, you must supply an id, which will be recorded as the name of the package, and printed as the SHA1 checksum.

The pkg_check utility checks that cryptographic signature. It currently disregards type and checks only the topmost signature. For sha1, it checksums the file and verifies that the result matches the list of checksums recorded in /var/db/pkg/SHA1.

Options −s and −c can be used to force package signing or signature checking mode.

For pgp, the id to use to sign the package or verify the signature can be forced with −u.

For x509, the signing key or verification certificate may be specified with the −k option. If not specified, packages are signed or verified with the default keys and certificates documented below.

If file is a single dash (‘’) or absent, pkg_sign reads from the standard input.

Package signing uses a feature of the gzip format, namely that one can set a flag EXTRA_FIELD in the gzip header and store extra data between the gzip header and the compressed file proper. The OpenBSD signing scheme uses eight bytes markers such ‘SIGPGP’ + length or ‘CKSHA1’ + length for its signatures (those markers are conveniently eight bytes long).

FILES
file.sign

Temporary file built by pkg_sign from file.

/usr/local/bin/pgp

Default path to pgp(1).

/var/db/pkgs/SHA1

Recorded checksums.

/etc/ssl/pkg.key

Default package signing key.

/etc/ssl/pkg.crt

Default package verification certificate(s).

EXIT STATUS

The pkg_sign and pkg_check utilities return with an exit code >0 if anything went wrong for any file. For pkg_check, this usually indicates that the package is not signed, or that the signature is forged.

DIAGNOSTICS

File %s is already signed  There is a signature embedded within the gzip file already. The pkg_sign utility currently does not handle multiple signatures.

File %s is not a signed gzip file  This is an unsigned package.

File %s is not a gzip file  The program could not find a proper gzip header.

File %s contains an unknown extension  The extended area of the gzip file has been used for an unknown purpose.

File %s uses old signatures, no longer supported  The gzip file uses a very early version of package signing that was substantially slower.

SEE ALSO

gzip(1), pgp(1), pkg_add(1), sha1(1)

AUTHORS

A pkg_sign utility was created by Marc Espie for the OpenBSD Project. X.509 signatures and FreeBSD support added by Wes Peters 〈wes@softweyr.com〉.

BUGS

The pgp(1) utility is an ill-designed program, which is hard to interface with. For instance, the ‘separate signing scheme’ it pretends to offer is useless, as it cannot be used with pipes, so that pgp_sign needs to kludge it by knowing the length of a pgp signature, and invoking pgp in ‘seamless’ signature mode, without compression of the main file, and just retrieving the signature.

The checking scheme is little less convoluted, namely we rebuild the file that pgp expects on the fly.

Paths to pgp and the checksum file are hard-coded to avoid tampering and hinder flexibility.

MidnightBSD 0.3 September 24, 1999 MidnightBSD 0.3