pkgsign

- Image Packaging System signing utility

Synopsis

/usr/bin/pkgsign [-a hash_algorithm]
    [-c path_to_signing_certificate]
    [-i path_to_intermediate_cert] ...
    [-k path_to_private_key] [-n] -s path_or_uri
    [--help] [--no-index] [--no-catalog]
    (fmri|pattern) ...

Description

pkgsign updates the manifest for the given FMRIs in place in the repository by adding a signature action using the provided key and certificates. The modified package retains the original timestamp.

Options

The following options are supported:

--help

Display a usage message.

-a hash_algorithm

Use the signature algorithm hash_algorithm instead of the default. The default signature algorithm is rsa-sha256. Supported signature algorithms are rsa-sha256, rsa-sha384, rsa-sha512, sha256, sha384, and sha512. A signature algorithm that only specifies a hash algorithm causes the signature value to be the hash of the manifest of the package. A signature algorithm that specifies rsa and a hash algorithm causes the signature value to be the hash of the manifest signed with the private key provided (see the -c and -k options).

-c path_to_signing_certificate

Add the certificate path_to_signing_certificate as the certificate to use when verifying the value of the signature in the action. The -c option can only be used with the -k option.

-i path_to_intermediate_cert

Add the certificate path_to_intermediate_cert as a certificate to use when validating the certificate path_to_signing_certificate given as an argument to -c. Multiple certificates can be provided by specifying -i multiple times.

-k path_to_private_key

Use the private key stored in path_to_private_key to sign the manifest. The -k option can only be used with the -c option. If -k is not set, then the signature value is the hash of the manifest.

-n

Perform a trial run that does not change the repository in any way.

-s path_or_uri

Sign packages in the repository at path_or_uri.

--no-index

Do not update the repository search indexes after the signed manifest has been republished.

--no-catalog

Do not update the repository catalog after the signed manifest has been republished.

Examples

Example 1 Sign Using the Hash Value of the Manifest

Sign a package published to http://localhost:10000 using the hash value of the manifest. This is often useful for testing.

$ pkgsign -s http://localhost:10000 -a sha256 \
example_pkg@1.0,5.11-0:20100626T030108Z

Example 2 Sign Using a Key and Certificate

Sign a package published into the file repository in /foo/bar using rsa-sha384 to hash and sign the manifest. The signature key is in /key/usr2.key, its associated certificate is in /key/usr2.cert, and a certificate needed to validate the certificate is in /icerts/usr1.cert.

$ pkgsign -s file:///foo/bar/ -a rsa-sha384 \
-k /key/usr2.key -c /key/usr2.cert -i /icerts/usr1.cert \
example_pkg@1.0,5.11-0:20100626T031341Z

Exit Status

The following exit values are returned:

0

Command succeeded.

1

An error occurred.

2

Invalid command line options were specified.

3

Multiple operations were requested, but only some of them succeeded.

99

An unanticipated exception occurred.

Attributes

See attributes(5) for descriptions of the following attributes:

See Also

pkg(1), pkgrecv(1), pkgsend(1), pkgrepo(1), pkg(5)

http://hub.opensolaris.org/bin/view/Project+pkg/