FreeBSD 7.0 manual page repository

FreeBSD is a free computer operating system based on BSD UNIX originally. Many IT companies, like DeployIS is using it to provide an up-to-date, stable operating system.

pkg_sign, pkg_check - handle package signatures

 

NAME

      pkg_sign, pkg_check - handle package signatures
 

SYNOPSIS

      pkg_sign [-sc] [-t type] [-u id] [-k key] [file ...]
      pkg_check [-sc] [-u id] [-k cert] [file ...]
 

DESCRIPTION

      The pkg_sign utility embeds a cryptographic signature within a gzip file
      file.  type can be pgp (default), sha1, or x509.  If type is pgp, it will
      always prompt you for a passphrase to unlock your private pgp key, even
      if you do not use a passphrase (which is a bad idea, anyway).  If type is
      sha1, you must supply an id, which will be recorded as the name of the
      package, and printed as the SHA1 checksum.
 
      The pkg_check utility checks that cryptographic signature.  It currently
      disregards type and checks only the topmost signature.  For sha1, it
      checksums the file and verifies that the result matches the list of
      checksums recorded in /var/db/pkg/SHA1.
 
      Options -s and -c can be used to force package signing or signature
      checking mode.
 
      For pgp, the id to use to sign the package or verify the signature can be
      forced with -u.
 
      For x509, the signing key or verification certificate may be specified
      with the -k option.  If not specified, packages are signed or verified
      with the default keys and certificates documented below.
 
      If file is a single dash (‘-’) or absent, pkg_sign reads from the stan‐
      dard input.
 
      Package signing uses a feature of the gzip format, namely that one can
      set a flag EXTRA_FIELD in the gzip header and store extra data between
      the gzip header and the compressed file proper.  The OpenBSD signing
      scheme uses eight bytes markers such ‘SIGPGP’ + length or ‘CKSHA1’ +
      length for its signatures (those markers are conveniently eight bytes
      long).
 

FILES

      file.sign           Temporary file built by pkg_sign from file.
      /usr/local/bin/pgp  Default path to pgp(1).
      /var/db/pkgs/SHA1   Recorded checksums.
      /etc/ssl/pkg.key    Default package signing key.
      /etc/ssl/pkg.crt    Default package verification certificate(s).
      The pkg_sign and pkg_check utilities return with an exit code >0 if any‐
      thing went wrong for any file.  For pkg_check, this usually indicates
      that the package is not signed, or that the signature is forged.
 

DIAGNOSTICS

      File %s is already signed  There is a signature embedded within the gzip
      file already.  The pkg_sign utility currently does not handle multiple
      signatures.
 
      File %s is not a signed gzip file  This is an unsigned package.
 
      File %s is not a gzip file  The program could not find a proper gzip
      header.
 
      File %s contains an unknown extension  The extended area of the gzip file
      has been used for an unknown purpose.
 
      File %s uses old signatures, no longer supported  The gzip file uses a
      very early version of package signing that was substantially slower.
      gzip(1), pgp(1), pkg_add(1), sha1(1)
 

AUTHORS

      A pkg_sign utility was created by Marc Espie for the OpenBSD Project.
      X.509 signatures and FreeBSD support added by Wes Peters
      〈wes@softweyr.com〉.
 

BUGS

      The pgp(1) utility is an ill-designed program, which is hard to interface
      with.  For instance, the ‘separate signing scheme’ it pretends to offer
      is useless, as it cannot be used with pipes, so that pgp_sign needs to
      kludge it by knowing the length of a pgp signature, and invoking pgp in
      ‘seamless’ signature mode, without compression of the main file, and just
      retrieving the signature.
 
      The checking scheme is little less convoluted, namely we rebuild the file
      that pgp expects on the fly.
 
      Paths to pgp and the checksum file are hard-coded to avoid tampering and
      hinder flexibility.
 

Sections

Based on BSD UNIX
FreeBSD is an advanced operating system for x86 compatible (including Pentium and Athlon), amd64 compatible (including Opteron, Athlon64, and EM64T), UltraSPARC, IA-64, PC-98 and ARM architectures. It is derived from BSD, the version of UNIX developed at the University of California, Berkeley. It is developed and maintained by a large team of individuals. Additional platforms are in various stages of development.