PKGSIGN(1) User Commands PKGSIGN(1)

pkgsign - Image Packaging System signing utility

pkgsign [-a hash_algorithm] [-c path_to_signing_certificate] [-i path_to_intermediate_cert]... [-k path_to_private_key] [-n] -s path_or_uri [--help] [--no-index] [--no-catalog] [--dkey ssl_key --cert ssl_cert] pkg_fmri_pattern...

pkgsign updates the manifest for the given FMRIs in place in the repository by adding a signature action using the provided key and certificates. The modified package retains the original timestamp.

The following options are supported:

--help
Display a usage message.
-a hash_algorithm
Use the signature algorithm hash_algorithm instead of the default. The default signature algorithm is rsa-sha256. Supported signature algorithms are rsa-sha256, rsa-sha384, , , , and . A signature algorithm that only specifies a hash algorithm causes the signature value to be the hash of the manifest of the package. A signature algorithm that specifies and a hash algorithm causes the signature value to be the hash of the manifest signed with the private key provided (see the -c and -k options).
-c path_to_signing_certificate
Add the certificate path_to_signing_certificate as the certificate to use when verifying the value of the signature in the action. The -c option can only be used with the -k option.
-i path_to_intermediate_cert
Add the certificate path_to_intermediate_cert as a certificate to use when validating the certificate path_to_signing_certificate given as an argument to -c. Multiple certificates can be provided by specifying -i multiple times.
-k path_to_private_key
Use the private key stored in path_to_private_key to sign the manifest. The -k option can only be used with the -c option. If -k is not set, then the signature value is the hash of the manifest.
-n
Perform a trial run that does not change the repository in any way.
-s path_or_uri
Sign packages in the repository at path_or_uri.
--no-index
Do not update the repository search indexes after the signed manifest has been republished.
--no-catalog
Do not update the repository catalog after the signed manifest has been republished.
--dkey ssl_key
Specify a client SSL key file to use for communication with a remote HTTPS repository.
--cert ssl_cert
Specify a client SSL certificate file to use for communication with a remote HTTPS repository.

The following operand is supported:

pkg_fmri_pattern
Specifies packages to sign. The pkg_fmri_pattern operand can include the ‘?’ and ‘*’ characters as glob(3C)-style wildcards to match one or more packages.

The following exit values are returned:

0
Command succeeded.
1
An error occurred.
2
Invalid command line options were specified.
3
Multiple operations were requested, but only some of them succeeded.
99
An unanticipated exception occurred.

Example 1 Sign Using the Hash Value of the Manifest

Sign a package published to http://localhost:10000 using the hash value of the manifest. This is often useful for testing.

pkgsign -s http://localhost:10000 -a sha256 \
    example_pkg@1.0,5.11-0:20100626T030108Z

Example 2 Sign Using a Key and Certificate

Sign a package published into the file repository in /foo/bar using rsa-sha384 to hash and sign the manifest. The signature key is in /key/usr2.key, its associated certificate is in /key/usr2.cert, and a certificate needed to validate the certificate is in /icerts/usr1.cert.

pkgsign -s file:///foo/bar/ -a rsa-sha384 \
    -k /key/usr2.key -c /key/usr2.cert -i /icerts/usr1.cert \
    example_pkg@1.0,5.11-0:20100626T031341Z
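
The following wrapper is an added example, not part of the pkgsign manual page. It performs the -n trial run before the real signing run, always passes -k and -c together so the signature is never only the manifest hash, and reports the documented exit values. The function names sign_checked and pkgsign_status are hypothetical.

```shell
#!/bin/sh
# Added example: trial-run-then-sign wrapper around pkgsign.
# Function names are hypothetical; only flags from this page are used.

# Map the exit values documented for pkgsign to a short label.
pkgsign_status() {
    case "$1" in
        0)  echo "ok" ;;
        1)  echo "error" ;;
        2)  echo "bad-options" ;;
        3)  echo "partial" ;;
        99) echo "unexpected-exception" ;;
        *)  echo "unknown" ;;
    esac
}

# Usage: sign_checked REPO KEY CERT PKG_FMRI_PATTERN...
sign_checked() {
    repo=$1 key=$2 cert=$3
    shift 3
    [ "$#" -gt 0 ] || { echo "no pkg_fmri_pattern given" >&2; return 2; }

    # Without -k the signature value is only the manifest hash, so insist
    # on a readable key and certificate instead of falling back silently.
    for f in "$key" "$cert"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done

    # Trial run: -n leaves the repository unchanged.
    pkgsign -n -s "$repo" -a rsa-sha256 -k "$key" -c "$cert" "$@"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "trial run failed: $(pkgsign_status "$rc")" >&2
        return "$rc"
    fi

    # Real run. Exit value 3 means only some of the requested operations
    # succeeded, so it is reported as a failure rather than ignored.
    pkgsign -s "$repo" -a rsa-sha256 -k "$key" -c "$cert" "$@"
    rc=$?
    [ "$rc" -eq 0 ] || echo "signing failed: $(pkgsign_status "$rc")" >&2
    return "$rc"
}
```
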

The command line interface of pkgsign is . The output of pkgsign is and may change at any time.

pkg(1), pkgrecv(1), pkgrepo(1), pkgsend(1), glob(3C), pkg(7)

February 17, 2022 OmniOS