|Skip Navigation Links|
|Exit Print View|
|Image Packaging System Man Pages Oracle Solaris 11 Information Library|
- Image Packaging System signing utility
/usr/bin/pkgsign [-a hash_algorithm] [-c path_to_signing_certificate] [-i path_to_intermediate_cert] ... [-k path_to_private_key] [-n] -s path_or_uri [--help] [--no-index] [--no-catalog] (fmri|pattern) ...
pkgsign updates the manifest for the given FMRIs in place in the repository by adding a signature action using the provided key and certificates. The modified package retains the original timestamp.
The following options are supported:
With -a, use the signature algorithm hash_algorithm instead of the default. The default signature algorithm is rsa-sha256. Supported signature algorithms are rsa-sha256, rsa-sha384, rsa-sha512, sha256, sha384, and sha512. A signature algorithm that only specifies a hash algorithm causes the signature value to be the hash of the manifest of the package. A signature algorithm that specifies rsa and a hash algorithm causes the signature value to be the hash of the manifest signed with the private key provided (see the -c and -k options).
With -c, add the certificate path_to_signing_certificate as the certificate to use when verifying the value of the signature in the action. The -c option can only be used with the -k option.
With -i, add the certificate path_to_intermediate_cert as a certificate to use when validating the certificate path_to_signing_certificate given as an argument to -c. Multiple certificates can be provided by specifying -i multiple times.
With -k, use the private key stored in path_to_private_key to sign the manifest. The -k option can only be used with the -c option. If -k is not set, then the signature value is the hash of the manifest.
With -n, perform a trial run that does not change the repository in any way.
With -s, sign packages in the repository at path_or_uri.
With --help, display a usage message.
With --no-index, do not update the repository search indexes after the signed manifest has been republished.
With --no-catalog, do not update the repository catalog after the signed manifest has been republished.
Example 1 Sign Using the Hash Value of the Manifest
Sign a package published to http://localhost:10000 using the hash value of the manifest. This is often useful for testing.
$ pkgsign -s http://localhost:10000 -a sha256 \ email@example.com,5.11-0:20100626T030108Z
Example 2 Sign Using a Key and Certificate
Sign a package published into the file repository in /foo/bar using rsa-sha384 to hash and sign the manifest. The signature key is in /key/usr2.key, its associated certificate is in /key/usr2.cert, and a certificate needed to validate the certificate is in /icerts/usr1.cert.
$ pkgsign -s file:///foo/bar/ -a rsa-sha384 \ -k /key/usr2.key -c /key/usr2.cert -i /icerts/usr1.cert \ firstname.lastname@example.org,5.11-0:20100626T031341Z
The following exit values are returned:
An error occurred.
Invalid command line options were specified.
Multiple operations were requested, but only some of them succeeded.
An unanticipated exception occurred.
See attributes(5) for descriptions of the following attributes: