man pages section 1: User Commands


Updated: July 2014



pkgsign - Image Packaging System signing utility


/usr/bin/pkgsign [-a hash_algorithm]
    [-c path_to_signing_certificate]
    [-i path_to_intermediate_cert] ...
    [-k path_to_private_key] [-n] -s path_or_uri
    [--help] [--no-index] [--no-catalog]
    (fmri|pattern) ...


pkgsign updates the manifest for the given FMRIs in place in the repository by adding a signature action using the provided key and certificates. The modified package retains the original timestamp.


The following options are supported:


--help

Display a usage message.

-a hash_algorithm

Use the signature algorithm hash_algorithm instead of the default. The default signature algorithm is rsa-sha256. Supported signature algorithms are rsa-sha256, rsa-sha384, rsa-sha512, sha256, sha384, and sha512. A signature algorithm that only specifies a hash algorithm causes the signature value to be the hash of the manifest of the package. A signature algorithm that specifies rsa and a hash algorithm causes the signature value to be the hash of the manifest signed with the private key provided (see the -c and -k options).

-c path_to_signing_certificate

Add the certificate path_to_signing_certificate as the certificate to use when verifying the value of the signature in the action. The -c option can only be used with the -k option.

-i path_to_intermediate_cert

Add the certificate path_to_intermediate_cert as a certificate to use when validating the certificate path_to_signing_certificate given as an argument to -c. Multiple certificates can be provided by specifying -i multiple times.

-k path_to_private_key

Use the private key stored in path_to_private_key to sign the manifest. The -k option can only be used with the -c option. If -k is not set, then the signature value is the hash of the manifest.


-n

Perform a trial run that does not change the repository in any way.

-s path_or_uri

Sign packages in the repository at path_or_uri.


--no-index

Do not update the repository search indexes after the signed manifest has been republished.


--no-catalog

Do not update the repository catalog after the signed manifest has been republished.
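
The option rules above (-c and -k are only valid together, rsa-* algorithms sign with the private key, hash-only algorithms carry just the manifest hash) can be checked before pkgsign is called. The shell function below is an added example, not part of this manual page or of the IPS code; the function name, the ALLOW_HASH_ONLY variable and the rule that the key file has no group or other permission bits are assumptions of the example.

```shell
#!/bin/sh
# Added example: policy check to run before calling pkgsign.
# Usage: pkgsign_preflight ALGORITHM [KEY_PATH [CERT_PATH]]
# Returns 0 when the combination may be signed, 1 otherwise.
pkgsign_preflight() {
    alg=$1 key=${2:-} cert=${3:-}

    case $alg in
        rsa-sha256|rsa-sha384|rsa-sha512) need_key=1 ;;
        sha256|sha384|sha512)             need_key=0 ;;
        *) echo "reject: unsupported signature algorithm '$alg'"; return 1 ;;
    esac

    # -k and -c are only valid together.
    if [ -n "$key" ] && [ -z "$cert" ]; then
        echo "reject: -k given without -c"; return 1
    fi
    if [ -z "$key" ] && [ -n "$cert" ]; then
        echo "reject: -c given without -k"; return 1
    fi

    if [ "$need_key" -eq 0 ]; then
        if [ -n "$key" ]; then
            echo "reject: $alg is hash-only but a key was given"; return 1
        fi
        # A bare manifest hash can be recomputed by anyone, so it is
        # accepted only when explicitly allowed (assumed policy switch).
        if [ "${ALLOW_HASH_ONLY:-0}" != 1 ]; then
            echo "reject: $alg carries no key-backed signature"; return 1
        fi
        echo "ok: $alg (hash only, test use)"; return 0
    fi

    if [ -z "$key" ]; then
        echo "reject: $alg needs -k and -c"; return 1
    fi
    if [ ! -r "$key" ] || [ ! -r "$cert" ]; then
        echo "reject: key or certificate is not readable"; return 1
    fi
    # Assumed policy: the private key has no group or other permission bits.
    perms=$(ls -ldL "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "reject: key file is accessible to group or others ($perms)"; return 1
    fi
    echo "ok: $alg with key and certificate"
}
```

A signing job can call the function with the same algorithm, key and certificate it is about to pass to pkgsign, and run pkgsign -n first only when the function returns 0.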


Example 1 Sign Using the Hash Value of the Manifest

Sign a package published to http://localhost:10000 using the hash value of the manifest. This is often useful for testing.

$ pkgsign -s http://localhost:10000 -a sha256 \

Example 2 Sign Using a Key and Certificate

Sign a package published into the file repository in /foo/bar using rsa-sha384 to hash and sign the manifest. The signature key is in /key/usr2.key, its associated certificate is in /key/usr2.cert, and a certificate needed to validate the certificate is in /icerts/usr1.cert.

$ pkgsign -s file:///foo/bar/ -a rsa-sha384 \
-k /key/usr2.key -c /key/usr2.cert -i /icerts/usr1.cert \

Exit Status

The following exit values are returned:


Command succeeded.


An error occurred.


Invalid command line options were specified.


Multiple operations were requested, but only some of them succeeded.


An unanticipated exception occurred.


See attributes(5) for descriptions of the following attributes:

Interface Stability

See also

pkg(1), pkgrecv(1), pkgsend(1), pkgrepo(1), pkg(5)