A manifest can carry multiple independent signatures. A signature can be added or removed without invalidating the other signatures already present. This makes pkgsign useful for production handoffs: each stage in the path can add its own signature to record that its step is complete, and a later stage can remove earlier signatures whenever that is appropriate. See the pkgsign(1) man page for a description of the pkgsign command's options and for examples of its use.
Take the following two steps to sign a package. The second step can be performed as many times as needed, adding multiple signatures.
Publish the package unsigned to a repository as shown in Publish the Package.
Use the pkgsign command to append a signature action to the manifest in the repository, as shown in Sign the Package. Apart from the added signature action, the package is unaltered, including its time stamp. Signing should be the last step of package development before the package is tested, because any later change to the package requires republishing it, which invalidates the signature.
The pkgsign command enables someone other than the package publisher to add a signature action to the package without invalidating the original publisher’s signature. Republishing a package creates a new time stamp and invalidates the original signature. With the pkgsign command, the QA department, for example, could sign all packages that are installed internally to indicate that they have been approved for use without republishing the packages.
Signature actions that carry variants are ignored. Because pkgmerge tags the actions that differ between its input manifests with variant attributes, and the signature actions of two manifests always differ, performing a pkgmerge on a pair of manifests invalidates any signatures that were previously applied. Sign the merged package afterwards, not its inputs.
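The two-step procedure above (publish unsigned, then sign with pkgsign) and the variant caveat, as an added example that is not code from the IPS project or the Solaris documentation. The repository path, the key and certificate file names and the package FMRI are placeholders, and the manifest text at the end is constructed for the demonstration. The signature check treats a signature action with a variant.* attribute the way the client does, as no signature at all.

```shell
#!/bin/sh
# Added example for this page, not code from the IPS project or the Solaris docs.
# Repository path, key and certificate file names and the package FMRI are
# placeholders; the manifest text below is constructed for the demonstration.

# Steps of the procedure: publish unsigned, then let pkgsign append signature
# actions in place. pkgsign does not republish, so the time stamp and every other
# action in the manifest are left exactly as published.
sign_package() {
    repo="$1"; manifest="$2"; fmri="$3"
    pkgsend publish -s "$repo" "$manifest"                     # unsigned publish
    pkgsign -s "$repo" -k dev-key.pem -c dev-cert.pem "$fmri"  # developer's signature
    pkgsign -s "$repo" -k qa-key.pem -c qa-cert.pem "$fmri"    # QA's independent signature
}

# Count the signature actions in manifest text read from stdin. Prints two numbers:
# valid signature actions, and signature actions carrying a variant.* attribute,
# which the client ignores (the pkgmerge case). Output: "<valid> <ignored>".
count_signatures() {
    awk '
        $1 != "signature"        { next }
        /[[:space:]]variant\./   { ignored++; next }
                                 { valid++ }
        END { printf "%d %d\n", valid + 0, ignored + 0 }
    '
}

# The same check against a published package, reading its manifest from the repository.
check_repo_signatures() {
    repo="$1"; fmri="$2"
    pkg contents -m -g "$repo" "$fmri" | count_signatures
}

# Constructed manifest: one file action, two valid signatures (developer and QA),
# and one signature action that a pkgmerge has tagged with a variant.
SAMPLE_MANIFEST='set name=pkg.fmri value=pkg://example/web/app@1.0,5.11-0:20240101T000000Z
set name=pkg.summary value="Example web application"
file 1234abcd1234abcd path=usr/bin/app owner=root group=bin mode=0555
signature 0a0b0c0d algorithm=rsa-sha256 value=MEUCIQDdev version=0
signature 1a1b1c1d algorithm=rsa-sha256 value=MEUCIQDqa version=0
signature 2a2b2c2d algorithm=rsa-sha256 value=MEUCIQDold version=0 variant.arch=i386'

# Stand-alone run on the constructed manifest: prints "2 1".
printf '%s\n' "$SAMPLE_MANIFEST" | count_signatures
```

Against a real repository, `sign_package /var/repo app.p5m pkg:/web/app@1.0` followed by `check_repo_signatures /var/repo web/app` should report two valid signatures and no ignored ones; a non-zero second number after a pkgmerge is the signal that the merged package still needs to be signed.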