pkgsign - Image Packaging System signing utility
/usr/bin/pkgsign [-a hash_algorithm] [-c path_to_signing_certificate] [-i path_to_intermediate_cert] ... [-k path_to_private_key] [-n] -s path_or_uri [--help] [--no-index] [--no-catalog] (fmri|pattern) ...
pkgsign updates the manifest for the given FMRIs in place in the repository by adding a signature action using the provided key and certificates. The modified package retains the original timestamp.
The following options are supported:
Display a usage message.
Use the signature algorithm hash_algorithm instead of the default. The default signature algorithm is rsa-sha256. Supported signature algorithms are rsa-sha256, rsa-sha384 , rsa-sha512, sha256, sha384 , and sha512. A signature algorithm that only specifies a hash algorithm causes the signature value to be the hash of the manifest of the package. A signature algorithm that specifies rsa and a hash algorithm causes the signature value to be the hash of the manifest signed with the private key provided (see the –c and –k options).
Add the certificate path_to_signing_certificate as the certificate to use when verifying the value of the signature in the action. The –c option can only be used with the –k option.
Add the certificate path_to_intermediate_cert as a certificate to use when validating the certificate path_to_signing_certificate given as an argument to –c. Multiple certificates can be provided by specifying –i multiple times.
Use the private key stored in path_to_private_key to sign the manifest. The –k option can only be used with the – c option. If –k is not set, then the signature value is the hash of the manifest.
Perform a trial run that does not change the repository in any way.
Sign packages in the repository at path_or_uri.
Do not update the repository search indexes after the signed manifest has been republished.
Do not update the repository catalog after the signed manifest has been republished.
Sign a package published to http://localhost:10000 using the hash value of the manifest. This is often useful for testing.
$ pkgsign -s http://localhost:10000 -a sha256 \ email@example.com,5.11-0:20100626T030108ZExample 2 Sign Using a Key and Certificate
Sign a package published into the file repository in /foo/bar using rsa-sha384 to hash and sign the manifest. The signature key is in /key/usr2.key, its associated certificate is in /key/usr2.cert , and a certificate needed to validate the certificate is in /icerts/usr1.cert .
$ pkgsign -s file:///foo/bar/ -a rsa-sha384 \ -k /key/usr2.key -c /key/usr2.cert -i /icerts/usr1.cert \ firstname.lastname@example.org,5.11-0:20100626T031341Z
The following exit values are returned:
An error occurred.
Invalid command line options were specified.
Multiple operations were requested, but only some of them succeeded.
An unanticipated exception occurred.
See attributes(7) for descriptions of the following attributes: