
man pages section 1: User Commands


Updated: Thursday, March 14, 2019
 
 

pkgsign(1)

Name

pkgsign - Image Packaging System signing utility

Synopsis

/usr/bin/pkgsign [-a hash_algorithm]
    [-c path_to_signing_certificate]
    [-i path_to_intermediate_cert] ...
    [-k path_to_private_key] [-n] -s path_or_uri
    [--help] [--no-index] [--no-catalog]
    (fmri|pattern) ...

Description

pkgsign updates the manifest for the given FMRIs in place in the repository by adding a signature action using the provided key and certificates. The modified package retains the original timestamp.

Options

The following options are supported:

--help

Display a usage message.

-a hash_algorithm

Use the signature algorithm hash_algorithm instead of the default. The default signature algorithm is rsa-sha256. Supported signature algorithms are rsa-sha256, rsa-sha384, rsa-sha512, sha256, sha384, and sha512. A signature algorithm that only specifies a hash algorithm causes the signature value to be the hash of the manifest of the package. A signature algorithm that specifies rsa and a hash algorithm causes the signature value to be the hash of the manifest signed with the private key provided (see the -c and -k options).

-c path_to_signing_certificate

Add the certificate path_to_signing_certificate as the certificate to use when verifying the value of the signature in the action. The -c option can only be used with the -k option.

-i path_to_intermediate_cert

Add the certificate path_to_intermediate_cert as a certificate to use when validating the certificate path_to_signing_certificate given as an argument to -c. Multiple certificates can be provided by specifying -i multiple times.

-k path_to_private_key

Use the private key stored in path_to_private_key to sign the manifest. The -k option can only be used with the -c option. If -k is not set, then the signature value is the hash of the manifest.

-n

Perform a trial run that does not change the repository in any way.

-s path_or_uri

Sign packages in the repository at path_or_uri.

--no-index

Do not update the repository search indexes after the signed manifest has been republished.

--no-catalog

Do not update the repository catalog after the signed manifest has been republished.

Examples

Example 1 Sign Using the Hash Value of the Manifest

Sign a package published to http://localhost:10000 using the hash value of the manifest. This is often useful for testing.

$ pkgsign -s http://localhost:10000 -a sha256 \
example_pkg@1.0,5.11-0:20100626T030108Z

Example 2 Sign Using a Key and Certificate

Sign a package published into the file repository in /foo/bar using rsa-sha384 to hash and sign the manifest. The signature key is in /key/usr2.key, its associated certificate is in /key/usr2.cert, and a certificate needed to validate the certificate is in /icerts/usr1.cert.

$ pkgsign -s file:///foo/bar/ -a rsa-sha384 \
-k /key/usr2.key -c /key/usr2.cert -i /icerts/usr1.cert \
example_pkg@1.0,5.11-0:20100626T031341Z
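
Because the signature value is only the hash of the manifest when -k is not set, a signing job that loses its key path can quietly produce hash-only signatures. The following pre-flight wrapper is an added example, not part of pkgsign or the IPS project's code; it fails closed in that case and performs a -n trial run before signing. The function names, the PKGSIGN and ALLOW_HASH_ONLY variables, and the refusal policy are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped with pkgsign).
# check_sign_request ALGORITHM KEY_PATH CERT_PATH
# Returns 0 if the request is acceptable, otherwise prints a reason on
# stderr and returns 2 (the status pkgsign documents for invalid options).
# Sets the global variable "kind" to "rsa" or "hash".
check_sign_request() {
    alg=$1 key=$2 cert=$3
    case $alg in
        rsa-sha256|rsa-sha384|rsa-sha512) kind=rsa ;;
        sha256|sha384|sha512)             kind=hash ;;
        *) echo "unsupported signature algorithm: $alg" >&2; return 2 ;;
    esac
    # -k and -c can only be used together.
    case "${key:+k}${cert:+c}" in
        kc) pair=yes ;;
        '') pair=no ;;
        *)  echo "-k and -c can only be used together" >&2; return 2 ;;
    esac
    # Policy of this example: never let an rsa-* request degrade to a hash.
    if [ "$kind" = rsa ] && [ "$pair" = no ]; then
        echo "$alg requested without a key and certificate" >&2; return 2
    fi
    if [ "$kind" = hash ] && [ "$pair" = yes ]; then
        echo "$alg is hash-only but a key was supplied; refusing" >&2; return 2
    fi
    # Hash-only signing is for test repositories; require an explicit opt-in.
    if [ "$kind" = hash ] && [ "${ALLOW_HASH_ONLY:-0}" != 1 ]; then
        echo "hash-only signing disabled (set ALLOW_HASH_ONLY=1)" >&2
        return 2
    fi
    return 0
}

# sign_pkg REPO ALGORITHM KEY_PATH CERT_PATH FMRI
# Validates the request, does a trial run with -n, then signs for real.
sign_pkg() {
    repo=$1 alg=$2 key=$3 cert=$4 fmri=$5
    check_sign_request "$alg" "$key" "$cert" || return $?
    set -- -s "$repo" -a "$alg"
    if [ "$kind" = rsa ]; then
        set -- "$@" -k "$key" -c "$cert"
    fi
    "${PKGSIGN:-/usr/bin/pkgsign}" -n "$@" "$fmri" &&
    "${PKGSIGN:-/usr/bin/pkgsign}" "$@" "$fmri"
}
```

Source the file and call sign_pkg with the arguments from Example 2; pass empty strings for the key and certificate together with ALLOW_HASH_ONLY=1 to reproduce Example 1 against a test repository.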

Exit Status

The following exit values are returned:

0

Command succeeded.

1

An error occurred.

2

Invalid command line options were specified.

3

Multiple operations were requested, but only some of them succeeded.

99

An unanticipated exception occurred.

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE          ATTRIBUTE VALUE
Availability            package/pkg
Interface Stability     Uncommitted

See Also

pkg(1), pkgrecv(1), pkgsend(1), pkgrepo(1), pkg(7)

https://github.com/oracle/solaris-ips