User Commands pkgsign(1)
NAME
pkgsign - image packaging system signing utility
SYNOPSIS
/usr/bin/pkgsign [-a hash_algorithm] [-c path_to_signing_certificate]
[-i path_to_intermediate_cert] ... [-k path_to_private_key]
[-s src_uri] [--help] [--no-index] [--no-catalog] [--sign-all |
fmri_with_timestamp ...]
DESCRIPTION
pkgsign updates the manifest for the given fmri(s) in place in the
repository by adding a signature action using the provided key and
certificates. The package modified will retain the original timestamp.
OPTIONS
The following options are supported:

With -a, use the signature algorithm provided instead of the default,
which is rsa-sha256. The following are the currently supported signature
algorithms: rsa-sha256, rsa-sha384, rsa-sha512, sha256, sha384, sha512.
A signature algorithm which only specifies a hash algorithm will cause
the signature value to be the hash of the manifest of the package. A
signature algorithm which specifies rsa and a hash algorithm will cause
the signature value to be the hash of the manifest signed with the
private key provided (see the -c and -k options).

With -c, add the certificate provided as the certificate to use when
verifying the value of the signature in the action. It can only be used
if -k is also used.

With -i, add the certificate provided as a certificate to use when
validating the certificate given as an argument to -c. Multiple
certificates may be provided by using -i multiple times.

With -k, use the private key stored in the given path to sign the
manifest. It can only be used if -c is also used. If -k is not set,
then the signature value will be the hash of the manifest.

With -s, sign packages in the repository at the given URI.

With --help, show the usage information for the command.

With --no-index, tell the repository not to update the search indices
after the signed manifest has been republished.

With --no-catalog, tell the repository not to update the catalog after
the signed manifest has been republished.

With --sign-all, sign all the packages in the repository.
EXAMPLES
Example 1: Sign a package published to http://localhost:10000 using the
hash value of the manifest. This is often useful for testing.

$ pkgsign -s http://localhost:10000 -a sha256 \
    example_pkg@1.0,5.11-0:20100626T030108Z

Example 2: Sign a package published into the file repository in /foo/bar
using rsa-sha384 to hash and sign the manifest, the key in /key/usr2.key,
its associated certificate in /key/usr2.cert, and a certificate needed to
validate the certificate in /icerts/usr1.cert.

$ pkgsign -s file:///foo/bar/ -a rsa-sha384 -k /key/usr2.key \
    -c /key/usr2.cert -i /icerts/usr1.cert \
    example_pkg@1.0,5.11-0:20100626T031341Z
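
The option rules in OPTIONS (-c and -k only together, rsa-* algorithms needing a key, hash-only values involving no key) can be checked before pkgsign is run against a repository. This is an added example, not part of pkgsign or of the original page; the function name pkgsign_preflight, the ALLOW_HASH_ONLY variable, the rejection of a hash-only algorithm combined with -k, and the key-file permission rule are assumptions of the example.

```shell
# Added example, not part of pkgsign: vet a pkgsign argument list before use.
# Returns 0 = acceptable, 2 = rejected. ALLOW_HASH_ONLY and the key-file
# permission rule are this example's own policy (assumptions).
pkgsign_preflight() {
    alg=rsa-sha256 key= cert=          # rsa-sha256 is the documented default
    while [ $# -gt 0 ]; do
        case $1 in
            -a|-c|-i|-k|-s)
                [ $# -ge 2 ] || { echo "missing argument to $1" >&2; return 2; }
                case $1 in -a) alg=$2 ;; -c) cert=$2 ;; -k) key=$2 ;; esac
                shift 2 ;;
            --*) shift ;;              # --no-index, --no-catalog, --sign-all
            *) break ;;                # first FMRI: options are finished
        esac
    done
    case $alg in
        rsa-sha256|rsa-sha384|rsa-sha512) kind=rsa ;;
        sha256|sha384|sha512) kind=hash ;;
        *) echo "unsupported algorithm: $alg" >&2; return 2 ;;
    esac
    # -c and -k are only valid together.
    if [ -n "$key$cert" ] && { [ -z "$key" ] || [ -z "$cert" ]; }; then
        echo "-k and -c must be given together" >&2; return 2
    fi
    if [ "$kind" = rsa ] && [ -z "$key" ]; then
        echo "$alg needs -k and -c" >&2; return 2
    fi
    if [ "$kind" = hash ]; then
        # The value is only the manifest hash: no key is involved, so it
        # cannot show who published the package.
        [ -z "$key" ] || { echo "hash-only $alg given with -k; use rsa-$alg" >&2; return 2; }
        [ "${ALLOW_HASH_ONLY:-0}" = 1 ] && return 0
        echo "hash-only signing is reserved for test repositories" >&2; return 2
    fi
    # The private key must be a regular file with no group/other access bits.
    [ -f "$key" ] || { echo "no such key file: $key" >&2; return 2; }
    case $(ls -ldL "$key") in
        -???------*) return 0 ;;
        *) echo "key file $key is accessible to group or other" >&2; return 2 ;;
    esac
}
```

Call it with the same arguments intended for pkgsign and run pkgsign only when it returns 0.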
EXIT STATUS
The following exit values are returned:

0 Command succeeded.
1 An error occurred.
2 Invalid command line options were specified.
3 Multiple operations were requested, but only some of them succeeded.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
____________________________________________________________
| ATTRIBUTE TYPE              | ATTRIBUTE VALUE             |
|_____________________________|_____________________________|
| Availability                | pkg:/package/pkg            |
|_____________________________|_____________________________|
| Interface Stability         | None / Under Development    |
|_____________________________|_____________________________|
SEE ALSO
pkg(1), pkgrecv(1), pkgsend(1), pkgrepo(1M), pkg(5)
NOTES
The image packaging system is an under-development feature.
Command names, invocation, formats, and operations are all subject to
change. Development is hosted in the OpenSolaris community at:
http://hub.opensolaris.org/bin/view/Project+pkg/