1sign(8) System Manager's Manual sign(8)
2
3
4
6 sign - sign files or rpms
7
8
10 sign [-c|-d|-r|-a] [-u user] [-h hash] [file]
11 sign -k|-p [-u user] [-h hash]
12 sign -g type expire name email
13 sign -x expire pubkey
14 sign -C pubkey
15 sign -t
16
17
19 sign adds a cryptographic signature to a file. It can add a clearsign
20 signature (-c option), create a detached signature (-d option), or add
21 a signature block to a rpm package (-r option). If no mode is speci‐
22 fied, sign does a rpm sign if the file name ends in ".rpm", otherwise
23 it does a clearsign. If no file name is specified, sign reads from
24 stdin and writes to stdout.
25
26 One can specify a specific user or hash method with the -u and -h
27 option. Currently sign understands sha1 and sha256 hashes.
28
29 sign does not create signatures by itself, it needs a running signing
30 daemon (called signd) to do the work. The host and port information is
31 read from the /etc/sign.conf file.
32
33 The -k option makes sign print the keyid instead of signing a file, the
34 -p option makes it print the public key.
35
36 New keys can be created by using the -g option. In that case, a file
37 name to store the private key needs to be provided with the -P option.
38 This private key can be used for signing by also using the -P option
39 with the other modes. The pubkey of the generated key is printed to
40 stdout.
41
42 In case a SSL certification is also needed (e.g. for linux kernel mod‐
43 ules), the key can be converted to a certificate by using the -C
44 option.
45
46 The expire time of existing keys can be extended with the -x option.
47
48
50 In some cases it it useful to specify the signature time. This can be
51 done with the -T option.
52
53 The -S option specifies a checksum file, it makes sign append a line
54 containing the checksum of the signed rpms. This can be used to speed
55 up repository metadata generation.
56
57
58 -t Ping signd. If ping was successful, return exit code 0.
59
60 -v Verbose mode
61
62 -T <unixtime>
63 Explicit sign time. If RPM mode used (-r) also accepts string
64 "buildtime"
65
66
67
68 Signature modes
69
70 Requires private key (-P) or user (-u) with key in the signd root
71 keyring.
72
73 -c <file>
74 Create clearsign
75
76 -r <file>
77 Sign RPM package
78
79 -a <file>
80 Sign AppImage container
81
82 -S <path to checksumfile>
83 Usable only with -r option: writes checksums into the file
84
85
86 -d <file>
87 Create detached sign
88
89 -D <file>
90 Create RAW detached sign
91
92 -C <path to pubkey>
93 Create SSL certificate
94
95 -O <path to pubkey>
96 Create RAW SSL certificate
97
98
99 Key generation
100
101 -g [-P <privkey>] <type> <expire> <name> <email>
102 Generate new key-pair. Where:
103 type: defined as {dsa,rsa}@{1024,2048}
104 expire: integer, days before expire
105 name: real name
106 email: email
107 Write pubkey and privke to stdout. If -P option used,
108 privkey will be written there and only pubkey goes to stdout.
109
110
111 -x <expire> <pubkey>
112 Extend key. Requires private key (-P).
113
114
115 Query signd for key information / Common options
116
117 -k Print the keyid of signd key-pair (root key or defined by -u)
118
119 -p Print pubkey of signd key-pair (root key or defined by -u)
120
121 -u Username, signd should already know about that user
122
123 -h Hash: either sha1 or sha256
124
125
126
128 sign needs to bind to a reserved port, it thus works only for user root
129 or needs to be installed suid-root. If the latter is the case, sign
130 grants the users specified in the "allowuser" lines of the configura‐
131 tion the right to sign files.
132
133 sign and signd are supposed to run in isolated networks only.
134
135
137 sign returns 0 if everything worked, otherwise it returns 1 and prints
138 an error message to stderr.
139
140
142 signd(8), sign.conf(5)
143
144
145
146 Apr 2007 sign(8)