sign(8) System Manager's Manual sign(8)

NAME
sign - sign files or rpms

SYNOPSIS
sign [-c|-d|-r|-a] [-u user] [-h hash] [file]
sign -k|-p [-u user] [-h hash]
sign -g type expire name email
sign -x expire pubkey
sign -C pubkey
sign -t

DESCRIPTION
sign adds a cryptographic signature to a file. It can add a clearsign
signature (-c option), create a detached signature (-d option), or add
a signature block to an rpm package (-r option). If no mode is
specified, sign does an rpm sign if the file name ends in ".rpm";
otherwise it does a clearsign. If no file name is specified, sign reads
from stdin and writes to stdout.

A specific user or hash method can be selected with the -u and -h
options. Currently sign understands sha1 and sha256 hashes.

sign does not create signatures by itself; it needs a running signing
daemon (called signd) to do the work. The host and port information is
read from the /etc/sign.conf file.

The -k option makes sign print the keyid instead of signing a file; the
-p option makes it print the public key.

New keys can be created with the -g option. In that case, a file name
to store the private key needs to be provided with the -P option. This
private key can then be used for signing by passing the -P option with
the other modes. The pubkey of the generated key is printed to stdout.

In case an SSL certificate is also needed (e.g. for Linux kernel
modules), the key can be converted to a certificate with the -C option.

The expire time of existing keys can be extended with the -x option.

In some cases it is useful to specify the signature time. This can be
done with the -T option.

The -S option specifies a checksum file; it makes sign append a line
containing the checksum of each signed rpm. This can be used to speed
up repository metadata generation.

-t Ping signd. If the ping was successful, return exit code 0.

-v Verbose mode

-T <unixtime>
Explicit sign time. In RPM mode (-r) also accepts the string
"buildtime"

Signature modes

Requires a private key (-P) or a user (-u) with a key in the signd root
keyring.

-c <file>
Create clearsign signature

-r <file>
Sign RPM package

-a <file>
Sign AppImage container

-S <path to checksumfile>
Usable only with the -r option: writes checksums into the file

-d <file>
Create detached signature

-D <file>
Create RAW detached signature

-C <path to pubkey>
Create SSL certificate

-O <path to pubkey>
Create RAW SSL certificate

Key generation

-g [-P <privkey>] <type> <expire> <name> <email>
Generate a new key-pair, where:
type: one of {dsa,rsa}@{1024,2048}
expire: integer, days until expiry
name: real name
email: email address
Writes pubkey and privkey to stdout. If the -P option is used, the
privkey is written there and only the pubkey goes to stdout.

-x <expire> <pubkey>
Extend key expiry. Requires the private key (-P).

Query signd for key information / Common options

-k Print the keyid of the signd key-pair (root key or the one defined by -u)

-p Print the pubkey of the signd key-pair (root key or the one defined by -u)

-u Username; signd should already know about that user

-h Hash: either sha1 or sha256

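The documented default mode selection and the -t, -u, -h and -S options, put together as an added batch wrapper that is not part of obs-sign; it assumes a sign binary in PATH (the SIGN variable overrides the path) and a user that signd already knows:

```shell
#!/bin/sh
# Added example, not part of obs-sign: a batch wrapper around sign(8) that
# follows the behaviour documented above. It pings signd first (-t), picks
# -r for *.rpm and -c for everything else (the documented default), pins the
# hash to sha256 with -h, and collects rpm checksums with -S (valid with -r
# only). Assumed: a sign binary in PATH; override with SIGN=/path/to/sign.
SIGN=${SIGN:-sign}

# sign_mode FILE [MODE]: print the mode letter to use. An explicit mode wins;
# otherwise "r" for names ending in .rpm and "c" (clearsign) for the rest.
sign_mode() {
    case "${2:-auto}" in
        auto)    case "$1" in *.rpm) echo r ;; *) echo c ;; esac ;;
        c|d|r|a) echo "$2" ;;
        *)       echo "sign_mode: unsupported mode '$2'" >&2; return 1 ;;
    esac
}

# sign_batch USER CHECKSUMFILE FILE...: sign each file as USER, appending rpm
# checksums to CHECKSUMFILE. Returns 2 if signd does not answer the ping,
# 1 on the first signing failure, 0 when every file was signed.
sign_batch() {
    user=$1 sums=$2
    shift 2
    "$SIGN" -t || { echo "sign_batch: signd not reachable" >&2; return 2; }
    for f in "$@"; do
        mode=$(sign_mode "$f") || return 1
        if [ "$mode" = r ]; then
            "$SIGN" -r -u "$user" -h sha256 -S "$sums" "$f"
        else
            "$SIGN" "-$mode" -u "$user" -h sha256 "$f"
        fi || { echo "sign_batch: signing $f failed" >&2; return 1; }
    done
}

# Usage (constructed paths): sign_batch builder /srv/repo/CHECKSUMS *.rpm README
```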
Unless the allow-unprivileged-ports option has been set to true for
signd, sign needs to bind to a reserved port, in which case it works
only for user root or needs to be installed suid-root. If the latter is
the case, sign grants the users specified in the "allowuser" lines of
the configuration the right to sign files.

sign and signd are supposed to run in isolated networks only.

sign returns 0 if everything worked; otherwise it returns 1 and prints
an error message to stderr.

SEE ALSO
signd(8), sign.conf(5)

Apr 2007 sign(8)