1sign(8)                     System Manager's Manual                    sign(8)
2
3
4

NAME

6       sign - sign files or rpms
7
8

SYNOPSIS

10       sign [-c|-d|-r|-a] [-u user] [-h hash] [file]
11       sign -k|-p [-u user] [-h hash]
12       sign -g type expire name email
13       sign -x expire pubkey
14       sign -C pubkey
15       sign -t
16
17

DESCRIPTION

19       sign  adds  a cryptographic signature to a file. It can add a clearsign
20       signature (-c option), create a detached signature (-d option), or  add
21       a  signature  block  to a rpm package (-r option). If no mode is speci‐
22       fied, sign does a rpm sign if the file name ends in  ".rpm",  otherwise
23       it  does  a  clearsign.  If  no file name is specified, sign reads from
24       stdin and writes to stdout.
25
26       One can specify a specific user or hash  method  with  the  -u  and  -h
27       option.  Currently sign understands sha1 and sha256 hashes.
28
29       sign  does  not create signatures by itself, it needs a running signing
30       daemon (called signd) to do the work. The host and port information  is
31       read from the /etc/sign.conf file.
32
33       The -k option makes sign print the keyid instead of signing a file, the
34       -p option makes it print the public key.
35
36       New keys can be created by using the -g option. In that  case,  a  file
37       name  to store the private key needs to be provided with the -P option.
38       This private key can be used for signing by also using  the  -P  option
39       with  the  other  modes.  The pubkey of the generated key is printed to
40       stdout.
41
42       In case a SSL certification is also needed (e.g. for linux kernel  mod‐
43       ules),  the  key  can  be  converted  to  a certificate by using the -C
44       option.
45
46       The expire time of existing keys can be extended with the -x option.
47
48

OTHER OPTIONS

50       In some cases it it useful to specify the signature time. This  can  be
51       done with the -T option.
52
53       The  -S  option  specifies a checksum file, it makes sign append a line
54       containing the checksum of the signed rpms. This can be used  to  speed
55       up repository metadata generation.
56
57
58       -t     Ping signd. If ping was successful, return exit code 0.
59
60       -v     Verbose mode
61
62       -T     <unixtime>
63               Explicit  sign  time. If RPM mode used (-r) also accepts string
64              "buildtime"
65
66
67
68              Signature modes
69
70        Requires private key (-P) or user (-u) with  key  in  the  signd  root
71       keyring.
72
73       -c     <file>
74               Create clearsign
75
76       -r     <file>
77               Sign RPM package
78
79       -a     <file>
80               Sign AppImage container
81
82       -S     <path to checksumfile>
83               Usable only with -r option: writes checksums into the file
84
85
86       -d     <file>
87               Create detached sign
88
89       -D     <file>
90               Create RAW detached sign
91
92       -C     <path to pubkey>
93               Create SSL certificate
94
95       -O     <path to pubkey>
96               Create RAW SSL certificate
97
98
99              Key generation
100
101       -g     [-P <privkey>] <type> <expire> <name> <email>
102               Generate new key-pair. Where:
103               type: defined as {dsa,rsa}@{1024,2048}
104               expire: integer, days before expire
105               name: real name
106               email: email
107               Write pubkey and privke to stdout. If -P option used,
108               privkey will be written there and only pubkey goes to stdout.
109
110
111       -x     <expire> <pubkey>
112               Extend key. Requires private key (-P).
113
114
115              Query signd for key information / Common options
116
117       -k     Print the keyid of signd key-pair (root key or defined by -u)
118
119       -p     Print pubkey of signd key-pair (root key or defined by -u)
120
121       -u     Username, signd should already know about that user
122
123       -h     Hash: either sha1 or sha256
124
125
126

SECURITY

128       Unless  the  allow-unprivileged-ports  option  has been set to true for
129       signd, sign needs to bind to a reserved port, in which  case  it  works
130       only for user root or needs to be installed suid-root. If the latter is
131       the case, sign grants the users specified in the "allowuser"  lines  of
132       the configuration the right to sign files.
133
134       sign and signd are supposed to run in isolated networks only.
135
136

EXIT STATUS

138       sign  returns 0 if everything worked, otherwise it returns 1 and prints
139       an error message to stderr.
140
141

SEE ALSO

143       signd(8), sign.conf(5)
144
145
146
147                                   Apr 2007                            sign(8)
Impressum