sign.conf - Man Page

sign and signd configuration file

Synopsis

/etc/sign.conf

Description

This file holds the configuration both for the sign program and the signd daemon. Each line in the file has the format "key: value [value...]". Empty lines or lines starting with "#" are ignored.

The following keys are recognized:

server: hostname

Forward all unknown requests to the specified server.

port: port

Use the specified port number instead of the default port "5167". Also sets the proxyport.

proxyport: port

Listen on the specified port number for incoming requests.

user: user

Set a default user to use for signing.

hash: hash

Set a default hash to use for signing. The default hash is SHA1.

allow: ip subnet hostname...

Allow only connections from the specified ip addresses, subnets expressed in CIDR notation, and/or hostnames. Note that hostnames are resolved using reverse DNS lookups, so there must be reverse entries in the DNS server, and it should be secured against DNS poisoning attacks. Must be present.

gpg: path_to_gpg

Select the gpg program to use instead of "/usr/bin/gpg".

phrases: phrases_directory

Set the directory containing gpg phrases for every user. A phrase file is fed into gpg with the "--passphrase-fd=0" option.

map: [hash:]from_signuser to_signuser

Modify the signuser. This can be used to map hashes and users to unambiguous key ids.

allowuser: username|uid

Grant the user the right to sign. The sign binary must be installed suid-root for this to work. Multiple users can be specified by using multiple allowuser lines in the configuration.

allow-unprivileged-ports: true|false

Allow signd to accept connections from source ports > 1024. Defaults to false.

logfile: filename

Log requests to the specified filename instead of stdout.

gnupghome: dirname

Configures the directory for gpg to use by setting the GNUPGHOME environment variable.

use_agent: true|false

Make signd directly talk to the gpg-agent for signing instead of calling gpg. This is the default if the --files-are-digest option is not available in gpg.

keycache: dirname

Cache the result of finding the signing key for a username. This is only done if the gpg-agent is used for signing. The cache is automatically invalidated if there is a change in the gpg keyring.
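
As an added example (not part of this man page or of the sign/signd sources), a small Python parser for this file format that applies the rules stated above: blank and "#" lines are ignored, repeated allowuser lines accumulate, port also sets the proxyport unless proxyport is given, allow is mandatory, and hostname entries in allow are flagged because they depend on reverse DNS. The sample configuration and every name and address in it are constructed.

```python
import contextlib
import ipaddress

SAMPLE_CONF = """\
# signd configuration (constructed example, not a real deployment)
port: 5168
allow: 192.0.2.0/24 198.51.100.7 builder.example.internal
allowuser: obsrun
allowuser: 1001
"""

def parse_sign_conf(text):
    # Each line is 'key: value [value...]'; repeated allowuser lines accumulate.
    conf = {"allowuser": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, rest = line.partition(":")
        key, values = key.strip(), rest.split()
        if not sep or not values:
            raise ValueError(f"line {lineno}: expected 'key: value [value...]'")
        if key == "allowuser":
            conf["allowuser"].extend(values)
        elif key == "allow":
            conf["allow"] = values  # multi-valued: ips, CIDR subnets, hostnames
        elif key in ("port", "proxyport"):
            conf[key] = int(values[0])
        elif key in ("allow-unprivileged-ports", "use_agent"):
            conf[key] = values[0].lower() == "true"
        else:
            conf[key] = " ".join(values)
    return conf

def classify_allow_entry(entry):
    # 'ip', 'subnet' or 'hostname'; hostname entries depend on reverse DNS.
    for kind, parse in (("ip", ipaddress.ip_address),
                        ("subnet", lambda e: ipaddress.ip_network(e, strict=False))):
        with contextlib.suppress(ValueError):
            parse(entry)
            return kind
    return "hostname"

def effective_settings(conf):
    # Fill in the man page's defaults and enforce its 'allow must be present' rule.
    if "allow" not in conf:
        raise ValueError("'allow' must be present")
    conf.setdefault("port", 5167)  # default port from the man page
    conf.setdefault("proxyport", conf["port"])  # 'port' also sets the proxyport
    conf.setdefault("allow-unprivileged-ports", False)
    conf["hostname_entries"] = [e for e in conf["allow"] if classify_allow_entry(e) == "hostname"]
    return conf
```

A non-empty hostname_entries list is the check worth surfacing at deploy time, since those entries only hold up if the reverse DNS zone is correct and protected.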

Files

/etc/sign.conf

See Also

sign(8), signd(8)

Apr 2007