sign man page

sign - sign files or rpms

Synopsis

sign [-c|-d|-D|-r|-a] [-u user|-P privkey] [-h hash] [-T time] [-S checksumfile] [file]
sign -k|-p [-u user] [-h hash]
sign -g [-P privkey] type expire name email
sign -x -P privkey expire pubkey
sign -C|-O pubkey
sign -t

Description

sign adds a cryptographic signature to a file. It can add a clearsign signature (-c option), create a detached signature (-d option), add a signature block to an rpm package (-r option), or sign an AppImage container (-a option). If no mode is specified, sign signs the file as an rpm if its name ends in ".rpm" and otherwise creates a clearsign signature. If no file name is specified, sign reads from stdin and writes to stdout.

A specific user or hash method can be selected with the -u and -h options. Currently sign understands the sha1 and sha256 hashes. sha1 is only kept for old consumers that cannot verify anything else; use sha256 for new signatures.

sign does not create signatures by itself, it needs a running signing daemon (called signd) to do the work. The host and port information is read from the /etc/sign.conf file.

The -k option makes sign print the keyid instead of signing a file, the -p option makes it print the public key.

New keys can be created by using the -g option. In that case, a file name to store the private key needs to be provided with the -P option. This private key can be used for signing by also using the -P option with the other modes. The pubkey of the generated key is printed to stdout.

If an SSL certificate is also needed (e.g. for signing Linux kernel modules), the public key can be converted into a certificate with the -C option (-O produces the raw certificate).

The expire time of existing keys can be extended with the -x option.

Other Options

In some cases it is useful to specify the signature time explicitly. This can be done with the -T option.

The -S option specifies a checksum file; it makes sign append a line containing the checksum of each signed rpm. This can be used to speed up repository metadata generation.

-t

Ping signd. If the ping was successful, return exit code 0.

-v

Verbose mode

-T

<unixtime>
Explicit signature time. In RPM mode (-r) the string "buildtime" is also accepted.

Signature modes
All of the following require a private key (-P) or a user (-u) whose key is in the signd root keyring.
-c

<file>
Create clearsign signature

-r

<file>
Sign RPM package

-a

<file>
Sign AppImage container

-S

<path to checksumfile>
Usable only with the -r option: writes the checksums of the signed rpms into the file

-d

<file>
Create detached signature

-D

<file>
Create raw detached signature

-C

<path to pubkey>
Create SSL certificate

-O

<path to pubkey>
Create raw SSL certificate

Key generation

-g

[-P <privkey>] <type> <expire> <name> <email>
Generate a new key pair, where:
type: algorithm and key size in the form {dsa,rsa}@{1024,2048}, e.g. rsa@2048
expire: integer, number of days until the key expires
name: real name
email: email address
Writes the pubkey and privkey to stdout. If the -P option is used,
the privkey is written to that file and only the pubkey goes to stdout.

-x

<expire> <pubkey>
Extend the expire time of an existing key. Requires the private key (-P).

Query signd for key information / Common options

-k

Print the keyid of the signd key pair (the root key, or the key of the user given with -u)

-p

Print the pubkey of the signd key pair (the root key, or the key of the user given with -u)

-u

<user>
Username; signd must already know this user

-h

Hash: either sha1 or sha256

Security

Unless the allow-unprivileged-ports option has been set to true for signd, sign needs to bind to a reserved source port (below 1024), which works only for user root unless sign is installed suid-root. If it is installed suid-root, sign grants the users listed in the "allowuser" lines of the configuration the right to sign files; all other users are refused.

sign and signd are supposed to run in isolated networks only.
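The reserved-port rule above is the whole of the client-side trust signd can rely on, which is why sign must run as root (or suid-root) and why both programs belong on an isolated network only. The following is an added example, not code from the sign/signd project: a small model of the check a daemon applies to the peer's TCP source port. It assumes signd trusts a peer only when its source port is below 1024 unless allow-unprivileged-ports is set; the one-line request and reply framing is invented for the demonstration and is not signd's wire protocol.

```python
# Added example (not obs-sign code): model of the reserved-port trust check
# described in the Security section. Assumption: the daemon trusts a peer only
# when its TCP source port is below 1024, unless allow-unprivileged-ports is
# set. The request/reply framing is invented for the demo.
import socket
import threading

RESERVED_PORT_LIMIT = 1024   # binding a port below this needs root (or suid-root)


def peer_trusted(peer_port, allow_unprivileged_ports=False):
    """Decision the daemon makes about an incoming connection."""
    return allow_unprivileged_ports or peer_port < RESERVED_PORT_LIMIT


def serve_one(listener, allow_unprivileged_ports, verdicts):
    """Accept one connection, apply the port check, and answer it."""
    conn, (_peer_host, peer_port) = listener.accept()
    with conn:
        conn.recv(64)  # the request body is irrelevant to the check
        if peer_trusted(peer_port, allow_unprivileged_ports):
            verdict = "ok"
        else:
            verdict = "denied: source port %d is not reserved" % peer_port
        conn.sendall(verdict.encode())
    verdicts.append(verdict)


def probe(allow_unprivileged_ports=False, source_port=0):
    """Start a throwaway model daemon on 127.0.0.1, connect to it from
    source_port and return the daemon's reply. source_port=0 lets the kernel
    pick an ephemeral port (always >= 1024), which is all an unprivileged
    client can get; binding a port below 1024 requires root."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    verdicts = []
    server = threading.Thread(target=serve_one,
                              args=(listener, allow_unprivileged_ports, verdicts))
    server.start()
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client:
            client.bind(("127.0.0.1", source_port))
            client.connect(listener.getsockname())
            client.sendall(b"sign request")
            reply = client.recv(128).decode()
    finally:
        server.join()
        listener.close()
    return reply


if __name__ == "__main__":
    print(probe(allow_unprivileged_ports=False))  # starts with "denied:"
    print(probe(allow_unprivileged_ports=True))   # ok
```

Run as an ordinary user, the first probe is refused because the kernel only hands out ephemeral ports above 1023; the second succeeds only because the daemon was told to ignore the port. The check proves nothing more than "root on some host opened this connection": any root on any machine that can reach the port can bind a reserved port, so it is only meaningful on an isolated network, and allow-unprivileged-ports removes even that much.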

Exit Status

sign returns 0 if everything worked, otherwise it returns 1 and prints an error message to stderr.

See Also

signd(8), sign.conf(5)


Apr 2007