sign.8

.\" man page for sign
.TH sign 8 "Apr 2007"
.SH NAME
sign \- sign files or rpms

.SH SYNOPSIS
.B sign
.RB [ -c | -d | -r | -a ]
.RB [ -u
.IR user ]
.RB [ -h
.IR hash ]
.RI [ file ]
.br
.B sign
.BR -k | -p
.RB [ -u
.IR user ]
.RB [ -h
.IR hash ]
.br
.B sign
.BR -g
.I type
.I expire
.I name 
.I email
.br
.B sign
.BR -x
.I expire
.I pubkey
.br
.B sign
.BR -C
.I pubkey
.br
.B sign
.B -t

.SH DESCRIPTION
sign adds a cryptographic signature to a file. It can add a clearsign signature
(-c option), create a detached signature (-d option), or add a signature block
to a rpm package (-r option). If no mode is specified, sign does a rpm sign
if the file name ends in ".rpm", otherwise it does a clearsign. If no
file name is specified, sign reads from stdin and writes to stdout.

One can specify a specific user or hash method with the -u and -h option.
Currently sign understands sha1, sha256, and sha512 hashes.

sign does not create signatures by itself, it needs a running signing
daemon (called signd) to do the work. The host and port information is read
from the /etc/sign.conf file.

The -k option makes sign print the keyid instead of signing a file, the
-p option makes it print the public key.

New keys can be created by using the -g option. In that case, a file name
to store the private key needs to be provided with the -P option. This
private key can be used for signing by also using the -P option with the
other modes. The pubkey of the generated key is printed to stdout.

In case a X509 certificate
is needed (e.g. for linux kernel modules), the key can be converted to
a (self-signed) certificate by using the -C option.

The expire time of existing keys can be extended with the -x option.


.SH SIGNING MODES
.TP
.B \-c
Clearsign
.TP
.B \-r
Sign RPM package
.TP
.B \-d
Create a detached gpg signature
.TP
.B \-D
Create a unarmored detached gpg signature
.TP
.B \-O
Create a raw X509 signature. Enforces RSA unless the -A option is used.
.TP
.B \-a
Sign AppImage container
.TP
.B \-\-appx
Sign a windows appx container
.TP
.B \-\-pesign
Sign a PE/COFF file
.TP
.B \-\-kosign
Sign a linux kernel object
.TP
.B \-\-cmssign
Create a detached pkcs7/CMS signature


.SH COMMON OPTIONS
In some cases it it useful to specify the signature time. This can be done
with the -T option.

The -S option specifies a checksum file, it makes sign append a line containing
the checksum of the signed rpms. This can be used to speed up repository
metadata generation.

.TP
.B \-v
Verbose mode
.TP
.BI "\-u " username
Specify the key to use. The user must be in the keyring used by signd.
.TP
.BI "\-h " hash
Either sha1, sha256, or sha512. The default is sha1, because some old distributions,
e.g., RHEL 7, cannot handle sha256. On modern systems you should use sha256.
.TP
.BI "\-T " unixtime
Explicit sign time. If RPM mode (\-r) is used also accepts the string "buildtime".
.TP
.BI "\-P " keyfile
Private key file. This file must contain the encrypted privatekey generated
with the \-g option.
.TP
.BI "\-S " checksumfile
Usable only with \-r option: appends checksums into the file.
.TP
.B \-4
Create a pgp v4 signature instead of v3
.TP
.BI "\-A " pubkeyalgo
Enforce that the specified algorithm (rsa, dsa, ecdsa, eddsa) is used for signing
.TP
.BI "\-\-cert " certfile
Speficy a x509 certificate to use. A certificate is needed by some of the
signing modes, like appx signing or kernel object signing.
.TP
.B \-\-cms-nocerts
Do not include certificates in the pkcs7/cms signature
.TP
.B \-\-cms-keyid
Identify the certificate with the keyid instead of the issuer/serial
.TP
.B \-\-bulk-cpio
The input is a cpio archive in newc format. Each file in the archive is
signed. All the signatures are packed into a new cpio archive which filenames
consisting of the original files plus a ".sig" suffix. This mode is
currently only supported for raw X509 signature creation (-O).


.SH KEY GENERATION
.TP
.BR "\-g " "[\-P \fIprivkey\fP] " "\fItype\fP \fIexpire\fP \fIname\fP \fIemail\fP"
Generate new key-pair. Where:
.br
  type: one of {dsa,rsa}@{1024,2048,4096} ed25519 nistp256 nistp384
  expire: integer, days before expire
  name: real name
  email: email
.br
Write pubkey and the encrypted private key to stdout.
If the \-P option isused, the private key will be
written to the specified file and only the pubkey goes
to stdout.

.TP
.BI "\-x " expire " \fIpubkey\fP"
Extend key. Requires a private key to be specified with the \-P option.
.TP
.BI "\-C " pubkey
Convert a gpg pubkey to a self-signed X509 certificate


.SH OTHER MODES
.TP
.B \-t
Ping signd. If ping was successful, return exit code 0.
.TP
.BR \-k
Print the keyid of the key used for signing (root key or defined by \-u)
.TP
.BR \-p
Print the pubkey of of the key used for signing (root key or defined by \-u)


.SH SECURITY
Unless the allow-unprivileged-ports option has been set to true for signd,
sign needs to bind to a reserved port, in which case it works only for user
root or needs to be installed suid-root. If the latter is the case, sign
grants the users specified in the "allowuser" lines of the configuration
the right to sign files.

sign and signd are supposed to run in isolated networks only.

.SH EXIT STATUS
sign returns 0 if everything worked, otherwise it returns 1 and
prints an error message to stderr.

.SH SEE ALSO
.BR signd (8),
.BR sign.conf (5)