sign - Man Page

sign files or rpms

Synopsis

sign [-c|-d|-r|-a] [-u user] [-h hash] [file]
sign -k|-p [-u user] [-h hash]
sign -g type expire name email
sign -x expire pubkey
sign -C pubkey
sign -t

Description

sign adds a cryptographic signature to a file. It can add a clearsign signature (-c option), create a detached signature (-d option), or add a signature block to an rpm package (-r option). If no mode is specified, sign does an rpm sign if the file name ends in ".rpm", otherwise it does a clearsign. If no file name is specified, sign reads from stdin and writes to stdout.

One can specify a specific user or hash method with the -u and -h options. Currently sign understands sha1, sha256, and sha512 hashes.

sign does not create signatures by itself; it needs a running signing daemon (called signd) to do the work. The host and port information is read from the /etc/sign.conf file.

The -k option makes sign print the keyid instead of signing a file, the -p option makes it print the public key.

New keys can be created by using the -g option. In that case, a file name to store the private key needs to be provided with the -P option. This private key can be used for signing by also using the -P option with the other modes. The pubkey of the generated key is printed to stdout.

In case an X509 certificate is needed (e.g. for linux kernel modules), the key can be converted to a (self-signed) certificate by using the -C option.

The expire time of existing keys can be extended with the -x option.

Signing Modes

-c

Clearsign

-r

Sign RPM package

-d

Create a detached gpg signature

-D

Create an unarmored detached gpg signature

-O

Create a raw X509 signature. Enforces RSA unless the -A option is used.

-a

Sign AppImage container

--appx

Sign a windows appx container

--pesign

Sign a PE/COFF file

--kosign

Sign a linux kernel object

--cmssign

Create a detached pkcs7/CMS signature

Common Options

In some cases it is useful to specify the signature time. This can be done with the -T option.

The -S option specifies a checksum file; it makes sign append a line containing the checksum of each signed rpm. This can be used to speed up repository metadata generation.

-v

Verbose mode

-u username

Specify the key to use. The user must be in the keyring used by signd.

-h hash

Either sha1, sha256, or sha512. The default is sha1, because some old distributions, e.g., RHEL 7, cannot handle sha256. On modern systems you should use sha256.

-T unixtime

Explicit sign time. In RPM mode (-r) the string "buildtime" is also accepted.

-P keyfile

Private key file. This file must contain the encrypted private key generated with the -g option.

-S checksumfile

Usable only with -r option: appends checksums into the file.

-4

Create a pgp v4 signature instead of v3

-A pubkeyalgo

Enforce that the specified algorithm (rsa, dsa, ecdsa, eddsa) is used for signing

--cert certfile

Specify an X509 certificate to use. A certificate is needed by some of the signing modes, like appx signing or kernel object signing.

--cms-nocerts

Do not include certificates in the pkcs7/cms signature

--cms-keyid

Identify the certificate with the keyid instead of the issuer/serial

--bulk-cpio

The input is a cpio archive in newc format. Each file in the archive is signed. All the signatures are packed into a new cpio archive whose file names consist of the original file names plus a ".sig" suffix. This mode is currently only supported for raw X509 signature creation (-O).

Key Generation

-g [-P privkey] type expire name email

Generate a new key-pair. Where:
 type: one of {dsa,rsa}@{1024,2048,4096} ed25519 nistp256 nistp384
 expire: integer, days before expiry
 name: real name
 email: email address
Writes the pubkey and the encrypted private key to stdout. If the -P option is used, the private key is written to the specified file and only the pubkey goes to stdout.

-x expire pubkey

Extend key. Requires a private key to be specified with the -P option.

-C pubkey

Convert a gpg pubkey to a self-signed X509 certificate

Other Modes

-t

Ping signd. If ping was successful, return exit code 0.

-k

Print the keyid of the key used for signing (root key or defined by -u)

-p

Print the pubkey of the key used for signing (root key or defined by -u)

Security

Unless the allow-unprivileged-ports option has been set to true for signd, sign needs to bind to a reserved port, in which case it works only for user root or needs to be installed suid-root. If the latter is the case, sign grants the users specified in the "allowuser" lines of the configuration the right to sign files.

sign and signd are supposed to run in isolated networks only.

Exit Status

sign returns 0 if everything worked, otherwise it returns 1 and prints an error message to stderr.
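Example

The following script is an added example, not part of the original page or the obs-sign project: it combines the Description and Common Options above into a release-signing step that pings signd first, signs every rpm with a sha256 signature stamped with the package buildtime while collecting checksums via -S, and clearsigns everything else. The variables SIGN_BIN and SIGN_USER and the function sign_release are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from sign(1) itself). Assumptions: SIGN_BIN points at the
# sign binary and SIGN_USER names a key in the keyring used by signd.
set -eu
SIGN_BIN=${SIGN_BIN:-sign}
SIGN_USER=${SIGN_USER:-release-key}

# sign_release DIR CHECKSUMFILE
# Every *.rpm in DIR gets an RPM signature block (-r) made with sha256,
# timestamped with the package buildtime (-T buildtime), and its checksum
# appended to CHECKSUMFILE (-S) for later repository metadata generation.
# Any other regular file is clearsigned (-c). Aborts before touching any
# file if signd does not answer the ping (-t), and stops at the first
# signing failure because sign exits non-zero on error.
sign_release() {
  dir=$1
  sums=$2
  "$SIGN_BIN" -t || { echo "signd not reachable" >&2; return 1; }
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case "$f" in
      *.rpm) "$SIGN_BIN" -r -u "$SIGN_USER" -h sha256 -T buildtime -S "$sums" "$f" ;;
      *)     "$SIGN_BIN" -c -u "$SIGN_USER" -h sha256 "$f" ;;
    esac
  done
}

# Usage: sign_release.sh RELEASE_DIR [CHECKSUMFILE]
if [ $# -ge 1 ]; then
  sign_release "$1" "${2:-CHECKSUMS}"
fi
```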

See Also

signd(8), sign.conf(5)

Apr 2007