GitHub Repository: freebsd/pkg
Path: blob/main/docs/pkg-key.8
.\"
.\" FreeBSD pkg - a next generation package for the installation and maintenance
.\" of non-core utilities.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\"
.\"     @(#)pkg-key.8
.\"
.Dd March 6, 2024
.Dt PKG-KEY 8
.Os
.Sh NAME
.Nm "pkg key"
.Nd signing key operations
.Sh SYNOPSIS
.Nm
.Op Fl -create | Fl -public | Fl -sign
.Op Fl t Ar type
.Ar keyfile
.Sh DESCRIPTION
.Nm
is used to create or extract signing keys for use with
.Xr pkg-repo 8 .
Cryptographically signing your package repository catalog is strongly
recommended.
.Pp
One of the
.Fl -create ,
.Fl -public ,
or
.Fl -sign
operations must be specified.
Future work may write information about the
.Ar keyfile
out to
.Em stdout
when no key operation has been specified.
.Pp
See
.Xr pkg-repo 8
for some practical examples of using
.Nm .
.Sh OPTIONS
The following options are supported by
.Nm :
.Bl -tag -width all
.It Fl -create
Create the named key.
Note that any file at
.Ar keyfile
will be overwritten.
.Nm
will
.Xr chmod 2
the
.Ar keyfile
to
.Li 0400
upon successful completion.
The corresponding public key will be written to
.Em stdout ;
see the caveats about binary output described under the
.Fl -public
option.
The
.Fl t
option should be used when generating keys to be explicit about the type of
key requested.
.Pp
Note that the
.Sy ecdsa
and
.Sy eddsa
keys generated by
.Nm
are not compatible with those generated by OpenSSL, but
.Xr pkg 8
can read
.Sy ecdsa
keys generated by OpenSSL.
.It Fl -public
Write the public key corresponding to
.Ar keyfile
out to
.Em stdout .
Note that some signers may output keys in a binary format, so it is recommended
to redirect
.Em stdout
to a file.
.It Fl -sign
Signs the data ingested via
.Em stdin
with the named
.Ar keyfile ,
and writes the signature data to
.Em stdout .
As with
.Fl -public ,
note that the signature may be a binary format and it is recommended to redirect
.Em stdout
to a file.
.It Fl t Ar type
Specifies the
.Ar type
of signer to use for the given key.
.Nm
will not try to guess the signer that goes with a key, so the type should be
given explicitly for every operation on a key that is not an RSA key.
When
.Fl t
is not specified, the
.Sy rsa
signer is assumed.
The following signers are currently supported:
.Bl -tag -width all
.It Sy rsa
Backend using RSA with keys created either by OpenSSL or by
.Nm
.Fl -create .
.It Sy ecc
An alias for the
.Sy eddsa
signer.
.It Sy ecdsa
Backend using ECDSA with keys created either by OpenSSL or by
.Nm
.Fl -create .
See
.Sx Elliptic Curve Cryptography
for more discussion.
.It Sy eddsa
Backend using EdDSA with keys created by
.Nm
.Fl -create .
See
.Sx Elliptic Curve Cryptography
for more discussion.
.El
.El
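The key lifecycle the three operations above describe, as an added example that is not part of this manual page or of the pkg project: because the rsa signer accepts keys created by OpenSSL, the same steps (create with the file locked to 0400, write the public key to a file, sign data read from stdin, redirect the binary signature to a file, verify) are reproduced here with openssl(1) so they can be checked on any host. It assumes openssl(1) is in PATH; the "catalog" is constructed stand-in data, and the PKCS#1 SHA-256 signature produced by openssl dgst illustrates the sign/verify flow rather than the exact bytes that "pkg key --sign" emits.

```shell
#!/bin/sh
# Added example, not pkg project code. Mirrors "pkg key --create / --public /
# --sign" for the rsa signer using OpenSSL, which pkg-key(8) says can create
# keys the rsa signer reads. Assumes openssl(1) in PATH.
set -eu

# make_rsa_key KEYFILE: generate a 2048-bit RSA private key at KEYFILE.
# Like --create, any existing file is overwritten; afterwards the key is
# chmod'ed to 0400. Documented equivalent: pkg key --create -t rsa KEYFILE
make_rsa_key() {
    rm -f "$1"
    (umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null)
    chmod 0400 "$1"
}

# key_mode KEYFILE: print the ls(1) mode string, e.g. "-r--------" for 0400.
key_mode() {
    ls -l "$1" | cut -c1-10
}

# public_key KEYFILE: write the PEM public key to stdout, as --public does.
# Documented equivalent: pkg key --public -t rsa KEYFILE > KEYFILE.pub
public_key() {
    openssl rsa -in "$1" -pubout 2>/dev/null
}

# sign_stdin KEYFILE: sign whatever arrives on stdin, raw signature bytes to
# stdout. The output is binary, so callers redirect it to a file, exactly the
# advice the man page gives for --sign.
sign_stdin() {
    openssl dgst -sha256 -sign "$1"
}

# verify_file PUBFILE SIGFILE DATAFILE: succeed only if SIGFILE is a valid
# signature over DATAFILE under PUBFILE; this is the consumer side of the flow.
verify_file() {
    openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# demo: full round trip in a scratch directory. Prints two words: the result
# of verifying the untouched data, then the result after tampering with it.
demo() {
    d=$(mktemp -d)
    make_rsa_key "$d/repo.key"
    public_key "$d/repo.key" > "$d/repo.pub"
    printf 'packagesite: sample\n' > "$d/catalog"      # constructed stand-in
    sign_stdin "$d/repo.key" < "$d/catalog" > "$d/catalog.sig"
    verify_file "$d/repo.pub" "$d/catalog.sig" "$d/catalog" && r=good || r=bad
    printf 'extra: line\n' >> "$d/catalog"             # attacker edits catalog
    verify_file "$d/repo.pub" "$d/catalog.sig" "$d/catalog" && t=good || t=bad
    rm -rf "$d"
    echo "$r $t"
}
```

Running demo prints "good bad": the signature verifies against the data that was signed and fails once a single line is appended, which is the property a signed repository catalog relies on. Note that make_rsa_key creates the file under umask 077 before the final chmod, so the private key is never world-readable even for the instant before the chmod runs.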
.Ss Elliptic Curve Cryptography
Elliptic Curve Cryptography, ECC, is supported by
.Xr pkg 8 ,
with limited compatibility with OpenSSL.
Signatures are output in a format that OpenSSL can handle, subject to the
constraints about curve choice outlined in the rest of this section.
.Pp
The
.Sy ecdsa
signer is expected to be interoperable with OpenSSL, but curve choice is more
limited than what OpenSSL provides.
In general, the curves provided must be supported both by OpenSSL and by the
.Lb libecc
used by
.Xr pkg 8 .
The criteria for curve selection are that the curve must be 256-bit or larger
and accepted by both implementations.
The following common curves are currently supported:
.Bl -bullet
.It
.Sy secp256k1
.It
.Sy secp384r1
.It
.Sy secp521r1
.It
.Sy brainpoolP256r1
.It
.Sy brainpoolP256t1
.It
.Sy brainpoolP320r1
.It
.Sy brainpoolP320t1
.It
.Sy brainpoolP384r1
.It
.Sy brainpoolP384t1
.It
.Sy brainpoolP512r1
.It
.Sy brainpoolP512t1
.El
.Pp
The
.Sy eddsa
signer is not compatible with OpenSSL due to limited curve selection provided
by
.Lb libecc
by default.
The only curve supported by
.Xr pkg 8
for EdDSA is
.Sy WEI25519 .
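A curve-selection check for the ecdsa signer, as an added example that is not part of this manual page or of the pkg project: it encodes the curve list above, tests a requested curve against both that list and the curves the local openssl(1) build offers, and then does an OpenSSL-generated ECDSA key and sign/verify round trip on an accepted curve, which is the interoperability the section describes. It assumes openssl(1) is in PATH, that the PKG_ECDSA_CURVES list is kept in sync with this page, and uses constructed stand-in data for the signed content.

```shell
#!/bin/sh
# Added example, not pkg project code. Validates an ECDSA curve against the
# list in pkg-key(8) and against the local OpenSSL, then exercises an
# OpenSSL-generated key on it. Assumes openssl(1) in PATH.
set -eu

# Copied from the pkg-key(8) ecdsa curve list; keep in sync with the page.
PKG_ECDSA_CURVES="secp256k1 secp384r1 secp521r1
brainpoolP256r1 brainpoolP256t1 brainpoolP320r1 brainpoolP320t1
brainpoolP384r1 brainpoolP384t1 brainpoolP512r1 brainpoolP512t1"

# pkg_supports_curve NAME: succeed if NAME is in the man page's list.
# prime256v1 and secp224r1, for instance, are not.
pkg_supports_curve() {
    for c in $PKG_ECDSA_CURVES; do
        [ "$c" = "$1" ] && return 0
    done
    return 1
}

# openssl_supports_curve NAME: succeed if this OpenSSL build offers NAME.
# "ecparam -list_curves" prints "NAME: description" or "NAME : description".
openssl_supports_curve() {
    openssl ecparam -list_curves 2>/dev/null | grep -q "^ *$1 *:"
}

# usable_curve NAME: succeed only when both sides accept NAME, the rule the
# section states for ecdsa keys shared between pkg and OpenSSL.
usable_curve() {
    pkg_supports_curve "$1" && openssl_supports_curve "$1"
}

# make_ec_key CURVE KEYFILE: generate an ECDSA key with OpenSSL on CURVE,
# refusing curves that fail usable_curve, and lock the file down to 0400.
make_ec_key() {
    usable_curve "$1" || {
        echo "curve $1 is not accepted by both pkg and openssl" >&2
        return 1
    }
    rm -f "$2"
    (umask 077 && openssl ecparam -name "$1" -genkey -noout -out "$2" 2>/dev/null)
    chmod 0400 "$2"
}

# ec_roundtrip CURVE: sign constructed data with an OpenSSL key on CURVE and
# verify it with the extracted public key; prints "good" or "bad".
ec_roundtrip() {
    d=$(mktemp -d)
    make_ec_key "$1" "$d/ec.key"
    openssl ec -in "$d/ec.key" -pubout -out "$d/ec.pub" 2>/dev/null
    printf 'packagesite: sample\n' > "$d/catalog"      # constructed stand-in
    # ECDSA signatures are DER-encoded binary, hence the redirect to a file.
    openssl dgst -sha256 -sign "$d/ec.key" < "$d/catalog" > "$d/catalog.sig"
    if openssl dgst -sha256 -verify "$d/ec.pub" -signature "$d/catalog.sig" \
            "$d/catalog" >/dev/null 2>&1; then
        r=good
    else
        r=bad
    fi
    rm -rf "$d"
    echo "$r"
}
```

The check matters because OpenSSL's default "openssl ecparam -genkey" curve choices include prime256v1 (secp256r1), which this page does not list for the ecdsa signer; generating the key with make_ec_key secp384r1 stays within the intersection the section requires, while make_ec_key prime256v1 refuses up front instead of producing a key that pkg may reject later.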
.Sh FILES
See
.Xr pkg.conf 5 .
.Sh SEE ALSO
.Xr pkg_create 3 ,
.Xr pkg_printf 3 ,
.Xr pkg_repo_create 3 ,
.Xr pkg_repos 3 ,
.Xr pkg-keywords 5 ,
.Xr pkg-lua-script 5 ,
.Xr pkg-repository 5 ,
.Xr pkg-script 5 ,
.Xr pkg-triggers 5 ,
.Xr pkg.conf 5 ,
.Xr pkg 8 ,
.Xr pkg-add 8 ,
.Xr pkg-alias 8 ,
.Xr pkg-annotate 8 ,
.Xr pkg-audit 8 ,
.Xr pkg-autoremove 8 ,
.Xr pkg-check 8 ,
.Xr pkg-clean 8 ,
.Xr pkg-config 8 ,
.Xr pkg-create 8 ,
.Xr pkg-delete 8 ,
.Xr pkg-fetch 8 ,
.Xr pkg-info 8 ,
.Xr pkg-install 8 ,
.Xr pkg-lock 8 ,
.Xr pkg-query 8 ,
.Xr pkg-register 8 ,
.Xr pkg-repo 8 ,
.Xr pkg-repositories 8 ,
.Xr pkg-rquery 8 ,
.Xr pkg-search 8 ,
.Xr pkg-set 8 ,
.Xr pkg-shell 8 ,
.Xr pkg-shlib 8 ,
.Xr pkg-ssh 8 ,
.Xr pkg-stats 8 ,
.Xr pkg-triggers 8 ,
.Xr pkg-update 8 ,
.Xr pkg-updating 8 ,
.Xr pkg-upgrade 8 ,
.Xr pkg-version 8 ,
.Xr pkg-which 8