pkg-key.8
.\"
.\" FreeBSD pkg - a next generation package for the installation and maintenance
.\" of non-core utilities.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\"
.\"     @(#)pkg.8
.\"
.Dd March 6, 2024
.Dt PKG-KEY 8
.Os
.Sh NAME
.Nm "pkg key"
.Nd signing key operations
.Sh SYNOPSIS
.Nm
.Op Fl -create | Fl -public | Fl -sign
.Op Fl t Ar type
.Ar keyfile
.Sh DESCRIPTION
.Nm
is used to create or extract signing keys for use with
.Xr pkg-repo 8 .
Cryptographically signing your package repository catalogue is strongly
recommended.
.Pp
If none of the
.Fl -create ,
.Fl -public ,
or
.Fl -sign
operations are specified,
.Nm
displays information about the
.Ar keyfile
on
.Em stdout .
.Pp
See
.Xr pkg-repo 8
for some practical examples of using
.Nm .
.Sh OPTIONS
The following options are supported by
.Nm :
.Bl -tag -width all
.It Fl -create
Create the named key.
Note that any file at
.Ar keyfile
will be overwritten.
.Nm
will
.Xr chmod 2
the
.Ar keyfile
to
.Li 0400
upon successful completion.
The corresponding public key will be written to
.Em stdout ;
note the caveats described with the
.Fl -public
option.
The
.Fl t
option should be used when generating keys to be explicit about the type of
key requested.
.Pp
Note that the
.Sy ecdsa
and
.Sy eddsa
keys generated by
.Nm
are not compatible with those generated by OpenSSL, but
.Xr pkg 8
can read
.Sy ecdsa
keys generated by OpenSSL.
.It Fl -public
Write the public key corresponding to
.Ar keyfile
out to
.Em stdout .
Note that some signers may output keys in a binary format, so it is recommended
to redirect
.Em stdout
to a file.
.It Fl -sign
Signs the data ingested via
.Em stdin
with the named
.Ar keyfile ,
and writes the signature data to
.Em stdout .
As with
.Fl -public ,
note that the signature may be in a binary format, so it is recommended to
redirect
.Em stdout
to a file.
.It Fl t Ar type
Specifies the
.Ar type
of signer to use for the given key.
.Nm
will not try to guess the correct signer that goes with a key in any case, so
it must be specified for every operation.
The
.Sy rsa
signer is assumed if
.Fl t
is not specified.
The following signers are currently supported:
.Bl -tag -width all
.It Sy rsa
Backend using RSA with keys created either by OpenSSL or by
.Nm
.Fl -create .
.It Sy ecc
An alias for the
.Sy eddsa
signer.
.It Sy ecdsa
Backend using ECDSA with keys created either by OpenSSL or by
.Nm
.Fl -create .
See
.Sx Elliptic Curve Cryptography
for more discussion.
.It Sy eddsa
Backend using EdDSA with keys created by
.Nm
.Fl -create .
See
.Sx Elliptic Curve Cryptography
for more discussion.
.El
.El
.Ss Elliptic Curve Cryptography
Elliptic Curve Cryptography, ECC, is supported by
.Xr pkg 8 ,
with limited compatibility with OpenSSL.
Signatures are output in a format that OpenSSL can handle, subject to the
constraints about curve choice outlined in the rest of this section.
.Pp
The
.Sy ecdsa
signer is expected to be interoperable with OpenSSL, but curve choice is more
limited than what OpenSSL provides.
In general, the curves provided must be supported both by OpenSSL and by the
.Lb libecc
used by
.Xr pkg 8 .
The criteria for curve selection are that curves must be 256-bit or higher and
accepted by both implementations.
The following common curves are currently supported:
.Bl -bullet
.It
.Sy secp256k1
.It
.Sy secp384r1
.It
.Sy secp521r1
.It
.Sy brainpoolP256r1
.It
.Sy brainpoolP256t1
.It
.Sy brainpoolP320r1
.It
.Sy brainpoolP320t1
.It
.Sy brainpoolP384r1
.It
.Sy brainpoolP384t1
.It
.Sy brainpoolP512r1
.It
.Sy brainpoolP512t1
.El
.Pp
The
.Sy eddsa
signer is not compatible with OpenSSL due to the limited curve selection
provided by
.Lb libecc
by default.
The only curve supported by
.Xr pkg 8
for EdDSA is
.Sy WEI25519 .
.Sh FILES
See
.Xr pkg.conf 5 .
.Sh SEE ALSO
.Xr pkg_create 3 ,
.Xr pkg_printf 3 ,
.Xr pkg_repo_create 3 ,
.Xr pkg_repos 3 ,
.Xr pkg-keywords 5 ,
.Xr pkg-lua-script 5 ,
.Xr pkg-repository 5 ,
.Xr pkg-script 5 ,
.Xr pkg-triggers 5 ,
.Xr pkg.conf 5 ,
.Xr pkg 8 ,
.Xr pkg-add 8 ,
.Xr pkg-alias 8 ,
.Xr pkg-annotate 8 ,
.Xr pkg-audit 8 ,
.Xr pkg-autoremove 8 ,
.Xr pkg-check 8 ,
.Xr pkg-clean 8 ,
.Xr pkg-config 8 ,
.Xr pkg-create 8 ,
.Xr pkg-delete 8 ,
.Xr pkg-fetch 8 ,
.Xr pkg-help 8 ,
.Xr pkg-info 8 ,
.Xr pkg-install 8 ,
.Xr pkg-lock 8 ,
.Xr pkg-plugins 8 ,
.Xr pkg-query 8 ,
.Xr pkg-register 8 ,
.Xr pkg-repo 8 ,
.Xr pkg-repositories 8 ,
.Xr pkg-rquery 8 ,
.Xr pkg-search 8 ,
.Xr pkg-set 8 ,
.Xr pkg-shell 8 ,
.Xr pkg-shlib 8 ,
.Xr pkg-ssh 8 ,
.Xr pkg-stats 8 ,
.Xr pkg-triggers 8 ,
.Xr pkg-unregister 8 ,
.Xr pkg-update 8 ,
.Xr pkg-updating 8 ,
.Xr pkg-upgrade 8 ,
.Xr pkg-version 8 ,
.Xr pkg-which 8
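
The caveats listed under OPTIONS (--create overwrites an existing keyfile, the key ends up mode 0400, -t should always be explicit, and stdout may be binary) are applied in the POSIX sh wrappers below. This is an added example, not part of the original manual page or of the pkg project. The function names valid_signer, create_repo_key and sign_file, and the umask 077 precaution, are assumptions of this example.

```shell
# Added example, not part of pkg: guarded wrappers around "pkg key".
# Helper names are hypothetical; only flags from this manual page are used.

# Accept only the signer names this page lists for -t.
valid_signer() {
    case "$1" in
        rsa|ecc|ecdsa|eddsa) return 0 ;;
        *) echo "unknown signer: $1" >&2; return 1 ;;
    esac
}

# create_repo_key SIGNER KEYFILE PUBFILE
create_repo_key() {
    signer=$1 keyfile=$2 pubfile=$3
    valid_signer "$signer" || return 2
    # --create overwrites whatever is at KEYFILE, so refuse instead.
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite $keyfile" >&2
        return 3
    fi
    # umask 077 is an added precaution (assumption, not documented behaviour).
    # stdout goes to a file because the public key may be binary.
    ( umask 077 && pkg key --create -t "$signer" "$keyfile" ) > "$pubfile" ||
        return 4
    # The page says the key is chmod'ed to 0400 on success; confirm it.
    [ -n "$(find "$keyfile" -prune -perm 0400)" ] || {
        echo "$keyfile is not mode 0400" >&2
        return 5
    }
}

# sign_file SIGNER KEYFILE INPUT SIGFILE
sign_file() {
    signer=$1 keyfile=$2 input=$3 sigfile=$4
    valid_signer "$signer" || return 2
    [ -r "$keyfile" ] || return 3
    # Data is read from stdin; the possibly binary signature goes to a file.
    pkg key --sign -t "$signer" "$keyfile" < "$input" > "$sigfile" || return 4
    # An empty signature file means nothing usable was written.
    [ -s "$sigfile" ] || return 5
}
```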