| OSTREE SIGN(1) | ostree sign | OSTREE SIGN(1) |
NAME
ostree-sign - Sign a commit
SYNOPSIS
ostree sign [OPTIONS...] {COMMIT} {KEY-ID...}
DESCRIPTION
Add a new signature to a commit. Note that currently, this will append a new signature even if the commit is already signed with a given key.
For `ed25519` and `spki`, there are several "well-known" system places for trusted and revoked public keys as listed below.
Files:
•/etc/ostree/trusted.SIGN-TYPE
•/etc/ostree/revoked.SIGN-TYPE
•/usr/share/ostree/trusted.SIGN-TYPE
•/usr/share/ostree/revoked.SIGN-TYPE
Directories containing files with keys:
•/etc/ostree/trusted.SIGN-TYPE.d
•/etc/ostree/revoked.SIGN-TYPE.d
•/usr/share/ostree/trusted.SIGN-TYPE.d
•/usr/share/ostree/revoked.SIGN-TYPE.d
The format of those files depends on the signature mechanism; for `ed25519`, keys are stored in the base64 encoding per line, while for `spki` they are stored in the PEM "PUBLIC KEY" encoding.
OPTIONS
KEY-ID
for ed25519 and spki:
base64-encoded secret (for signing) or public key (for
verifying).
for dummy:
ASCII-string used as secret key and public key.
--verify
Verify signatures
-s, --sign-type
Use particular signature mechanism. Currently available
ed25519, spki, and dummy signature types. The default is ed25519.
--keys-file
Read key(s) from file filename. Valid for ed25519 and
spki signature types. This file must contain base64-encoded secret key(s) (for
signing) or public key(s) (for verifying) per line.
--keys-dir
Redefine the system path, where to search files and
subdirectories with well-known and revoked keys.
| OSTree |