ostree-sign(1)

Sign a commit

Section 1 ostree bookworm source

Description

OSTREE SIGN

NAME

ostree-sign - Sign a commit

SYNOPSIS

ostree sign [OPTIONS...] {COMMIT} {KEY-ID...}

DESCRIPTION

Add a new signature to a commit. Note that currently, this will append a new signature even if the commit is already signed with a given key.

There are several "well-known" system places for ‘ed25519‘ trusted and revoked public keys -- expected single base64-encoded key per line.

Files:

• /etc/ostree/trusted.ed25519

• /etc/ostree/revoked.ed25519

• /usr/share/ostree/trusted.ed25519

• /usr/share/ostree/revoked.ed25519

Directories containing files with keys:

• /etc/ostree/trusted.ed25519.d

• /etc/ostree/revoked.ed25519.d

• /usr/share/ostree/trusted.ed25519.d

• /usr/share/ostree/rvokeded.ed25519.d

OPTIONS

KEY-ID

for ed25519:

base64-encoded secret (for signing) or public key (for verifying).

for dummy:

ASCII-string used as secret key and public key.

--verify

Verify signatures

-s, --sign-type

Use particular signature mechanism. Currently available ed25519 and dummy signature types. The default is ed25519.

--keys-file

Read key(s) from file filename. Valid for ed25519 signature type. For ed25519 this file must contain base64-encoded secret key(s) (for signing) or public key(s) (for verifying) per line.

--keys-dir

Redefine the system path, where to search files and subdirectories with well-known and revoked keys.