NAME¶

ostree-sign - Sign a commit

SYNOPSIS¶

ostree sign [OPTIONS...] {COMMIT} {KEY-ID...}

DESCRIPTION¶

Add a new signature to a commit. Note that currently, this will append a new signature even if the commit is already signed with a given key.

For `ed25519` and `spki`, there are several "well-known" system places for trusted and revoked public keys as listed below.

Files:

•/etc/ostree/trusted.SIGN-TYPE

•/etc/ostree/revoked.SIGN-TYPE

•/usr/share/ostree/trusted.SIGN-TYPE

•/usr/share/ostree/revoked.SIGN-TYPE

Directories containing files with keys:

•/etc/ostree/trusted.SIGN-TYPE.d

•/etc/ostree/revoked.SIGN-TYPE.d

•/usr/share/ostree/trusted.SIGN-TYPE.d

•/usr/share/ostree/revoked.SIGN-TYPE.d

The format of those files depends on the signature mechanism; for `ed25519`, keys are stored in the base64 encoding per line, while for `spki` they are stored in the PEM "PUBLIC KEY" encoding.

OPTIONS¶

KEY-ID

for ed25519 and spki:

base64-encoded secret (for signing) or public key (for verifying).

for dummy:

ASCII-string used as secret key and public key.

--verify

Verify signatures

-s, --sign-type

Use particular signature mechanism. Currently available ed25519, spki, and dummy signature types. The default is ed25519.

--keys-file

Read key(s) from file filename. Valid for ed25519 and spki signature types. This file must contain base64-encoded secret key(s) (for signing) or public key(s) (for verifying) per line.

--keys-dir

Redefine the system path, where to search files and subdirectories with well-known and revoked keys.

OSTree

Source file:	ostree-sign.1.en.gz (from ostree 2025.2-1)
Source last updated:	2025-04-01T15:17:30Z
Converted to HTML:	2025-04-01T20:57:02Z