Sign Package

In DSM 5.1 and onward, Package Center has a built-in code signing mechanism to ensure the integrity of a package and its publisher. The toolkit for DSM 5.0 and onward includes the CodeSign.php script, which signs a package with a GnuPG key. If you do not have a GPG key, you will need to generate one. Please refer to Prepare GPG Key for more information.

PkgCreate.py signs the package automatically unless you pass the --no-sign option. For example, the following command tells PkgCreate.py to build and install your project; because --no-sign is not given, the package is signed.

PkgCreate.py -i ${project}

If you want to sign the package yourself, you can run CodeSign.php manually inside the build environment with the following commands.

chroot /toolkit/build_env/ds.${platform}-${version}
php /pkgscripts/CodeSign.php [option] --sign=package-path

Options:
--keydir=keyrings directory (default is /root/.gnupg)
--keyfpr=key's fingerprint (default is ""; in that case, the first key in the key directory is used to sign the package)

Examples:
php /pkgscripts/CodeSign.php --sign=phpBB-3.0.12-0031.spk
php /pkgscripts/CodeSign.php --keydir=/root/.gpg --keyfpr=C1BF63CD --sign=phpBB-3.0.12-0031.spk
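
The check below is an added example, not part of the Synology toolkit: it reads gpg's colon-delimited key listing and confirms that a --keyfpr value (or the empty default, which uses the first key) selects exactly one primary secret key in the key directory. The function names and the sample listing are constructed for illustration, and the script only checks the ID you intend to pass; it does not call CodeSign.php.

```shell
#!/bin/sh
# Added example: resolve a --keyfpr value to one primary secret key before signing.
# Real use inside the chroot (standard gpg options), then pass the ID you checked:
#   gpg --homedir /root/.gnupg --fingerprint --with-colons --list-secret-keys \
#     | resolve_keyfpr C1BF63CD

# Constructed, abridged sample of gpg's colon listing: two secret keys, one subkey.
SAMPLE_LISTING='sec:u:4096:1:89ABCDEFC1BF63CD:1400000000:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFC1BF63CD:
uid:u::::1400000000::::Constructed Release Key <release@example.invalid>:
ssb:u:4096:1:1111222233334444:1400000000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
sec:u:2048:1:33221100AABBCCDD:1400000500:::u:::scESC:
fpr:::::::::FFEEDDCCBBAA99887766554433221100AABBCCDD:
uid:u::::1400000500::::Constructed Test Key <test@example.invalid>:'

# Print the fingerprint of every primary secret key, in keyring order.
# An fpr record describes the sec/ssb record before it; subkey records are skipped.
primary_fprs() {
    awk -F: '$1 == "sec" || $1 == "ssb" { kind = $1; next }
             $1 == "fpr" && kind == "sec" { print toupper($10); kind = "" }'
}

# resolve_keyfpr ID: read a listing on stdin and print the fingerprint ID selects.
# Returns 1 if nothing matches or ID is not hex, 2 if the choice is ambiguous
# (ID matches several keys, or ID is empty and the keyring holds several keys);
# in the ambiguous case the first candidate in keyring order is still printed.
resolve_keyfpr() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    case "$want" in *[!0-9A-F]*) return 1 ;; esac
    all=$(primary_fprs)
    [ -n "$all" ] || return 1
    if [ -z "$want" ]; then
        hits=$all
    else
        hits=$(printf '%s\n' "$all" | grep "${want}\$") || return 1
    fi
    count=$(printf '%s\n' "$hits" | grep -c .)
    printf '%s\n' "$hits" | head -n 1
    [ "$count" -eq 1 ] || return 2
}
```

A return status of 2 with an empty ID means the keyring holds more than one secret key, so the key used by default depends on keyring order; pass --keyfpr explicitly in that case.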