@@ -1,6 +1,5 @@
-*.[1-9]
*.a
*.exe
*.o
*.patch
*.so
@@ -68,11 +68,10 @@ ifneq ($(V),1)
QUIET_CC = @echo ' CC ' $@;
QUIET_CCLD = @echo ' CCLD ' $@;
QUIET_AR = @echo ' AR ' $@;
QUIET_LN = @echo ' LN ' $@;
QUIET_GEN = @echo ' GEN ' $@;
-QUIET_PANDOC = @echo ' PANDOC ' $@;
endif
USE_SHARED_LIB ?=
PREFIX ?= /usr/local
BINDIR ?= $(PREFIX)/bin
INCDIR ?= $(PREFIX)/include
@@ -203,15 +202,11 @@ EXTRA_TARGETS += $(TEST_PROGRAMS)
##############################################################################
#### Manual pages
-man/fsverity.1:man/fsverity.1.md
- $(QUIET_PANDOC) pandoc $+ -s -t man > $@
-
-MAN_PAGES := man/fsverity.1
-EXTRA_TARGETS += $(MAN_PAGES)
+MAN_PAGES := $(wildcard man/*.[1-9])
##############################################################################
# Support for downloading and building BoringSSL. The purpose of this is to
# allow testing builds of fsverity-utils that link to BoringSSL instead of
@@ -226,12 +221,11 @@ boringssl:
cmake -B boringssl/build boringssl
$(MAKE) -C boringssl/build $(MAKEFLAGS)
##############################################################################
-SPECIAL_TARGETS := all test_programs check install install-man uninstall \
- help clean
+SPECIAL_TARGETS := all test_programs check install uninstall help clean
FORCE:
.PHONY: $(SPECIAL_TARGETS) FORCE
@@ -270,14 +264,14 @@ install:all
-e "s|@LIBDIR@|$(LIBDIR)|" \
-e "s|@INCDIR@|$(INCDIR)|" \
lib/libfsverity.pc.in \
> $(DESTDIR)$(LIBDIR)/pkgconfig/libfsverity.pc
chmod 644 $(DESTDIR)$(LIBDIR)/pkgconfig/libfsverity.pc
-
-install-man:$(MAN_PAGES)
install -d $(DESTDIR)$(MANDIR)/man1
- install -m644 $+ $(DESTDIR)$(MANDIR)/man1/
+ for page in $(MAN_PAGES); do \
+ install -m644 $$page $(DESTDIR)$(MANDIR)/man1/; \
+ done
uninstall:
rm -f $(DESTDIR)$(BINDIR)/$(FSVERITY)
rm -f $(DESTDIR)$(LIBDIR)/libfsverity.a
rm -f $(DESTDIR)$(LIBDIR)/libfsverity.so.$(SOVERSION)
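Review bot: The new `for page in $(MAN_PAGES)` loop in the install recipe can mask a failed copy. Under make's default shell flags the recipe line's status is that of the last `install` only, so once more than one page matches the wildcard, an earlier failure still lets `make install` report success. I would end the loop body with `install -m644 $$page $(DESTDIR)$(MANDIR)/man1/ || exit 1; \`. The loop also sends every `man/*.[1-9]` match to `man1`, so either narrow the wildcard to `man/*.1` or derive the section directory from the page suffix. The install recipe begins before this hunk and uninstall continues past it, so whether uninstall removes the page is not visible here.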
@@ -23,30 +23,26 @@ See `libfsverity.h` for the API of this library.
To build fsverity-utils, first install the needed build dependencies. For
example, on Debian-based systems, run:
```bash
sudo apt-get install libssl-dev
- sudo apt-get install pandoc # optional
```
OpenSSL must be version 1.0.0 or later. This is the only runtime dependency.
Then, to build and install fsverity-utils:
```bash
make
sudo make install
- sudo make install-man # optional
```
By default, the following targets are built and installed: the program
-`fsverity`, the static library `libfsverity.a`, and the shared library
-`libfsverity.so`. You can also run `make check` to build and run the
-tests, or `make help` to display all available build targets.
-
-`make install-man` installs the `fsverity.1` manual page. This step requires
-that `pandoc` be installed.
+`fsverity`, the static library `libfsverity.a`, the shared library
+`libfsverity.so`, and the manual page `fsverity.1`. You can also run
+`make check` to build and run the tests, or `make help` to display all
+available build targets.
By default, `fsverity` is statically linked to `libfsverity`. You can
use `make USE_SHARED_LIB=1` to use dynamic linking instead.
See the `Makefile` for other supported build and installation options.
new file mode 100644
@@ -0,0 +1,267 @@
+.\" SPDX-License-Identifier: MIT
+.\"
+.\" Copyright 2021 Google LLC
+.\"
+.\" Use of this source code is governed by an MIT-style license that can be
+.\" found in the LICENSE file or at https://opensource.org/licenses/MIT.
+.\"
+.TH "FSVERITY" "1" "February 2022" "fsverity-utils v1.5" "User Commands"
+.hy
+.
+.SH NAME
+.PP
+fsverity - userspace utility for fs-verity
+.
+.
+.SH SYNOPSIS
+.PP
+\f[B]fsverity digest\f[R] [\f[I]OPTION\f[R]\&...]
+\f[I]FILE\f[R]\&...
+.PD 0
+.P
+.PD
+\f[B]fsverity dump_metadata\f[R] [\f[I]OPTION\f[R]\&...]
+\f[I]TYPE\f[R] \f[I]FILE\f[R]
+.PD 0
+.P
+.PD
+\f[B]fsverity enable\f[R] [\f[I]OPTION\f[R]\&...]
+\f[I]FILE\f[R]
+.PD 0
+.P
+.PD
+\f[B]fsverity measure\f[R] \f[I]FILE\f[R]\&...
+.PD 0
+.P
+.PD
+\f[B]fsverity sign\f[R] [\f[I]OPTION\f[R]\&...]
+\f[I]FILE\f[R] \f[I]OUT_SIGFILE\f[R]
+.
+.
+.SH DESCRIPTION
+.PP
+\f[B]fsverity\f[R] is a userspace utility for fs-verity.
+fs-verity is a Linux kernel filesystem feature that does transparent on-demand
+verification of the contents of read-only files using Merkle trees.
+.PP
+\f[B]fsverity\f[R] can enable fs-verity on files, retrieve the digests of
+fs-verity files, and sign files for use with fs-verity (among other things).
+\f[B]fsverity\f[R]\[cq]s functionality is divided among various subcommands.
+.PP
+This manual page focuses on documenting all \f[B]fsverity\f[R] subcommands and
+options.
+For examples and more information about the fs-verity kernel feature, see the
+references at the end of this page.
+.
+.
+.SH OPTIONS
+.PP
+\f[B]fsverity\f[R] always accepts the following options:
+.TP
+\f[B]--help\f[R]
+Show the help, for either one subcommand or for all subcommands.
+.TP
+\f[B]--version\f[R]
+Show the version of fsverity-utils.
+.
+.
+.SH SUBCOMMANDS
+.
+.SS \f[B]fsverity digest\f[R] [\f[I]OPTION\f[R]\&...] \f[I]FILE\f[R]\&...
+.PP
+Compute the fs-verity digest of the given file(s).
+This is mainly intended to used in preparation for signing the digest.
+In some cases \f[B]fsverity sign\f[R] can be used instead to digest and sign the
+file in one step.
+.PP
+Options accepted by \f[B]fsverity digest\f[R]:
+.TP
+\f[B]--block-size\f[R]=\f[I]BLOCK_SIZE\f[R]
+The Merkle tree block size (in bytes) to use.
+This must be a power of 2 and at least twice the size of the hash values.
+.RS
+.PP
+Note that the Linux kernel implementations of fs-verity place further
+restrictions on the Merkle tree block size.
+Linux v6.2 and earlier require that the Merkle tree block size be equal to both
+the system page size and the filesystem block size.
+These values are often 4096.
+Linux v6.3 and later are more flexible; they require that the Merkle tree block
+size be a power of 2 that is greater than or equal to 1024 and less than or
+equal to the system page size and the filesystem block size.
+The default value of this option is 4096.
+.RE
+.TP
+\f[B]--compact\f[R]
+When printing the file digest, only print the actual digest hex string;
+don\[cq]t print the algorithm name and filename.
+.TP
+\f[B]--for-builtin-sig\f[R]
+Format the file digest in a way that is compatible with the Linux kernel\[cq]s
+fs-verity built-in signature verification support.
+This means formatting it as a \f[B]struct fsverity_formatted_digest\f[R].
+Use this option if you are using built-in signatures but are not using
+\f[B]fsverity sign\f[R] to do the signing.
+.TP
+\f[B]--hash-alg\f[R]=\f[I]HASH_ALG\f[R]
+The hash algorithm to use to build the Merkle tree.
+Valid options are sha256 and sha512.
+Default is sha256.
+.TP
+\f[B]--out-merkle-tree\f[R]=\f[I]FILE\f[R]
+Write the computed Merkle tree to the given file.
+The Merkle tree layout will be the same as that used by the Linux kernel\[cq]s
+\f[B]FS_IOC_READ_VERITY_METADATA\f[R] ioctl.
+.RS
+.PP
+Normally this option isn\[cq]t useful, but it can be needed in cases where the
+fs-verity metadata needs to be consumed by something other than one of the
+native Linux kernel implementations of fs-verity.
+This is not needed for file signing.
+.RE
+.TP
+\f[B]--out-descriptor\f[R]=\f[I]FILE\f[R]
+Write the computed fs-verity descriptor to the given file.
+.RS
+.PP
+Normally this option isn\[cq]t useful, but it can be needed in cases where the
+fs-verity metadata needs to be consumed by something other than one of the
+native Linux kernel implementations of fs-verity.
+This is not needed for file signing.
+.RE
+.TP
+\f[B]--salt\f[R]=\f[I]SALT\f[R]
+The salt to use in the Merkle tree, as a hex string.
+The salt is a value that is prepended to every hashed block; it can be used to
+personalize the hashing for a particular file or device.
+The default is no salt.
+.
+.SS \f[B]fsverity dump_metadata\f[R] [\f[I]OPTION\f[R]\&...] \f[I]TYPE\f[R] \f[I]FILE\f[R]
+.PP
+Dump the fs-verity metadata of the given file.
+The file must have fs-verity enabled, and the filesystem must support the
+\f[B]FS_IOC_READ_VERITY_METADATA\f[R] ioctl (it was added in Linux v5.12).
+This subcommand normally isn\[cq]t useful, but it can be useful in cases where a
+userspace server program is serving a verity file to a client which implements
+fs-verity compatible verification.
+.PP
+\f[I]TYPE\f[R] may be \[lq]merkle_tree\[rq], \[lq]descriptor\[rq], or
+\[lq]signature\[rq], indicating the type of metadata to dump.
+\[lq]signature\[rq] refers to the built-in signature, if present;
+userspace-managed signatures will not be included.
+.PP
+Options accepted by \f[B]fsverity dump_metadata\f[R]:
+.TP
+\f[B]--length\f[R]=\f[I]LENGTH\f[R]
+Length in bytes to dump from the specified metadata item.
+Only accepted in combination with \f[B]--offset\f[R].
+.TP
+\f[B]--offset\f[R]=\f[I]offset\f[R]
+Offset in bytes into the specified metadata item at which to start dumping.
+Only accepted in combination with \f[B]--length\f[R].
+.
+.SS \f[B]fsverity enable\f[R] [\f[I]OPTION\f[R]\&...] \f[I]FILE\f[R]
+.PP
+Enable fs-verity on the specified file.
+This will only work if the filesystem supports fs-verity.
+.PP
+Options accepted by \f[B]fsverity enable\f[R]:
+.TP
+\f[B]--block-size\f[R]=\f[I]BLOCK_SIZE\f[R]
+Same as for \f[B]fsverity digest\f[R].
+.TP
+\f[B]--hash-alg\f[R]=\f[I]HASH_ALG\f[R]
+Same as for \f[B]fsverity digest\f[R].
+.TP
+\f[B]--salt\f[R]=\f[I]SALT\f[R]
+Same as for \f[B]fsverity digest\f[R].
+.TP
+\f[B]--signature\f[R]=\f[I]SIGFILE\f[R]
+Specifies the built-in signature to apply to the file.
+\f[I]SIGFILE\f[R] must be a file that contains the signature in PKCS#7 DER
+format, e.g.\ as produced by the \f[B]fsverity sign\f[R] command.
+.RS
+.PP
+Note that this option is only needed if the Linux kernel\[cq]s fs-verity
+built-in signature verification support is being used.
+It is not needed if the signatures will be verified in userspace, as in that
+case the signatures should be stored separately.
+.RE
+.
+.SS \f[B]fsverity measure\f[R] \f[I]FILE\f[R]\&...
+.PP
+Display the fs-verity digest of the given file(s).
+The files must have fs-verity enabled.
+The output will be the same as \f[B]fsverity digest\f[R] with the appropriate
+parameters, but \f[B]fsverity measure\f[R] will take constant time for each file
+regardless of the size of the file.
+.PP
+\f[B]fsverity measure\f[R] does not accept any options.
+.
+.SS \f[B]fsverity sign\f[R] [\f[I]OPTION\f[R]\&...] \f[I]FILE\f[R] \f[I]OUT_SIGFILE\f[R]
+.PP
+Sign the given file for fs-verity, in a way that is compatible with the Linux
+kernel\[cq]s fs-verity built-in signature verification support.
+The signature will be written to \f[I]OUT_SIGFILE\f[R] in PKCS#7 DER format.
+.PP
+The private key can be specified either by key file or by PKCS#11 token.
+To use a key file, provide \f[B]--key\f[R] and optionally \f[B]--cert\f[R].
+To use a PKCS#11 token, provide \f[B]--pkcs11-engine\f[R],
+\f[B]--pkcs11-module\f[R], \f[B]--cert\f[R], and optionally
+\f[B]--pkcs11-keyid\f[R].
+PKCS#11 token support is unavailable when fsverity-utils was built with
+BoringSSL rather than OpenSSL.
+.PP
+\f[B]fsverity sign\f[R] should only be used if you need compatibility with
+fs-verity built-in signatures.
+It is not the only way to do signatures with fs-verity.
+For more information, see the fsverity-utils README.
+.PP
+Options accepted by \f[B]fsverity sign\f[R]:
+.TP
+\f[B]--block-size\f[R]=\f[I]BLOCK_SIZE\f[R]
+Same as for \f[B]fsverity digest\f[R].
+.TP
+\f[B]--cert\f[R]=\f[I]CERTFILE\f[R]
+Specifies the file that contains the certificate, in PEM format.
+This option is required if \f[I]KEYFILE\f[R] contains only the private key and
+not also the certificate, or if a PKCS#11 token is used.
+.TP
+\f[B]--hash-alg\f[R]=\f[I]HASH_ALG\f[R]
+Same as for \f[B]fsverity digest\f[R].
+.TP
+\f[B]--key\f[R]=\f[I]KEYFILE\f[R]
+Specifies the file that contains the private key, in PEM format.
+This option is required when not using a PKCS#11 token.
+.TP
+\f[B]--out-descriptor\f[R]=\f[I]FILE\f[R]
+Same as for \f[B]fsverity digest\f[R].
+.TP
+\f[B]--out-merkle-tree\f[R]=\f[I]FILE\f[R]
+Same as for \f[B]fsverity digest\f[R].
+.TP
+\f[B]--pkcs11-engine\f[R]=\f[I]SOFILE\f[R]
+Specifies the path to the OpenSSL PKCS#11 engine file.
+This typically will be a path to the libp11 .so file.
+This option is required when using a PKCS#11 token.
+.TP
+\f[B]--pkcs11-keyid\f[R]=\f[I]KEYID\f[R]
+Specifies the key identifier in the form of a PKCS#11 URI.
+If not provided, the default key associated with the token is used.
+This option is only applicable when using a PKCS#11 token.
+.TP
+\f[B]--pkcs11-module\f[R]=\f[I]SOFILE\f[R]
+Specifies the path to the PKCS#11 token-specific module library.
+This option is required when using a PKCS#11 token.
+.TP
+\f[B]--salt\f[R]=\f[I]SALT\f[R]
+Same as for \f[B]fsverity digest\f[R].
+.
+.
+.SH SEE ALSO
+.PP
+For example commands and more information, see the README file for
+fsverity-utils (https://git.kernel.org/pub/scm/fs/fsverity/fsverity-utils.git/tree/README.md).
+.PP
+Also see the kernel documentation for
+fs-verity (https://www.kernel.org/doc/html/latest/filesystems/fsverity.html).
deleted file mode 100644
@@ -1,220 +0,0 @@
-% FSVERITY(1) fsverity-utils v1.5 | User Commands
-%
-% February 2022
-
-# NAME
-
-fsverity - userspace utility for fs-verity
-
-# SYNOPSIS
-**fsverity digest** [*OPTION*...] *FILE*... \
-**fsverity dump_metadata** [*OPTION*...] *TYPE* *FILE* \
-**fsverity enable** [*OPTION*...] *FILE* \
-**fsverity measure** *FILE*... \
-**fsverity sign** [*OPTION*...] *FILE* *OUT_SIGFILE*
-
-# DESCRIPTION
-
-**fsverity** is a userspace utility for fs-verity. fs-verity is a Linux kernel
-filesystem feature that does transparent on-demand verification of the contents
-of read-only files using Merkle trees.
-
-**fsverity** can enable fs-verity on files, retrieve the digests of fs-verity
-files, and sign files for use with fs-verity (among other things).
-**fsverity**'s functionality is divided among various subcommands.
-
-This manual page focuses on documenting all **fsverity** subcommands and
-options. For examples and more information about the fs-verity kernel feature,
-see the references at the end of this page.
-
-# OPTIONS
-
-**fsverity** always accepts the following options:
-
-**\-\-help**
-: Show the help, for either one subcommand or for all subcommands.
-
-**\-\-version**
-: Show the version of fsverity-utils.
-
-# SUBCOMMANDS
-
-## **fsverity digest** [*OPTION*...] *FILE*...
-
-Compute the fs-verity digest of the given file(s). This is mainly intended to
-used in preparation for signing the digest. In some cases **fsverity sign**
-can be used instead to digest and sign the file in one step.
-
-Options accepted by **fsverity digest**:
-
-**\-\-block-size**=*BLOCK_SIZE*
-: The Merkle tree block size (in bytes) to use. This must be a power of 2 and
- at least twice the size of the hash values.
-
- Note that the Linux kernel implementations of fs-verity place further
- restrictions on the Merkle tree block size. Linux v6.2 and earlier require
- that the Merkle tree block size be equal to both the system page size and
- the filesystem block size. These values are often 4096. Linux v6.3 and
- later are more flexible; they require that the Merkle tree block size be a
- power of 2 that is greater than or equal to 1024 and less than or equal to
- the system page size and the filesystem block size. The default value of
- this option is 4096.
-
-**\-\-compact**
-: When printing the file digest, only print the actual digest hex string;
- don't print the algorithm name and filename.
-
-**\-\-for-builtin-sig**
-: Format the file digest in a way that is compatible with the Linux kernel's
- fs-verity built-in signature verification support. This means formatting it
- as a `struct fsverity_formatted_digest`. Use this option if you are using
- built-in signatures but are not using **fsverity sign** to do the signing.
-
-**\-\-hash-alg**=*HASH_ALG*
-: The hash algorithm to use to build the Merkle tree. Valid options are
- sha256 and sha512. Default is sha256.
-
-**\-\-out-merkle-tree**=*FILE*
-: Write the computed Merkle tree to the given file. The Merkle tree layout
- will be the same as that used by the Linux kernel's
- `FS_IOC_READ_VERITY_METADATA` ioctl.
-
- Normally this option isn't useful, but it can be needed in cases where the
- fs-verity metadata needs to be consumed by something other than one of the
- native Linux kernel implementations of fs-verity. This is not needed for
- file signing.
-
-**\-\-out-descriptor**=*FILE*
-: Write the computed fs-verity descriptor to the given file.
-
- Normally this option isn't useful, but it can be needed in cases where the
- fs-verity metadata needs to be consumed by something other than one of the
- native Linux kernel implementations of fs-verity. This is not needed for
- file signing.
-
-**\-\-salt**=*SALT*
-: The salt to use in the Merkle tree, as a hex string. The salt is a value
- that is prepended to every hashed block; it can be used to personalize the
- hashing for a particular file or device. The default is no salt.
-
-## **fsverity dump_metadata** [*OPTION*...] *TYPE* *FILE*
-
-Dump the fs-verity metadata of the given file. The file must have fs-verity
-enabled, and the filesystem must support the `FS_IOC_READ_VERITY_METADATA` ioctl
-(it was added in Linux v5.12). This subcommand normally isn't useful, but it
-can be useful in cases where a userspace server program is serving a verity file
-to a client which implements fs-verity compatible verification.
-
-*TYPE* may be "merkle\_tree", "descriptor", or "signature", indicating the type
-of metadata to dump. "signature" refers to the built-in signature, if present;
-userspace-managed signatures will not be included.
-
-Options accepted by **fsverity dump_metadata**:
-
-**\-\-length**=*LENGTH*
-: Length in bytes to dump from the specified metadata item. Only accepted in
- combination with **\-\-offset**.
-
-**\-\-offset**=*offset*
-: Offset in bytes into the specified metadata item at which to start dumping.
- Only accepted in combination with **\-\-length**.
-
-## **fsverity enable** [*OPTION*...] *FILE*
-
-Enable fs-verity on the specified file. This will only work if the filesystem
-supports fs-verity.
-
-Options accepted by **fsverity enable**:
-
-**\-\-block-size**=*BLOCK_SIZE*
-: Same as for **fsverity digest**.
-
-**\-\-hash-alg**=*HASH_ALG*
-: Same as for **fsverity digest**.
-
-**\-\-salt**=*SALT*
-: Same as for **fsverity digest**.
-
-**\-\-signature**=*SIGFILE*
-: Specifies the built-in signature to apply to the file. *SIGFILE* must be a
- file that contains the signature in PKCS#7 DER format, e.g. as produced by
- the **fsverity sign** command.
-
- Note that this option is only needed if the Linux kernel's fs-verity
- built-in signature verification support is being used. It is not needed if
- the signatures will be verified in userspace, as in that case the signatures
- should be stored separately.
-
-## **fsverity measure** *FILE*...
-
-Display the fs-verity digest of the given file(s). The files must have
-fs-verity enabled. The output will be the same as **fsverity digest** with
-the appropriate parameters, but **fsverity measure** will take constant time
-for each file regardless of the size of the file.
-
-**fsverity measure** does not accept any options.
-
-## **fsverity sign** [*OPTION*...] *FILE* *OUT_SIGFILE*
-
-Sign the given file for fs-verity, in a way that is compatible with the Linux
-kernel's fs-verity built-in signature verification support. The signature will
-be written to *OUT_SIGFILE* in PKCS#7 DER format.
-
-The private key can be specified either by key file or by PKCS#11 token. To use
-a key file, provide **\-\-key** and optionally **\-\-cert**. To use a PKCS#11
-token, provide **\-\-pkcs11-engine**, **\-\-pkcs11-module**, **\-\-cert**, and
-optionally **\-\-pkcs11-keyid**. PKCS#11 token support is unavailable when
-fsverity-utils was built with BoringSSL rather than OpenSSL.
-
-**fsverity sign** should only be used if you need compatibility with fs-verity
-built-in signatures. It is not the only way to do signatures with fs-verity.
-For more information, see the fsverity-utils README.
-
-Options accepted by **fsverity sign**:
-
-**\-\-block-size**=*BLOCK_SIZE*
-: Same as for **fsverity digest**.
-
-**\-\-cert**=*CERTFILE*
-: Specifies the file that contains the certificate, in PEM format. This
- option is required if *KEYFILE* contains only the private key and not also
- the certificate, or if a PKCS#11 token is used.
-
-**\-\-hash-alg**=*HASH_ALG*
-: Same as for **fsverity digest**.
-
-**\-\-key**=*KEYFILE*
-: Specifies the file that contains the private key, in PEM format. This
- option is required when not using a PKCS#11 token.
-
-**\-\-out-descriptor**=*FILE*
-: Same as for **fsverity digest**.
-
-**\-\-out-merkle-tree**=*FILE*
-: Same as for **fsverity digest**.
-
-**\-\-pkcs11-engine**=*SOFILE*
-: Specifies the path to the OpenSSL PKCS#11 engine file. This typically will
- be a path to the libp11 .so file. This option is required when using a
- PKCS#11 token.
-
-**\-\-pkcs11-keyid**=*KEYID*
-: Specifies the key identifier in the form of a PKCS#11 URI. If not provided,
- the default key associated with the token is used. This option is only
- applicable when using a PKCS#11 token.
-
-**\-\-pkcs11-module**=*SOFILE*
-: Specifies the path to the PKCS#11 token-specific module library. This
- option is required when using a PKCS#11 token.
-
-**\-\-salt**=*SALT*
-: Same as for **fsverity digest**.
-
-# SEE ALSO
-
-For example commands and more information, see the
-[README file for
-fsverity-utils](https://git.kernel.org/pub/scm/fs/fsverity/fsverity-utils.git/tree/README.md).
-
-Also see the [kernel documentation for
-fs-verity](https://www.kernel.org/doc/html/latest/filesystems/fsverity.html).
@@ -52,11 +52,11 @@ prepare_release()
include/libfsverity.h
sed -E -i "/Version:/s/[0-9]+\.[0-9]+/$VERS/" \
lib/libfsverity.pc.in
sed -E -i -e "/^% /s/fsverity-utils v[0-9]+(\.[0-9]+)+/fsverity-utils v$VERS/" \
-e "/^% /s/[a-zA-Z]+ 2[0-9]{3}/$month $year/" \
- man/*.[1-9].md
+ man/*.[1-9]
git commit -a --signoff --message="v$VERS"
git tag --sign "v$VERS" --message="$PKG"
git archive "v$VERS" --prefix="$PKG/" > "$PKG.tar"
tar xf "$PKG.tar"
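Review bot: The two sed expressions above the changed glob are still addressed with `/^% /`, which matches nothing in the new roff page. That address matched the pandoc title block of the deleted `.md` source, but the roff page keeps version and date on its `.TH` line. As written, prepare_release would commit and sign a release tag whose man page still carries the old version and month, with no error, because sed exits 0 when no line matches. Re-anchor both expressions on the title line: `-e "/^\.TH /s/fsverity-utils v[0-9]+(\.[0-9]+)+/fsverity-utils v$VERS/"` and `-e "/^\.TH /s/[a-zA-Z]+ 2[0-9]{3}/$month $year/"`. prepare_release starts and ends outside this hunk.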