The behaviour of pkg_sign acts as if -i is always specified and won't sign/resign a package if it exists in the output directory.
In OpenBSD/PkgSign.pm sign_existing_package $state->opt('i') path is always taken. Does this come from some shared code setting a default interactive level for pkg_add's different -i option? $ pkg_info -v ./hexedit-1.2.12.tgz ... @signer openbsd-60-pkg @digital-signature signify:2016-06-05T21:12:25Z:RWQHIajRlT2mX2Co5PKjLtNprvAe8NjNXbxUabL3ySmJfLzFxod5BlCn+RvTB2coDd41rJdPJ+Ob/AUQMeAmEFETgJIVpn5YhAo= $ signify -Gn -p test-pkg.pub -s test-pkg.sec $ doas cp test-pkg.pub /etc/signify/ $ pkg_sign -v -D resign -s signify -s test-pkg.sec ./hexedit-1.2.12.tgz Signed ./hexedit-1.2.12.tgz: ok $ pkg_info -v ./hexedit-1.2.12.tgz .. @signer openbsd-60-pkg @digital-signature signify:2016-06-05T21:12:25Z:RWQHIajRlT2mX2Co5PKjLtNprvAe8NjNXbxUabL3ySmJfLzFxod5BlCn+RvTB2coDd41rJdPJ+Ob/AUQMeAmEFETgJIVpn5YhAo= $ mkdir out $ pkg_sign -v -o out -D resign -s signify -s test-pkg.sec ./hexedit-1.2.12.tgz Resigning hexedit-1.2.12 Signed ./hexedit-1.2.12.tgz: ok $ pkg_info -v ./out/hexedit-1.2.12.tgz .. @signer test-pkg @digital-signature signify:2016-06-06T05:47:46Z:RWRwvf7+8LjZmCFrf65S/RhowUT4+QvgVnEHg4ztH6ZIEVWDVWjlGyd/SWvb1apmxcoaO+lNFm+83OhvvuGsTyEGC95pcA2PTgc= $ zfgrep signer ./dtb-4.6.tgz $ $ pkg_sign -v -s signify -s test-pkg.sec ./dtb-4.6.tgz $ zfgrep signer ./dtb-4.6.tgz $