|SIGNIFY-OPENBSD(1)||General Commands Manual||SIGNIFY-OPENBSD(1)|
signify-openbsdutility creates and verifies cryptographic signatures. A signature verifies the integrity of a message. The mode of operation is selected with the following options:
- Verify a signed checksum list, and then verify the checksum for each file. If no files are specified, all of them are checked. sigfile should be the signed output of sha256(1).
- Generate a new key pair. Keynames should follow the convention of keyname.pub and keyname.sec for the public and secret keys, respectively.
- Sign the specified message file and create a signature.
- Verify the message and signature match.
The other options are as follows:
- Specify the comment to be added during key generation.
- When signing, embed the message after the signature. When verifying,
extract the message from the signature. (This requires that the signature
was created using
-eand creates a new message file as output.)
- When signing, the file containing the message to sign. When verifying, the
file containing the message to verify. When verifying with
-e, the file to create.
- When generating a key pair, do not ask for a passphrase. Otherwise,
signify-openbsdwill prompt the user for a passphrase to protect the secret key. When signing with
-z, store a zero time stamp in the gzip(1) header.
- Public key produced by
-G, and used by
-Vto check a signature.
- Quiet mode. Suppress informational output.
- Secret (private) key produced by
-G, and used by
-Sto sign a message.
- When deducing the correct key to check a signature, make sure the actual key matches /etc/signify-openbsd/*-keytype.pub.
- The signature file to create or verify. The default is message.sig.
- Sign and verify gzip(1) archives, where the signing data is embedded in the gzip(1) header.
The key and signature files created by
signify-openbsd have the same format. The first line
of the file is a free form text comment that may be edited, so long as it
does not exceed a single line. Signature comments will be generated based on
the name of the secret key used for signing. This comment can then be used
as a hint for the name of the public key when verifying. The second line of
the file is the actual key or signature base64 encoded.
signify-openbsdutility exits 0 on success, and >0 if an error occurs. It may fail because of one of the following reasons:
- Some necessary files do not exist.
- Entered passphrase is incorrect.
- The message file was corrupted and its signature does not match.
- The message file is too large.
EXAMPLES¶Create a new key pair:
$ signify-openbsd -G -p newkey.pub -s newkey.sec
Sign a file, specifying a signature name:
$ signify-openbsd -S -s key.sec -m message.txt -x msg.sig
Verify a signature, using the default signature name:
$ signify-openbsd -V -p key.pub -m generalsorders.txt
Verify a release directory containing SHA256.sig and a full set of release files:
$ signify-openbsd -C -p /etc/signify/openbsd-66-base.pub -x SHA256.sig
Verify a bsd.rd before an upgrade:
$ signify-openbsd -C -p /etc/signify/openbsd-66-base.pub -x SHA256.sig bsd.rd
Sign a gzip archive:
$ signify-openbsd -Sz -s key-arc.sec -m in.tgz -x out.tgz
Verify a gzip pipeline:
$ ftp url | signify-openbsd -Vz -t arc | tar ztf -
SEE ALSO¶fw_update(1), gzip(1), pkg_add(1), sha256(1)
signify-openbsdcommand first appeared in OpenBSD 5.5.
AUTHORS¶Ted Unangst <firstname.lastname@example.org> and Marc Espie <email@example.com>.
|March 23, 2019||Linux 4.19.0-10-amd64|