table of contents
other versions
- stretch 13-1+b1
- testing 24-1
- unstable 24-1
- experimental 25-1
SIGNIFY-OPENBSD(1) | General Commands Manual | SIGNIFY-OPENBSD(1) |
NAME¶
signify-openbsd
—
cryptographically sign and verify files
SYNOPSIS¶
signify-openbsd |
-C [-q ]
-p pubkey
-x sigfile
[file ...] |
signify-openbsd |
-G [-n ]
[-c comment]
-p pubkey
-s seckey |
signify-openbsd |
-S [-e ]
[-x sigfile]
-s seckey
-m message |
signify-openbsd |
-V [-eq ]
[-x sigfile]
-p pubkey
-m message |
DESCRIPTION¶
Thesignify-openbsd
utility creates and verifies
cryptographic signatures. A signature verifies the integrity of a
message. The mode of operation is selected with the
following options:
-C
- Verify a signed checksum list, and then verify the checksum for each file. If no files are specified, all of them are checked. sigfile should be the signed output of sha256(1).
-G
- Generate a new key pair.
-S
- Sign the specified message file and create a signature.
-V
- Verify the message and signature match.
The other options are as follows:
-c
comment- Specify the comment to be added during key generation.
-e
- When signing, embed the message after the signature. When verifying,
extract the message from the signature. (This requires that the signature
was created using
-e
and creates a new message file as output.) -m
message- When signing, the file containing the message to sign. When verifying, the
file containing the message to verify. When verifying with
-e
, the file to create. -n
- Do not ask for a passphrase during key generation. Otherwise,
signify-openbsd
will prompt the user for a passphrase to protect the secret key. -p
pubkey- Public key produced by
-G
, and used by-V
to check a signature. -q
- Quiet mode. Suppress informational output.
-s
seckey- Secret (private) key produced by
-G
, and used by-S
to sign a message. -x
sigfile- The signature file to create or verify. The default is message.sig.
The key and signature files created by
signify-openbsd
have the same format. The first line
of the file is a free form text comment that may be edited, so long as it
does not exceed a single line. The second line of the file is the actual key
or signature base64 encoded.
EXIT STATUS¶
Thesignify-openbsd
utility exits 0 on success,
and >0 if an error occurs. It may fail because of one of the
following reasons:
- Some necessary files do not exist.
- Entered passphrase is incorrect.
- The message file was corrupted and its signature does not match.
- The message file is too large.
EXAMPLES¶
Create a new key pair:$ signify-openbsd -G -p newkey.pub -s
newkey.sec
Sign a file, specifying a signature name:
$ signify-openbsd -S -s key.sec -m
message.txt -x msg.sig
Verify a signature, using the default signature name:
$ signify-openbsd -V -p key.pub -m
generalsorders.txt
Verify a release directory containing SHA256.sig and a full set of release files:
$ signify-openbsd -C -p /etc/signify/openbsd-56-base.pub -x SHA256.sig Note that for non-OpenBSD operating systems, you will have to get the signing key yourself.
Verify a bsd.rd before an upgrade:
$ signify-openbsd -C -p /etc/signify/openbsd-56-base.pub -x SHA256.sig bsd.rd
HISTORY¶
Thesignify-openbsd
command first appeared in
OpenBSD 5.5, but was renamed to
signify-openbsd
for Debian because another binary
named signify
already existed in Debian's
repositories.
AUTHORS¶
Ted Unangst <tedu@openbsd.org>July 14, 2015 | Linux 4.9.0-9-amd64 |