Provided by:
signify-openbsd_13-1_i386 
NAME
signify-openbsd — cryptographically sign and verify files
SYNOPSIS
signify-openbsd -C [-q] -p pubkey -x sigfile [file ...]
signify-openbsd -G [-n] [-c comment] -p pubkey -s seckey
signify-openbsd -S [-e] [-x sigfile] -s seckey -m message
signify-openbsd -V [-eq] [-x sigfile] -p pubkey -m message
DESCRIPTION
The signify-openbsd utility creates and verifies cryptographic
signatures. A signature verifies the integrity of a message. The mode
of operation is selected with the following options:
-C Verify a signed checksum list, and then verify the checksum
for each file. If no files are specified, all of them are
checked. sigfile should be the signed output of sha256(1).
-G Generate a new key pair.
-S Sign the specified message file and create a signature.
-V Verify the message and signature match.
The other options are as follows:
-c comment Specify the comment to be added during key generation.
-e When signing, embed the message after the signature. When
verifying, extract the message from the signature. (This
requires that the signature was created using -e and
creates a new message file as output.)
-m message When signing, the file containing the message to sign.
When verifying, the file containing the message to verify.
When verifying with -e, the file to create.
-n Do not ask for a passphrase during key generation.
Otherwise, signify-openbsd will prompt the user for a
passphrase to protect the secret key.
-p pubkey Public key produced by -G, and used by -V to check a
signature.
-q Quiet mode. Suppress informational output.
-s seckey Secret (private) key produced by -G, and used by -S to sign
a message.
-x sigfile The signature file to create or verify. The default is
message.sig.
The key and signature files created by signify-openbsd have the same
format. The first line of the file is a free form text comment that may
be edited, so long as it does not exceed a single line. The second line
of the file is the actual key or signature base64 encoded.
EXIT STATUS
The signify-openbsd utility exits 0 on success, and >0 if an error
occurs. It may fail because of one of the following reasons:
· Some necessary files do not exist.
· Entered passphrase is incorrect.
· The message file was corrupted and its signature does not match.
· The message file is too large.
EXAMPLES
Create a new key pair:
$ signify-openbsd -G -p newkey.pub -s newkey.sec
Sign a file, specifying a signature name:
$ signify-openbsd -S -s key.sec -m message.txt -x msg.sig
Verify a signature, using the default signature name:
$ signify-openbsd -V -p key.pub -m generalsorders.txt
Verify a release directory containing SHA256.sig and a full set of
release files:
$ signify-openbsd -C -p /etc/signify/openbsd-56-base.pub -x SHA256.sig
Note that for non-OpenBSD operating systems, you will have to get the
signing key yourself.
Verify a bsd.rd before an upgrade:
$ signify-openbsd -C -p /etc/signify/openbsd-56-base.pub -x SHA256.sig bsd.rd
HISTORY
The signify-openbsd command first appeared in OpenBSD 5.5, but was
renamed to signify-openbsd for Debian because another binary named
signify already existed in Debian's repositories.
AUTHORS
Ted Unangst ⟨tedu@openbsd.org⟩