Provided by: signify-openbsd_32-1.1_amd64
NAME
signify-openbsd — cryptographically sign and verify files
SYNOPSIS
signify-openbsd -C [-q] [-p pubkey] [-t keytype] -x sigfile [file ...] signify-openbsd -G [-n] [-c comment] -p pubkey -s seckey signify-openbsd -S [-enz] [-x sigfile] -s seckey -m message signify-openbsd -V [-eqz] [-p pubkey] [-t keytype] [-x sigfile] -m message
DESCRIPTION
The signify-openbsd utility creates and verifies cryptographic signatures. A signature verifies the integrity of a message. The mode of operation is selected with the following options: -C Verify a signed checksum list, and then verify the checksum for each file. If no files are specified, all of them are checked. sigfile should be the signed output of sha256(1). -G Generate a new key pair. Keynames should follow the convention of keyname.pub and keyname.sec for the public and secret keys, respectively. -S Sign the specified message file and create a signature. -V Verify the message and signature match. The other options are as follows: -c comment Specify the comment to be added during key generation. -e When signing, embed the message after the signature. When verifying, extract the message from the signature. (This requires that the signature was created using -e and creates a new message file as output.) -m message When signing, the file containing the message to sign. When verifying, the file containing the message to verify. When verifying with -e, the file to create. -n When generating a key pair, do not ask for a passphrase. Otherwise, signify-openbsd will prompt the user for a passphrase to protect the secret key. When signing with -z, store a zero time stamp in the gzip(1) header. -p pubkey Public key produced by -G, and used by -V to check a signature. -q Quiet mode. Suppress informational output. -s seckey Secret (private) key produced by -G, and used by -S to sign a message. -t keytype When deducing the correct key to check a signature, make sure the actual key matches /etc/signify/*-keytype.pub. -x sigfile The signature file to create or verify. The default is message.sig. -z Sign and verify gzip(1) archives, where the signing data is embedded in the gzip(1) header. The key and signature files created by signify-openbsd have the same format. The first line of the file is a free form text comment that may be edited, so long as it does not exceed a single line. Signature comments will be generated based on the name of the secret key used for signing. This comment can then be used as a hint for the name of the public key when verifying. The second line of the file is the actual key or signature base64 encoded.
EXIT STATUS
The signify-openbsd utility exits 0 on success, and >0 if an error occurs. It may fail because of one of the following reasons: • Some necessary files do not exist. • Entered passphrase is incorrect. • The message file was corrupted and its signature does not match. • The message file is too large.
EXAMPLES
Create a new key pair: $ signify-openbsd -G -p newkey.pub -s newkey.sec Sign a file, specifying a signature name: $ signify-openbsd -S -s key.sec -m message.txt -x msg.sig Verify a signature, using the default signature name: $ signify-openbsd -V -p key.pub -m generalsorders.txt Verify a release directory containing SHA256.sig and a full set of release files: $ signify-openbsd -C -p /etc/signify/openbsd-76-base.pub -x SHA256.sig Verify a bsd.rd before an upgrade: $ signify-openbsd -C -p /etc/signify/openbsd-76-base.pub -x SHA256.sig bsd.rd Sign a gzip archive: $ signify-openbsd -Sz -s key-arc.sec -m in.tgz -x out.tgz Verify a gzip pipeline: $ ftp url | signify-openbsd -Vz -t arc | tar ztf -
SEE ALSO
gzip(1), pkg_add(1), sha256(1), fw_update(8), sysupgrade(8)
HISTORY
The signify-openbsd command first appeared in OpenBSD 5.5.
AUTHORS
Ted Unangst <tedu@openbsd.org> and Marc Espie <espie@openbsd.org>.