Provided by: signify-openbsd_13-1_amd64

NAME

     signify-openbsd — cryptographically sign and verify files

SYNOPSIS

     signify-openbsd -C [-q] -p pubkey -x sigfile [file ...]
     signify-openbsd -G [-n] [-c comment] -p pubkey -s seckey
     signify-openbsd -S [-e] [-x sigfile] -s seckey -m message
     signify-openbsd -V [-eq] [-x sigfile] -p pubkey -m message

DESCRIPTION

     The signify-openbsd utility creates and verifies cryptographic signatures.  A signature
     verifies the integrity of a message.  The mode of operation is selected with the following
     options:

     -C          Verify a signed checksum list, and then verify the checksum for each file.  If
                 no files are specified, all of them are checked.  sigfile should be the signed
                 output of sha256(1).

     -G          Generate a new key pair.

     -S          Sign the specified message file and create a signature.

     -V          Verify the message and signature match.

     The other options are as follows:

     -c comment    Specify the comment to be added during key generation.

     -e            When signing, embed the message after the signature.  When verifying, extract
                   the message from the signature.  (This requires that the signature was created
                   using -e and creates a new message file as output.)

     -m message    When signing, the file containing the message to sign.  When verifying, the
                   file containing the message to verify.  When verifying with -e, the file to
                   create.

     -n            Do not ask for a passphrase during key generation.  Otherwise, signify-openbsd
                   will prompt the user for a passphrase to protect the secret key.

     -p pubkey     Public key produced by -G, and used by -V to check a signature.

     -q            Quiet mode.  Suppress informational output.

     -s seckey     Secret (private) key produced by -G, and used by -S to sign a message.

     -x sigfile    The signature file to create or verify.  The default is message.sig.

     The key and signature files created by signify-openbsd have the same format.  The first line
     of the file is a free form text comment that may be edited, so long as it does not exceed a
     single line.  The second line of the file is the actual key or signature base64 encoded.
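
     The two-line file format described above, as an added example (not part of the original
     manual page or of signify's own code): a Python parser that also splits off a message
     embedded with -e.  The "untrusted comment: " prefix, the blob lengths and the key-number
     offsets come from signify's on-disk layout rather than from this page; the sample keys
     and signature are constructed filler bytes.

```python
import base64
from typing import NamedTuple

# Facts from signify's on-disk layout, not stated on this page: the comment
# line starts with a fixed prefix, and the decoded blob is a 2-byte "Ed" tag,
# an 8-byte key number, then the key (32 bytes) or signature (64 bytes).
PREFIX = b"untrusted comment: "
KINDS = {42: "public key", 74: "signature", 104: "secret key"}

class SignifyFile(NamedTuple):
    comment: str     # free-form and not covered by the signature
    kind: str
    keynum: bytes    # ties a signature to the key pair that made it
    embedded: bytes  # message after the signature when -e was used

def parse_signify(data: bytes) -> SignifyFile:
    comment, nl1, rest = data.partition(b"\n")
    b64, nl2, embedded = rest.partition(b"\n")
    if not (nl1 and nl2 and comment.startswith(PREFIX)):
        raise ValueError("expected a comment line, then a base64 line")
    blob = base64.b64decode(b64, validate=True)  # rejects stray characters
    if len(blob) not in KINDS or blob[:2] != b"Ed":
        raise ValueError("not a signify key or signature")
    kind = KINDS[len(blob)]
    # Secret keys store KDF parameters first, so the key number sits later.
    keynum = blob[32:40] if kind == "secret key" else blob[2:10]
    text = comment[len(PREFIX):].decode("utf-8", "replace")
    return SignifyFile(text, kind, keynum, embedded)

def key_numbers_match(sig: SignifyFile, pub: SignifyFile) -> bool:
    """Pre-check that -p names the right key; not a signature verification."""
    return (sig.kind, pub.kind) == ("signature", "public key") \
        and sig.keynum == pub.keynum

def make_sample(comment: bytes, blob: bytes, tail: bytes = b"") -> bytes:
    return PREFIX + comment + b"\n" + base64.b64encode(blob) + b"\n" + tail

# Constructed sample data: filler bytes, not real keys or signatures.
KEYNUM = bytes(range(8))
PUB = make_sample(b"demo public key", b"Ed" + KEYNUM + bytes(32))
SIG = make_sample(b"demo signature", b"Ed" + KEYNUM + bytes(64), b"message body\n")

if __name__ == "__main__":
    pub, sig = parse_signify(PUB), parse_signify(SIG)
    print(pub.kind, sig.kind, key_numbers_match(sig, pub), sig.embedded)
```

     A key-number match only shows that the signature names the same key pair as the public
     key file; the signature itself is still checked with signify-openbsd -V or -C.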

EXIT STATUS

     The signify-openbsd utility exits 0 on success, and >0 if an error occurs.  It may fail
     because of one of the following reasons:

     ·   Some necessary files do not exist.
     ·   Entered passphrase is incorrect.
     ·   The message file was corrupted and its signature does not match.
     ·   The message file is too large.

EXAMPLES

     Create a new key pair:
           $ signify-openbsd -G -p newkey.pub -s newkey.sec

     Sign a file, specifying a signature name:
           $ signify-openbsd -S -s key.sec -m message.txt -x msg.sig

     Verify a signature, using the default signature name:
           $ signify-openbsd -V -p key.pub -m generalsorders.txt

     Verify a release directory containing SHA256.sig and a full set of release files:
           $ signify-openbsd -C -p /etc/signify/openbsd-56-base.pub -x SHA256.sig

     Note that for non-OpenBSD operating systems, you will have to get the signing key
     yourself.

     Verify a bsd.rd before an upgrade:
           $ signify-openbsd -C -p /etc/signify/openbsd-56-base.pub -x SHA256.sig bsd.rd

HISTORY

     The command first appeared in OpenBSD 5.5 under the name signify.  It was renamed to
     signify-openbsd for Debian because another binary named signify already existed in
     Debian's repositories.

AUTHORS

     Ted Unangst <tedu@openbsd.org>