SYNOPSIS
signify-openbsd -C [-q ] -p pubkey -x sigfile [file ... ]signify-openbsd -G [-n ] [-c comment ] -p pubkey -s seckey
signify-openbsd -S [-e ] [-x sigfile ] -s seckey -m message
signify-openbsd -V [-eq ] [-x sigfile ] -p pubkey -m message
DESCRIPTION
The signify-openbsd utility creates and verifies cryptographic signatures. A signature verifies the integrity of a message The mode of operation is selected with the following options:- -C
- Verify a signed checksum list, and then verify the checksum for each file. If no files are specified, all of them are checked. sigfile should be the signed output of sha256(1).
- -G
- Generate a new key pair.
- -S
- Sign the specified message file and create a signature.
- -V
- Verify the message and signature match.
The other options are as follows:
- -c comment
- Specify the comment to be added during key generation.
- -e
- When signing, embed the message after the signature. When verifying, extract the message from the signature. (This requires that the signature was created using -e and creates a new message file as output.)
- -m message
- When signing, the file containing the message to sign. When verifying, the file containing the message to verify. When verifying with -e the file to create.
- -n
- Do not ask for a passphrase during key generation. Otherwise, signify-openbsd will prompt the user for a passphrase to protect the secret key.
- -p pubkey
- Public key produced by -G and used by -V to check a signature.
- -q
- Quiet mode. Suppress informational output.
- -s seckey
- Secret (private) key produced by -G and used by -S to sign a message.
- -x sigfile
- The signature file to create or verify. The default is message .sig
The key and signature files created by signify-openbsd have the same format. The first line of the file is a free form text comment that may be edited, so long as it does not exceed a single line. The second line of the file is the actual key or signature base64 encoded.
EXIT STATUS
Ex -std signify-openbsd It may fail because of one of the following reasons:
- Some necessary files do not exist.
- Entered passphrase is incorrect.
- The message file was corrupted and its signature does not match.
- The message file is too large.
EXAMPLES
Create a new key pair:$ signify-openbsd -G -p newkey.pub -s newkey.sec
Sign a file, specifying a signature name:
$ signify-openbsd -S -s key.sec -m message.txt -x msg.sig
Verify a signature, using the default signature name:
$ signify-openbsd -V -p key.pub -m generalsorders.txt
Verify a release directory containing SHA256.sig and a full set of release files:
$ signify-openbsd -C -p /etc/signify/openbsd-56-base.pub -x SHA256.sig Note that for non-OpenBSD operating systems, you will have to get the signing key yourself.
Verify a bsd.rd before an upgrade:
$ signify-openbsd -C -p /etc/signify/openbsd-56-base.pub -x SHA256.sig bsd.rd