Man page - signify-openbsd(1)

SIGNIFY-OPENBSD(1) General Commands Manual SIGNIFY-OPENBSD(1)

NAME

signify-openbsd — cryptographically sign and verify files

SYNOPSIS

signify-openbsd -C [-q] [-p pubkey] [-t keytype] -x sigfile [file ...]
signify-openbsd -G [-n] [-c comment] -p pubkey -s seckey
signify-openbsd -S [-enz] [-x sigfile] -s seckey -m message
signify-openbsd -V [-eqz] [-p pubkey] [-t keytype] [-x sigfile] -m message

DESCRIPTION

The signify-openbsd utility creates and verifies cryptographic signatures. A signature verifies the integrity of a message. The mode of operation is selected with the following options:

-C

Verify a signed checksum list, and then verify the checksum for each file. If no files are specified, all of them are checked. sigfile should be the signed output of sha256(1).

-G

Generate a new key pair. Keynames should follow the convention of keyname.pub and keyname.sec for the public and secret keys, respectively.

-S

Sign the specified message file and create a signature.

-V

Verify the message and signature match.

The other options are as follows:

-c comment

Specify the comment to be added during key generation.

-e

When signing, embed the message after the signature. When verifying, extract the message from the signature. (This requires that the signature was created using -e and creates a new message file as output.)

-m message

When signing, the file containing the message to sign. When verifying, the file containing the message to verify. When verifying with -e, the file to create.

-n

When generating a key pair, do not ask for a passphrase. Otherwise, signify-openbsd will prompt the user for a passphrase to protect the secret key. When signing with -z, store a zero time stamp in the gzip(1) header.

-p pubkey

Public key produced by -G, and used by -V to check a signature.

-q

Quiet mode. Suppress informational output.

-s seckey

Secret (private) key produced by -G, and used by -S to sign a message.

-t keytype

When deducing the correct key to check a signature, make sure the actual key matches /etc/signify/*-keytype.pub.

-x sigfile

The signature file to create or verify. The default is message.sig.

-z

Sign and verify gzip(1) archives, where the signing data is embedded in the gzip(1) header.

The key and signature files created by signify-openbsd have the same format. The first line of the file is a free form text comment that may be edited, so long as it does not exceed a single line. Signature comments will be generated based on the name of the secret key used for signing. This comment can then be used as a hint for the name of the public key when verifying. The second line of the file is the actual key or signature base64 encoded.
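
The two-line layout described above can be parsed directly, as in this added Python example (not part of the manual or of signify itself). The `untrusted comment: ` prefix and the decoded layout (2-byte algorithm tag `Ed`, 8-byte key id, then a 32-byte public key or 64-byte signature) are not stated on this page and are assumptions here; the sample files are constructed with all-zero bodies.

```python
import base64

COMMENT_PREFIX = "untrusted comment: "  # assumed prefix, not stated on this page
# Assumed decoded layout: 2-byte algorithm tag, 8-byte key id, then the body.
BODY_LEN = {"pubkey": 32, "signature": 64}


def parse_signify(text, kind):
    """Split a signify key or signature file into comment, key id and body."""
    lines = text.split("\n", 2)  # with -e, the message follows line two
    if len(lines) < 2 or not lines[0].startswith(COMMENT_PREFIX):
        raise ValueError("first line is not a comment line")
    try:
        raw = base64.b64decode(lines[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError("second line is not valid base64") from exc
    if len(raw) != 10 + BODY_LEN[kind] or raw[:2] != b"Ed":
        raise ValueError(f"not a well-formed {kind}")
    return {"comment": lines[0][len(COMMENT_PREFIX):],
            "keynum": raw[2:10], "body": raw[10:]}


def key_id_matches(pub_text, sig_text):
    """True if the signature names the same key id as the public key.

    This only selects the key; the signature itself still has to be
    checked with signify-openbsd -V. The comment line plays no part.
    """
    pub = parse_signify(pub_text, "pubkey")
    sig = parse_signify(sig_text, "signature")
    return pub["keynum"] == sig["keynum"]


def make_sample(kind, keynum, comment):
    """Build a constructed file with an all-zero body (not a real key)."""
    payload = b"Ed" + keynum + bytes(BODY_LEN[kind])
    return f"{COMMENT_PREFIX}{comment}\n{base64.b64encode(payload).decode()}\n"


# Constructed samples: key ids and comments are made up for illustration.
PUB = make_sample("pubkey", b"\x01" * 8, "newkey public key")
SIG = make_sample("signature", b"\x01" * 8, "verify with newkey.pub")
EDITED = make_sample("signature", b"\x01" * 8, "comment edited by hand")
OTHER = make_sample("signature", b"\x02" * 8, "verify with newkey.pub")

if __name__ == "__main__":
    for name, sig in (("SIG", SIG), ("EDITED", EDITED), ("OTHER", OTHER)):
        print(name, key_id_matches(PUB, sig))
```

Because the comment sits outside the base64 payload, EDITED still matches PUB while OTHER, which carries the same comment but a different key id, does not.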

EXIT STATUS

The signify-openbsd utility exits 0 on success, and >0 if an error occurs. It may fail because of one of the following reasons:

• Some necessary files do not exist.

• Entered passphrase is incorrect.

• The message file was corrupted and its signature does not match.

• The message file is too large.

EXAMPLES

Create a new key pair:

$ signify-openbsd -G -p newkey.pub -s newkey.sec

Sign a file, specifying a signature name:

$ signify-openbsd -S -s key.sec -m message.txt -x msg.sig

Verify a signature, using the default signature name:

$ signify-openbsd -V -p key.pub -m generalsorders.txt

Verify a release directory containing SHA256.sig and a full set of release files:

$ signify-openbsd -C -p /etc/signify/openbsd-76-base.pub -x SHA256.sig

Verify a bsd.rd before an upgrade:

$ signify-openbsd -C -p /etc/signify/openbsd-76-base.pub -x SHA256.sig bsd.rd

Sign a gzip archive:

$ signify-openbsd -Sz -s key-arc.sec -m in.tgz -x out.tgz

Verify a gzip pipeline:

$ ftp url | signify-openbsd -Vz -t arc | tar ztf -

SEE ALSO

gzip(1), pkg_add(1), sha256(1), fw_update(8), sysupgrade(8)

HISTORY

The signify-openbsd command first appeared in OpenBSD 5.5.

AUTHORS

Ted Unangst <tedu@openbsd.org> and Marc Espie <espie@openbsd.org>.

Debian March 2, 2024 SIGNIFY-OPENBSD(1)