SIGNIFY-OPENBSD(1) | General Commands Manual | SIGNIFY-OPENBSD(1) |
signify
—
cryptographically sign and verify files
signify |
-C [-q ]
[-p pubkey]
[-t keytype]
-x sigfile
[file ...] |
signify |
-G [-n ]
[-c comment]
-p pubkey
-s seckey |
signify |
-S [-enz ]
[-x sigfile]
-s seckey
-m message |
signify |
-V [-eqz ]
[-p pubkey]
[-t keytype]
[-x sigfile]
-m message |
The signify
utility creates and verifies
cryptographic signatures. A signature verifies the integrity of a
message. The mode of operation is selected with the
following options:
-C
-G
-S
-V
The other options are as follows:
-c
comment-e
-e
and creates a new message
file as output.)-m
message-e
, the file to create.-n
signify
will prompt the user for a passphrase to
protect the secret key. When signing with -z
,
store a zero time stamp in the gzip(1) header.-p
pubkey-G
, and used by
-V
to check a signature.-q
-s
seckey-G
, and used by
-S
to sign a message.-t
keytype-x
sigfile-z
The key and signature files created by
signify
have the same format. The first line of the
file is a free form text comment that may be edited, so long as it does not
exceed a single line. Signature comments will be generated based on the name
of the secret key used for signing. This comment can then be used as a hint
for the name of the public key when verifying. The second line of the file
is the actual key or signature base64 encoded.
The signify
utility exits 0 on
success, and >0 if an error occurs. It may fail because of one of
the following reasons:
Create a new key pair:
$ signify -G -p newkey.pub -s
newkey.sec
Sign a file, specifying a signature name:
$ signify -S -s key.sec -m
message.txt -x msg.sig
Verify a signature, using the default signature name:
$ signify -V -p key.pub -m
generalsorders.txt
Verify a release directory containing SHA256.sig and a full set of release files:
$ signify -C -p /etc/signify/openbsd-72-base.pub -x SHA256.sig
Verify a bsd.rd before an upgrade:
$ signify -C -p /etc/signify/openbsd-72-base.pub -x SHA256.sig bsd.rd
Sign a gzip archive:
$ signify -Sz -s key-arc.sec -m in.tgz -x out.tgz
Verify a gzip pipeline:
$ ftp url | signify -Vz -t arc | tar ztf -
The signify
command first appeared in
OpenBSD 5.5.
Ted Unangst <tedu@openbsd.org> and Marc Espie <espie@openbsd.org>.
February 20, 2022 | Ragnarok |