SIGNIFY-OPENBSD(1)        BSD General Commands Manual       SIGNIFY-OPENBSD(1)

NAME
     signify-openbsd -- cryptographically sign and verify files

SYNOPSIS
     signify-openbsd -C [-q] [-p pubkey] [-t keytype] -x sigfile [file ...]
     signify-openbsd -G [-n] [-c comment] -p pubkey -s seckey
     signify-openbsd -S [-enz] [-x sigfile] -s seckey -m message
     signify-openbsd -V [-eqz] [-p pubkey] [-t keytype] [-x sigfile] -m message

DESCRIPTION
     The signify-openbsd utility creates and verifies cryptographic
     signatures.  A signature verifies the integrity of a message.  The mode
     of operation is selected with the following options:

     -C          Verify a signed checksum list, and then verify the checksum
                 for each file.  If no files are specified, all of them are
                 checked.  sigfile should be the signed output of sha256(1).

     -G          Generate a new key pair.  Keynames should follow the
                 convention of keyname.pub and keyname.sec for the public and
                 secret keys, respectively.

     -S          Sign the specified message file and create a signature.

     -V          Verify the message and signature match.

     The other options are as follows:

     -c comment    Specify the comment to be added during key generation.

     -e            When signing, embed the message after the signature.  When
                   verifying, extract the message from the signature.  (This
                   requires that the signature was created using -e and
                   creates a new message file as output.)

     -m message    When signing, the file containing the message to sign.
                   When verifying, the file containing the message to verify.
                   When verifying with -e, the file to create.

     -n            When generating a key pair, do not ask for a passphrase.
                   Otherwise, signify-openbsd will prompt the user for a
                   passphrase to protect the secret key.  When signing with
                   -z, store a zero time stamp in the gzip(1) header.

     -p pubkey     Public key produced by -G, and used by -V to check a
                   signature.

     -q            Quiet mode.  Suppress informational output.

     -s seckey     Secret (private) key produced by -G, and used by -S to sign
                   a message.

     -t keytype    When deducing the correct key to check a signature, make
                   sure the actual key matches /etc/signify/*-keytype.pub.

     -x sigfile    The signature file to create or verify.  The default is
                   message.sig.

     -z            Sign and verify gzip(1) archives, where the signing data is
                   embedded in the gzip(1) header.

     The key and signature files created by signify-openbsd have the same
     format.  The first line of the file is a free form text comment that may
     be edited, so long as it does not exceed a single line.  Signature
     comments will be generated based on the name of the secret key used for
     signing.  This comment can then be used as a hint for the name of the
     public key when verifying.  The second line of the file is the actual key
     or signature, base64 encoded.
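As an added example (not part of this man page or of the signify source), the following Python parses the two-line file format described above and performs the two checks available before any signature math: recovering the public key name hinted by a signature comment, and confirming that the signature's key number matches the public key's. The `untrusted comment:` prefix, the `Ed` tag and the 8-byte key number layout follow signify's actual file format but are not stated on this page; the key and signature bytes are constructed placeholders, not real keys.

```python
import base64

# Decoded layout of the base64 line (signify's format, not stated on the page):
#   2-byte algorithm tag "Ed", 8-byte key number, then a 32-byte Ed25519
#   public key or a 64-byte Ed25519 signature.
TAG = b"Ed"
COMMENT_PREFIX = "untrusted comment: "


def make_file(comment, keynum, body):
    """Build a two-line signify-style file; used here only for constructed samples."""
    line2 = base64.b64encode(TAG + keynum + body).decode()
    return COMMENT_PREFIX + comment + "\n" + line2 + "\n"


# Constructed sample files: a public key and a signature made with the same
# (placeholder) key number. The byte values are filler, not a real key pair.
KEYNUM = bytes.fromhex("0102030405060708")
PUBKEY_FILE = make_file("signify public key", KEYNUM, bytes(range(32)))
SIG_FILE = make_file("verify with newkey.pub", KEYNUM, bytes(range(64)))


def parse_signify_file(text, body_len):
    """Split a key or signature file into (comment, keynum, body).

    Rejects a file whose second line does not decode to exactly the expected
    length or carries an unknown tag, so a truncated or foreign file fails
    loudly instead of being accepted.
    """
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith(COMMENT_PREFIX):
        raise ValueError("missing or malformed comment line")
    comment = lines[0][len(COMMENT_PREFIX):]
    blob = base64.b64decode(lines[1], validate=True)
    if blob[:2] != TAG or len(blob) != 2 + 8 + body_len:
        raise ValueError("unexpected algorithm tag or length")
    return comment, blob[2:10], blob[10:]


def pubkey_hint(sig_text):
    """Return the public key name the signature comment suggests, or None."""
    comment, _, _ = parse_signify_file(sig_text, 64)
    prefix = "verify with "
    return comment[len(prefix):] if comment.startswith(prefix) else None


def keynums_match(pubkey_text, sig_text):
    """True when the signature names the same key number as the public key.

    A mismatch means the wrong public key was supplied, which is reported
    separately from a failed Ed25519 check (the check this example omits).
    """
    _, key_num, _ = parse_signify_file(pubkey_text, 32)
    _, sig_num, _ = parse_signify_file(sig_text, 64)
    return key_num == sig_num
```

The comment line is untrusted input, so the hint only chooses which public key file to try; the key number comparison, and then the Ed25519 verification signify performs, decide whether the signature is accepted.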

EXIT STATUS
     The signify-openbsd utility exits 0 on success, and >0 if an error
     occurs.  It may fail because of one of the following reasons:

     o   Some necessary files do not exist.
     o   Entered passphrase is incorrect.
     o   The message file was corrupted and its signature does not match.
     o   The message file is too large.

EXAMPLES
     Create a new key pair:
           $ signify-openbsd -G -p newkey.pub -s newkey.sec

     Sign a file, specifying a signature name:
           $ signify-openbsd -S -s key.sec -m message.txt -x msg.sig

     Verify a signature, using the default signature name:
           $ signify-openbsd -V -p key.pub -m generalsorders.txt

     Verify a release directory containing SHA256.sig and a full set of
     release files:
           $ signify-openbsd -C -p /etc/signify/openbsd-67-base.pub -x SHA256.sig

     Verify a bsd.rd before an upgrade:
           $ signify-openbsd -C -p /etc/signify/openbsd-67-base.pub -x SHA256.sig bsd.rd

     Sign a gzip archive:
           $ signify-openbsd -Sz -s key-arc.sec -m in.tgz -x out.tgz

     Verify a gzip pipeline:
           $ ftp url | signify-openbsd -Vz -t arc | tar ztf -

SEE ALSO
     fw_update(1), gzip(1), pkg_add(1), sha256(1), sysupgrade(8)

HISTORY
     The signify-openbsd command first appeared in OpenBSD 5.5.

AUTHORS
     Ted Unangst <tedu@openbsd.org> and Marc Espie <espie@openbsd.org>.

BSD                            January 21, 2020                            BSD
