Annotation of src/usr.bin/signify/signify.1, Revision 1.23
1.23 ! tedu 1: .\" $OpenBSD: signify.1,v 1.22 2014/01/17 03:38:12 lteo Exp $
1.1 tedu 2: .\"
3: .\"Copyright (c) 2013 Marc Espie <espie@openbsd.org>
4: .\"Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
5: .\"
6: .\"Permission to use, copy, modify, and distribute this software for any
7: .\"purpose with or without fee is hereby granted, provided that the above
8: .\"copyright notice and this permission notice appear in all copies.
9: .\"
10: .\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11: .\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12: .\"MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13: .\"ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14: .\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15: .\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16: .\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1.23 ! tedu 17: .Dd $Mdocdate: January 17 2014 $
1.1 tedu 18: .Dt SIGNIFY 1
19: .Os
20: .Sh NAME
21: .Nm signify
22: .Nd cryptographically sign and verify files
23: .Sh SYNOPSIS
24: .Nm signify
1.10 deraadt 25: .Fl G
1.15 deraadt 26: .Op Fl c Ar comment
1.6 tedu 27: .Op Fl n
1.7 espie 28: .Fl p Ar pubkey
29: .Fl s Ar seckey
30: .Nm signify
1.10 deraadt 31: .Fl I
1.9 tedu 32: .Op Fl p Ar pubkey
33: .Op Fl s Ar seckey
1.19 tedu 34: .Op Fl x Ar sigfile
1.9 tedu 35: .Nm signify
1.10 deraadt 36: .Fl S
1.8 tedu 37: .Op Fl e
1.19 tedu 38: .Op Fl x Ar sigfile
1.7 espie 39: .Fl s Ar seckey
1.19 tedu 40: .Fl m Ar message
1.7 espie 41: .Nm signify
1.10 deraadt 42: .Fl V
1.8 tedu 43: .Op Fl e
1.19 tedu 44: .Op Fl x Ar sigfile
1.7 espie 45: .Fl p Ar pubkey
1.19 tedu 46: .Fl m Ar message
1.1 tedu 47: .Sh DESCRIPTION
48: The
49: .Nm
1.19 tedu 50: utility creates and verifies cryptographic signatures.
51: A signature verifies the integrity of a
1.8 tedu 52: .Ar message .
1.10 deraadt 53: The mode of operation is selected with the following options:
1.12 tedu 54: .Bl -tag -width Dsssigfile
1.10 deraadt 55: .It Fl G
56: Generate a new keypair.
57: .It Fl I
58: Inspect the specified keys or signature and print their fingerprint.
59: .It Fl S
1.19 tedu 60: Sign the specified message file and create a signature.
1.10 deraadt 61: .It Fl V
1.19 tedu 62: Verify the message and signature match.
1.10 deraadt 63: .El
1.4 jmc 64: .Pp
1.10 deraadt 65: The other options are as follows:
1.12 tedu 66: .Bl -tag -width Dsssignature
1.14 tedu 67: .It Fl c Ar comment
68: Specify the comment to be added during key generation.
1.8 tedu 69: .It Fl e
1.19 tedu 70: When signing, embed the message after the signature.
71: When verifying, extract the message from the signature.
72: (This requires that the signature was created using
73: .Fl e
74: and creates a new message file as output.)
75: .It Fl m Ar message
76: When signing, the file containing the message to sign.
77: When verifying, the file containing the message to verify.
78: When verifying with
79: .Fl e ,
80: the file to create.
1.6 tedu 81: .It Fl n
1.1 tedu 82: Do not ask for a passphrase during key generation.
83: Otherwise,
84: .Nm
1.19 tedu 85: will prompt the user for a passphrase to protect the secret key.
1.6 tedu 86: .It Fl p Ar pubkey
1.1 tedu 87: Public key produced by
1.7 espie 88: .Fl G ,
1.1 tedu 89: and used by
1.7 espie 90: .Fl V
1.1 tedu 91: to check a signature.
1.6 tedu 92: .It Fl s Ar seckey
1.1 tedu 93: Secret (private) key produced by
1.7 espie 94: .Fl G ,
1.1 tedu 95: and used by
1.7 espie 96: .Fl S
1.1 tedu 97: to sign a message.
1.19 tedu 98: .It Fl x Ar sigfile
99: The signature file to create or verify.
100: The default is
101: .Ar message Ns .sig .
1.1 tedu 102: .El
1.4 jmc 103: .Pp
104: The key and signature files created by
105: .Nm
106: have the same format.
107: The first line of the file is a free form text comment that may be edited,
108: so long as it does not exceed a single line.
109: The second line of the file is the actual key or signature base64 encoded.
1.1 tedu 110: .Sh EXIT STATUS
1.4 jmc 111: .Ex -std signify
112: It may fail because of one of the following reasons:
113: .Pp
1.1 tedu 114: .Bl -bullet -compact
1.4 jmc 115: .It
1.1 tedu 116: Some necessary files do not exist.
117: .It
118: Entered passphrase is incorrect.
119: .It
120: The message file was corrupted and its signature does not match.
121: .It
122: The message file is too large.
123: .El
124: .Sh EXAMPLES
125: Create a new keypair:
1.7 espie 126: .Dl $ signify -G -p newkey.pub -s newkey.sec
1.4 jmc 127: .Pp
128: Sign a file, specifying a signature name:
1.19 tedu 129: .Dl $ signify -S -s key.sec -m message.txt -x msg.sig
1.4 jmc 130: .Pp
1.1 tedu 131: Verify a signature, using the default signature name:
1.19 tedu 132: .Dl $ signify -V -p key.pub -m generalsorders.txt
1.11 deraadt 133: .Pp
1.17 deraadt 134: Verify a release directory containing
1.19 tedu 135: .Pa SHA256.sig
1.17 deraadt 136: and a full set of release files:
1.21 jmc 137: .Bd -literal -offset indent -compact
1.23 ! tedu 138: $ signify -V -e -p /etc/signify/openbsd-55-base.pub -x SHA256.sig -m - | \e
1.21 jmc 139: sha256 -c -
1.22 lteo 140: .Ed
141: .Pp
142: Verify a bsd.rd before an upgrade:
143: .Bd -literal -offset indent -compact
1.23 ! tedu 144: $ signify -V -e -p /etc/signify/openbsd-55-base.pub -x SHA256.sig -m - | \e
1.22 lteo 145: sha256 -C - bsd.rd
1.21 jmc 146: .Ed
1.1 tedu 147: .Sh SEE ALSO
1.11 deraadt 148: .Xr fw_update 1 ,
149: .Xr pkg_add 1 ,
150: .Xr sha256 1
1.1 tedu 151: .Sh HISTORY
152: The
153: .Nm
154: command first appeared in
1.7 espie 155: .Ox 5.5 .
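
The two-line file layout described in the man page above (a comment line, then a base64 line, with the message following when `-e` was used), as an added example that is not part of signify or the OpenBSD source. The function name, the error class and the sample data are constructed for illustration; the code only parses the layout and performs no signature verification.

```python
import base64
import binascii


class SignifyFormatError(ValueError):
    """The file does not match the two-line layout from the man page."""


def parse_signify_file(data: bytes, embedded: bool = False):
    """Return (comment, blob, message) for a key or signature file.

    Line 1 is a free-form comment, line 2 is the base64 key or signature.
    With embedded=True (files made with -S -e) the message follows line 2;
    otherwise any trailing bytes are rejected.
    """
    comment, nl, rest = data.partition(b"\n")
    if not nl:
        raise SignifyFormatError("comment line is not newline-terminated")
    b64, nl, message = rest.partition(b"\n")
    if not nl or not b64:
        raise SignifyFormatError("missing base64 line")
    try:
        # validate=True refuses characters outside the base64 alphabet
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise SignifyFormatError(f"bad base64: {exc}") from exc
    if message and not embedded:
        raise SignifyFormatError("unexpected data after base64 line")
    # The comment may be edited by anyone, so it is display text only.
    return comment.decode("utf-8", "replace"), blob, message


# Constructed sample data (not real keys or signatures).
SAMPLE_BLOB = bytes(range(24))
SAMPLE_SIG = b"constructed comment\n" + base64.b64encode(SAMPLE_BLOB) + b"\n"
SAMPLE_EMBEDDED = SAMPLE_SIG + b"SHA256 (bsd.rd) = <placeholder>\n"

if __name__ == "__main__":
    print(parse_signify_file(SAMPLE_SIG))
    print(parse_signify_file(SAMPLE_EMBEDDED, embedded=True))
```
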