diff options
Diffstat (limited to 'usr.bin/signify/signify.1')
-rw-r--r-- | usr.bin/signify/signify.1 | 206 |
1 files changed, 206 insertions, 0 deletions
diff --git a/usr.bin/signify/signify.1 b/usr.bin/signify/signify.1 new file mode 100644 index 0000000..ab612d5 --- /dev/null +++ b/usr.bin/signify/signify.1 @@ -0,0 +1,206 @@ +.\" $OpenBSD: signify.1,v 1.50 2020/04/05 06:34:20 deraadt Exp $ +.\" +.\"Copyright (c) 2013 Marc Espie <espie@openbsd.org> +.\"Copyright (c) 2013 Ted Unangst <tedu@openbsd.org> +.\" +.\"Permission to use, copy, modify, and distribute this software for any +.\"purpose with or without fee is hereby granted, provided that the above +.\"copyright notice and this permission notice appear in all copies. +.\" +.\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\"MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\"ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.Dd $Mdocdate: April 5 2020 $ +.Dt SIGNIFY 1 +.Os +.Sh NAME +.Nm signify +.Nd cryptographically sign and verify files +.Sh SYNOPSIS +.Nm signify +.Fl C +.Op Fl q +.Op Fl p Ar pubkey +.Op Fl t Ar keytype +.Fl x Ar sigfile +.Op Ar +.Nm signify +.Fl G +.Op Fl n +.Op Fl c Ar comment +.Fl p Ar pubkey +.Fl s Ar seckey +.Nm signify +.Fl S +.Op Fl enz +.Op Fl x Ar sigfile +.Fl s Ar seckey +.Fl m Ar message +.Nm signify +.Fl V +.Op Fl eqz +.Op Fl p Ar pubkey +.Op Fl t Ar keytype +.Op Fl x Ar sigfile +.Fl m Ar message +.Sh DESCRIPTION +The +.Nm +utility creates and verifies cryptographic signatures. +A signature verifies the integrity of a +.Ar message . +The mode of operation is selected with the following options: +.Bl -tag -width Dsssigfile +.It Fl C +Verify a signed checksum list, and then verify the checksum for +each file. +If no files are specified, all of them are checked. +.Ar sigfile +should be the signed output of +.Xr sha256 1 . +.It Fl G +Generate a new key pair. +Keynames should follow the convention of +.Pa keyname.pub +and +.Pa keyname.sec +for the public and secret keys, respectively. +.It Fl S +Sign the specified message file and create a signature. +.It Fl V +Verify the message and signature match. +.El +.Pp +The other options are as follows: +.Bl -tag -width Dsssignature +.It Fl c Ar comment +Specify the comment to be added during key generation. +.It Fl e +When signing, embed the message after the signature. +When verifying, extract the message from the signature. +(This requires that the signature was created using +.Fl e +and creates a new message file as output.) +.It Fl m Ar message +When signing, the file containing the message to sign. +When verifying, the file containing the message to verify. +When verifying with +.Fl e , +the file to create. +.It Fl n +When generating a key pair, do not ask for a passphrase. +Otherwise, +.Nm +will prompt the user for a passphrase to protect the secret key. +When signing with +.Fl z , +store a zero time stamp in the +.Xr gzip 1 +header. +.It Fl p Ar pubkey +Public key produced by +.Fl G , +and used by +.Fl V +to check a signature. +.It Fl q +Quiet mode. +Suppress informational output. +.It Fl s Ar seckey +Secret (private) key produced by +.Fl G , +and used by +.Fl S +to sign a message. +.It Fl t Ar keytype +When deducing the correct key to check a signature, make sure +the actual key matches +.Pa /etc/signify/*-keytype.pub . +.It Fl x Ar sigfile +The signature file to create or verify. +The default is +.Ar message Ns .sig . +.It Fl z +Sign and verify +.Xr gzip 1 +archives, where the signing data +is embedded in the +.Xr gzip 1 +header. +.El +.Pp +The key and signature files created by +.Nm +have the same format. +The first line of the file is a free form text comment that may be edited, +so long as it does not exceed a single line. +Signature comments will be generated based on the name of the secret +key used for signing. +This comment can then be used as a hint for the name of the public key +when verifying. +The second line of the file is the actual key or signature base64 encoded. +.Sh EXIT STATUS +.Ex -std signify +It may fail because of one of the following reasons: +.Pp +.Bl -bullet -compact +.It +Some necessary files do not exist. +.It +Entered passphrase is incorrect. +.It +The message file was corrupted and its signature does not match. +.It +The message file is too large. +.El +.Sh EXAMPLES +Create a new key pair: +.Dl $ signify -G -p newkey.pub -s newkey.sec +.Pp +Sign a file, specifying a signature name: +.Dl $ signify -S -s key.sec -m message.txt -x msg.sig +.Pp +Verify a signature, using the default signature name: +.Dl $ signify -V -p key.pub -m generalsorders.txt +.Pp +Verify a release directory containing +.Pa SHA256.sig +and a full set of release files: +.Bd -literal -offset indent -compact +$ signify -C -p /etc/signify/openbsd-68-base.pub -x SHA256.sig +.Ed +.Pp +Verify a bsd.rd before an upgrade: +.Bd -literal -offset indent -compact +$ signify -C -p /etc/signify/openbsd-68-base.pub -x SHA256.sig bsd.rd +.Ed +.Pp +Sign a gzip archive: +.Bd -literal -offset indent -compact +$ signify -Sz -s key-arc.sec -m in.tgz -x out.tgz +.Ed +.Pp +Verify a gzip pipeline: +.Bd -literal -offset indent -compact +$ ftp url | signify -Vz -t arc | tar ztf - +.Ed +.Sh SEE ALSO +.Xr fw_update 1 , +.Xr gzip 1 , +.Xr pkg_add 1 , +.Xr sha256 1 , +.Xr sysupgrade 8 +.Sh HISTORY +The +.Nm +command first appeared in +.Ox 5.5 . +.Sh AUTHORS +.An -nosplit +.An Ted Unangst Aq Mt tedu@openbsd.org +and +.An Marc Espie Aq Mt espie@openbsd.org . |