1.\" $OpenBSD: signify.1,v 1.57 2023/09/18 13:16:13 deraadt Exp $ 2.\" 3.\"Copyright (c) 2013 Marc Espie <espie@openbsd.org> 4.\"Copyright (c) 2013 Ted Unangst <tedu@openbsd.org> 5.\" 6.\"Permission to use, copy, modify, and distribute this software for any 7.\"purpose with or without fee is hereby granted, provided that the above 8.\"copyright notice and this permission notice appear in all copies. 9.\" 10.\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11.\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12.\"MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13.\"ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14.\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15.\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16.\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17.Dd $Mdocdate: September 18 2023 $ 18.Dt SIGNIFY 1 19.Os 20.Sh NAME 21.Nm signify 22.Nd cryptographically sign and verify files 23.Sh SYNOPSIS 24.Nm signify 25.Fl C 26.Op Fl q 27.Op Fl p Ar pubkey 28.Op Fl t Ar keytype 29.Fl x Ar sigfile 30.Op Ar 31.Nm signify 32.Fl G 33.Op Fl n 34.Op Fl c Ar comment 35.Fl p Ar pubkey 36.Fl s Ar seckey 37.Nm signify 38.Fl S 39.Op Fl enz 40.Op Fl x Ar sigfile 41.Fl s Ar seckey 42.Fl m Ar message 43.Nm signify 44.Fl V 45.Op Fl eqz 46.Op Fl p Ar pubkey 47.Op Fl t Ar keytype 48.Op Fl x Ar sigfile 49.Fl m Ar message 50.Sh DESCRIPTION 51The 52.Nm 53utility creates and verifies cryptographic signatures. 54A signature verifies the integrity of a 55.Ar message . 56The mode of operation is selected with the following options: 57.Bl -tag -width Dsssigfile 58.It Fl C 59Verify a signed checksum list, and then verify the checksum for 60each file. 61If no files are specified, all of them are checked. 62.Ar sigfile 63should be the signed output of 64.Xr sha256 1 . 65.It Fl G 66Generate a new key pair. 
67Keynames should follow the convention of 68.Pa keyname.pub 69and 70.Pa keyname.sec 71for the public and secret keys, respectively. 72.It Fl S 73Sign the specified message file and create a signature. 74.It Fl V 75Verify the message and signature match. 76.El 77.Pp 78The other options are as follows: 79.Bl -tag -width Dsssignature 80.It Fl c Ar comment 81Specify the comment to be added during key generation. 82.It Fl e 83When signing, embed the message after the signature. 84When verifying, extract the message from the signature. 85(This requires that the signature was created using 86.Fl e 87and creates a new message file as output.) 88.It Fl m Ar message 89When signing, the file containing the message to sign. 90When verifying, the file containing the message to verify. 91When verifying with 92.Fl e , 93the file to create. 94.It Fl n 95When generating a key pair, do not ask for a passphrase. 96Otherwise, 97.Nm 98will prompt the user for a passphrase to protect the secret key. 99When signing with 100.Fl z , 101store a zero time stamp in the 102.Xr gzip 1 103header. 104.It Fl p Ar pubkey 105Public key produced by 106.Fl G , 107and used by 108.Fl V 109to check a signature. 110.It Fl q 111Quiet mode. 112Suppress informational output. 113.It Fl s Ar seckey 114Secret (private) key produced by 115.Fl G , 116and used by 117.Fl S 118to sign a message. 119.It Fl t Ar keytype 120When deducing the correct key to check a signature, make sure 121the actual key matches 122.Pa /etc/signify/*-keytype.pub . 123.It Fl x Ar sigfile 124The signature file to create or verify. 125The default is 126.Ar message Ns .sig . 127.It Fl z 128Sign and verify 129.Xr gzip 1 130archives, where the signing data 131is embedded in the 132.Xr gzip 1 133header. 134.El 135.Pp 136The key and signature files created by 137.Nm 138have the same format. 139The first line of the file is a free form text comment that may be edited, 140so long as it does not exceed a single line. 
141Signature comments will be generated based on the name of the secret 142key used for signing. 143This comment can then be used as a hint for the name of the public key 144when verifying. 145The second line of the file is the actual key or signature base64 encoded. 146.Sh EXIT STATUS 147.Ex -std signify 148It may fail because of one of the following reasons: 149.Pp 150.Bl -bullet -compact 151.It 152Some necessary files do not exist. 153.It 154Entered passphrase is incorrect. 155.It 156The message file was corrupted and its signature does not match. 157.It 158The message file is too large. 159.El 160.Sh EXAMPLES 161Create a new key pair: 162.Dl $ signify -G -p newkey.pub -s newkey.sec 163.Pp 164Sign a file, specifying a signature name: 165.Dl $ signify -S -s key.sec -m message.txt -x msg.sig 166.Pp 167Verify a signature, using the default signature name: 168.Dl $ signify -V -p key.pub -m generalsorders.txt 169.Pp 170Verify a release directory containing 171.Pa SHA256.sig 172and a full set of release files: 173.Bd -literal -offset indent -compact 174$ signify -C -p /etc/signify/openbsd-74-base.pub -x SHA256.sig 175.Ed 176.Pp 177Verify a bsd.rd before an upgrade: 178.Bd -literal -offset indent -compact 179$ signify -C -p /etc/signify/openbsd-74-base.pub -x SHA256.sig bsd.rd 180.Ed 181.Pp 182Sign a gzip archive: 183.Bd -literal -offset indent -compact 184$ signify -Sz -s key-arc.sec -m in.tgz -x out.tgz 185.Ed 186.Pp 187Verify a gzip pipeline: 188.Bd -literal -offset indent -compact 189$ ftp url | signify -Vz -t arc | tar ztf - 190.Ed 191.Sh SEE ALSO 192.Xr gzip 1 , 193.Xr pkg_add 1 , 194.Xr sha256 1 , 195.Xr fw_update 8 , 196.Xr sysupgrade 8 197.Sh HISTORY 198The 199.Nm 200command first appeared in 201.Ox 5.5 . 202.Sh AUTHORS 203.An -nosplit 204.An Ted Unangst Aq Mt tedu@openbsd.org 205and 206.An Marc Espie Aq Mt espie@openbsd.org . 207
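The two-line key and signature file format described under DESCRIPTION (one free-form comment line, then one base64 line), parsed and checked as an added example; this is not code from signify or from this manual. It assumes, from the signify source rather than from this page, that the base64 payload begins with the 2-byte algorithm tag "Ed" and an 8-byte key number, followed by a 32-byte public key or a 64-byte signature, and that signature comments have the form "verify with keyname.pub"; the Ed25519 check itself is left to a crypto library.

```python
import base64
import re

# Layout of the base64 line (assumption taken from the signify source, not
# from this manual page): 2-byte algorithm tag "Ed", 8-byte key number,
# then a 32-byte Ed25519 public key or a 64-byte Ed25519 signature.
ALG = b"Ed"
KEYNUM_LEN = 8
PAYLOAD_LEN = {"pub": 32, "sig": 64}
COMMENT_PREFIX = "untrusted comment: "

def encode_signify_file(comment, kind, keynum, payload):
    """Build a signify-format file: one comment line, then one base64 line."""
    if (kind not in PAYLOAD_LEN or len(keynum) != KEYNUM_LEN
            or len(payload) != PAYLOAD_LEN[kind] or "\n" in comment):
        raise ValueError("bad %s fields" % kind)
    body = base64.b64encode(ALG + keynum + payload).decode("ascii")
    return COMMENT_PREFIX + comment + "\n" + body + "\n"

def parse_signify_file(text, kind):
    """Parse a .pub ('pub') or .sig ('sig') file into (comment, keynum, payload),
    rejecting anything that does not match the expected tag and lengths."""
    lines = text.split("\n")
    if len(lines) < 2 or not lines[0].startswith(COMMENT_PREFIX):
        raise ValueError("comment line must start with %r" % COMMENT_PREFIX)
    comment = lines[0][len(COMMENT_PREFIX):]
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != 2 + KEYNUM_LEN + PAYLOAD_LEN[kind]:
        raise ValueError("unexpected %s length %d" % (kind, len(raw)))
    if raw[:2] != ALG:
        raise ValueError("unsupported algorithm tag %r" % raw[:2])
    return comment, raw[2:2 + KEYNUM_LEN], raw[2 + KEYNUM_LEN:]

def pubkey_hint(sig_comment):
    """Public key file name hinted at by a signature comment, or None."""
    m = re.match(r"verify with (\S+\.pub)$", sig_comment)
    return m.group(1) if m else None

def same_key(pub_text, sig_text):
    """True if the signature carries the key number of this public key; a
    mismatch means the signature is being checked against the wrong key."""
    _, pub_keynum, _ = parse_signify_file(pub_text, "pub")
    _, sig_keynum, _ = parse_signify_file(sig_text, "sig")
    return pub_keynum == sig_keynum

# Constructed sample files: placeholder zero bytes, not a real key or signature.
KEYNUM = bytes.fromhex("0102030405060708")
SAMPLE_PUB = encode_signify_file("demo public key", "pub", KEYNUM, bytes(32))
SAMPLE_SIG = encode_signify_file("verify with demo.pub", "sig", KEYNUM, bytes(64))
```

The key-number comparison in same_key is the cheap structural check that lets a verifier report a wrong-key error before any signature arithmetic is attempted.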