Provided by: signify-openbsd_31-3_amd64 bug

NAME

       signify-openbsd — cryptographically sign and verify files

SYNOPSIS

       signify-openbsd -C [-q] [-p pubkey] [-t keytype] -x sigfile [file ...]
       signify-openbsd -G [-n] [-c comment] -p pubkey -s seckey
       signify-openbsd -S [-enz] [-x sigfile] -s seckey -m message
       signify-openbsd -V [-eqz] [-p pubkey] [-t keytype] [-x sigfile] -m message

DESCRIPTION

       The  signify-openbsd  utility  creates  and  verifies cryptographic signatures.  A signature verifies the
       integrity of a message.  The mode of operation is selected with the following options:

       -C          Verify a signed checksum list, and then verify the checksum for each file.  If no  files  are
                   specified, all of them are checked.  sigfile should be the signed output of sha256(1).

       -G          Generate  a  new  key  pair.   Keynames  should  follow  the  convention  of  keyname.pub and
                   keyname.sec for the public and secret keys, respectively.

       -S          Sign the specified message file and create a signature.

       -V          Verify the message and signature match.

       The other options are as follows:

       -c comment    Specify the comment to be added during key generation.

       -e            When signing, embed the message after the signature.  When verifying, extract  the  message
                     from  the  signature.  (This requires that the signature was created using -e and creates a
                     new message file as output.)

       -m message    When signing, the file containing the message to sign.  When verifying, the file containing
                     the message to verify.  When verifying with -e, the file to create.

       -n            When generating a key pair, do not ask for a passphrase.  Otherwise,  signify-openbsd  will
                     prompt  the user for a passphrase to protect the secret key.  When signing with -z, store a
                     zero time stamp in the gzip(1) header.

       -p pubkey     Public key produced by -G, and used by -V to check a signature.

       -q            Quiet mode.  Suppress informational output.

       -s seckey     Secret (private) key produced by -G, and used by -S to sign a message.

       -t keytype    When deducing the correct key to check a  signature,  make  sure  the  actual  key  matches
                     /etc/signify/*-keytype.pub.

       -x sigfile    The signature file to create or verify.  The default is message.sig.

       -z            Sign and verify gzip(1) archives, where the signing data is embedded in the gzip(1) header.

       The  key and signature files created by signify-openbsd have the same format.  The first line of the file
       is a free form text comment that may be edited, so long as it does not exceed a single  line.   Signature
       comments  will  be generated based on the name of the secret key used for signing.  This comment can then
       be used as a hint for the name of the public key when verifying.  The second line  of  the  file  is  the
       actual key or signature base64 encoded.

EXIT STATUS

       The signify-openbsd utility exits 0 on success, and >0 if an error occurs.  It may fail because of one of
       the following reasons:

          Some necessary files do not exist.
          Entered passphrase is incorrect.
          The message file was corrupted and its signature does not match.
          The message file is too large.

EXAMPLES

       Create a new key pair:
             $ signify-openbsd -G -p newkey.pub -s newkey.sec

       Sign a file, specifying a signature name:
             $ signify-openbsd -S -s key.sec -m message.txt -x msg.sig

       Verify a signature, using the default signature name:
             $ signify-openbsd -V -p key.pub -m generalsorders.txt

       Verify a release directory containing SHA256.sig and a full set of release files:
             $ signify-openbsd -C -p /etc/signify/openbsd-72-base.pub -x SHA256.sig

       Verify a bsd.rd before an upgrade:
             $ signify-openbsd -C -p /etc/signify/openbsd-72-base.pub -x SHA256.sig bsd.rd

       Sign a gzip archive:
             $ signify-openbsd -Sz -s key-arc.sec -m in.tgz -x out.tgz

       Verify a gzip pipeline:
             $ ftp url | signify-openbsd -Vz -t arc | tar ztf -

SEE ALSO

       gzip(1), pkg_add(1), sha256(1), fw_update(8), sysupgrade(8)

HISTORY

       The signify-openbsd command first appeared in OpenBSD 5.5.

AUTHORS

       Ted Unangst <tedu@openbsd.org> and Marc Espie <espie@openbsd.org>.

Debian                                          February 20, 2022                             SIGNIFY-OPENBSD(1)