-.\" $OpenBSD: signify.1,v 1.18 2014/01/12 17:17:12 rpe Exp $
+.\" $OpenBSD: signify.1,v 1.19 2014/01/13 01:40:43 tedu Exp $
.\"
.\"Copyright (c) 2013 Marc Espie <espie@openbsd.org>
.\"Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
.\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.Dd $Mdocdate: January 12 2014 $
+.Dd $Mdocdate: January 13 2014 $
.Dt SIGNIFY 1
.Os
.Sh NAME
.Fl s Ar seckey
.Nm signify
.Fl I
-.Op Fl o Ar sigfile
.Op Fl p Ar pubkey
.Op Fl s Ar seckey
+.Op Fl x Ar sigfile
.Nm signify
.Fl S
.Op Fl e
-.Op Fl o Ar sigfile
+.Op Fl x Ar sigfile
.Fl s Ar seckey
-.Ar message
+.Fl m Ar message
.Nm signify
.Fl V
.Op Fl e
-.Op Fl o Ar sigfile
+.Op Fl x Ar sigfile
.Fl p Ar pubkey
-.Ar message
+.Fl m Ar message
.Sh DESCRIPTION
The
.Nm
-utility creates and verifies cryptographic signatures for
-an input file
+utility creates and verifies cryptographic signatures.
+A signature verifies the integrity of a
.Ar message .
The mode of operation is selected with the following options:
.Bl -tag -width Dsssigfile
.It Fl I
Inspect the specified keys or signature and print their fingerprint.
.It Fl S
-Sign the input file.
+Sign the specified message file and create a signature.
.It Fl V
-Verify the input file and signature match.
+Verify the message and signature match.
.El
.Pp
The other options are as follows:
.It Fl c Ar comment
Specify the comment to be added during key generation.
.It Fl e
-Embed the message after the signature when signing.
-For verification, extract the message from the signature.
+When signing, embed the message after the signature.
+When verifying, extract the message from the signature.
+(This requires that the signature was created using
+.Fl e
+and creates a new message file as output.)
+.It Fl m Ar message
+When signing, the file containing the message to sign.
+When verifying, the file containing the message to verify.
+When verifying with
+.Fl e ,
+the file to create.
.It Fl n
Do not ask for a passphrase during key generation.
Otherwise,
.Nm
-will prompt the user for a passphrase on the terminal.
-.It Fl o Ar sigfile
-The signature file to create or verify.
-The default is
-.Ar message Ns .sig .
+will prompt the user for a passphrase to protect the secret key.
.It Fl p Ar pubkey
Public key produced by
.Fl G ,
and used by
.Fl S
to sign a message.
+.It Fl x Ar sigfile
+The signature file to create or verify.
+The default is
+.Ar message Ns .sig .
.El
.Pp
The key and signature files created by
.Dl $ signify -G -p newkey.pub -s newkey.sec
.Pp
Sign a file, specifying a signature name:
-.Dl $ signify -S -s key.sec -o msg.sig message.txt
+.Dl $ signify -S -s key.sec -m message.txt -x msg.sig
.Pp
Verify a signature, using the default signature name:
-.Dl $ signify -V -p key.pub generalsorders.txt
+.Dl $ signify -V -p key.pub -m generalsorders.txt
.Pp
Verify a release directory containing
-.Pa SHA256.sig ,
-.Pa SHA256 ,
+.Pa SHA256.sig
and a full set of release files:
-.Dl $ signify -V -p /etc/signify/55base.pub SHA256 && sha256 -c SHA256
+.Dl $ signify -V -e -p /etc/signify/55base.pub -x SHA256.sig -m - && sha256 -c -
.Sh SEE ALSO
.Xr fw_update 1 ,
.Xr pkg_add 1 ,
-/* $OpenBSD: signify.c,v 1.30 2014/01/12 21:18:52 tedu Exp $ */
+/* $OpenBSD: signify.c,v 1.31 2014/01/13 01:40:43 tedu Exp $ */
/*
* Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
*
extern char *__progname;
static void
-usage(void)
+usage(const char *error)
{
+ if (error)
+ fprintf(stderr, "%s\n", error);
fprintf(stderr, "usage:"
#ifndef VERIFYONLY
- "\t%1$s -G [-c comment] [-n] -p pubkey -s seckey\n"
- "\t%1$s -I [-o sigfile] [-p pubkey] [-s seckey]\n"
- "\t%1$s -S [-e] [-o sigfile] -s seckey message\n"
+ "\t%1$s -G [-n] [-c comment] -p pubkey -s seckey\n"
+ "\t%1$s -I [-p pubkey] [-s seckey] [-x sigfile]\n"
+ "\t%1$s -S [-e] [-x sigfile] -s seckey -m message\n"
#endif
- "\t%1$s -V [-e] [-o sigfile] -p pubkey message\n",
+ "\t%1$s -V [-e] [-x sigfile] -p pubkey -m message\n",
__progname);
exit(1);
}
{
int fd;
- fd = open(fname, flags, mode);
- if (fd == -1)
- err(1, "open %s", fname);
+ if (strcmp(fname, "-") == 0) {
+ if ((flags & O_WRONLY))
+ fd = dup(STDOUT_FILENO);
+ else
+ fd = dup(STDIN_FILENO);
+ if (fd == -1)
+ err(1, "dup failed");
+ } else {
+ fd = open(fname, flags, mode);
+ if (fd == -1)
+ err(1, "can't open %s for %s", fname,
+ (flags & O_WRONLY) ? "writing" : "reading");
+ }
return fd;
}
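Review bot: The "-" branch classifies the open direction with `flags & O_WRONLY`, which covers the callers visible here (the O_NOFOLLOW|O_WRONLY write in the next hunk and plain reads) but would route an O_RDWR request to stdin, since O_RDWR is a distinct access-mode value rather than a superset of the O_WRONLY bit on the usual platforms; the portable test is `if ((flags & O_ACCMODE) == O_WRONLY)`, and the same expression should then be used in the `err()` message below it. Either way the stdin/stdout convention should be documented on the function, e.g. `/* "-" selects stdin for reads and stdout for writes; the descriptor is dup'd so callers may close() it like any other file */`. xopen's signature and parameters are outside the hunk.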
int fd, rv;
fd = xopen(filename, O_CREAT|flags|O_NOFOLLOW|O_WRONLY, mode);
- snprintf(header, sizeof(header), "%s%s\n", COMMENTHDR,
- comment);
+ snprintf(header, sizeof(header), "%s%s\n", COMMENTHDR, comment);
writeall(fd, header, strlen(header), filename);
if ((rv = b64_ntop(buf, len, b64, sizeof(b64)-1)) == -1)
errx(1, "b64 encode failed");
rounds = 42;
- while ((ch = getopt(argc, argv, "GISVc:eno:p:s:")) != -1) {
+ while ((ch = getopt(argc, argv, "GISVc:em:n:p:s:x:")) != -1) {
switch (ch) {
#ifndef VERIFYONLY
case 'G':
if (verb)
- usage();
+ usage(NULL);
verb = GENERATE;
break;
case 'I':
if (verb)
- usage();
+ usage(NULL);
verb = INSPECT;
break;
case 'S':
if (verb)
- usage();
+ usage(NULL);
verb = SIGN;
break;
#endif
case 'V':
if (verb)
- usage();
+ usage(NULL);
verb = VERIFY;
break;
case 'c':
case 'e':
embedded = 1;
break;
+ case 'm':
+ msgfile = optarg;
+ break;
case 'n':
rounds = 0;
break;
- case 'o':
- sigfile = optarg;
- break;
case 'p':
pubkeyfile = optarg;
break;
case 's':
seckeyfile = optarg;
break;
+ case 'x':
+ sigfile = optarg;
+ break;
default:
- usage();
+ usage(NULL);
break;
}
}
argc -= optind;
argv += optind;
-#ifdef VERIFYONLY
- if (verb != VERIFY)
-#else
+ if (argc != 0)
+ usage(NULL);
+
if (verb == NONE)
-#endif
- usage();
+ usage(NULL);
#ifndef VERIFYONLY
if (verb == GENERATE) {
- if (!pubkeyfile || !seckeyfile || argc != 0)
- usage();
+ if (!pubkeyfile || !seckeyfile)
+ usage("need pubkey and seckey");
generate(pubkeyfile, seckeyfile, rounds, comment);
} else if (verb == INSPECT) {
- if (argc != 0)
- usage();
inspect(seckeyfile, pubkeyfile, sigfile);
} else
#endif
{
- if (argc != 1)
- usage();
-
- msgfile = argv[0];
+ if (!msgfile)
+ usage("need message");
if (!sigfile) {
+ if (strcmp(msgfile, "-") == 0)
+ errx(1, "must specify sigfile with - message");
if (snprintf(sigfilebuf, sizeof(sigfilebuf), "%s.sig",
msgfile) >= sizeof(sigfilebuf))
errx(1, "path too long");
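Review bot: The new getopt string `"GISVc:em:n:p:s:x:"` declares `n:` with a required argument, but `case 'n'` only sets `rounds = 0` and never reads optarg, and both the usage text in this commit (`-G [-n] [-c comment]`) and the manual treat -n as a bare flag; as written, `-n -p newkey.pub` makes getopt consume `-p` as the argument of -n, so the public key name becomes a stray operand and the command fails the new `argc != 0` check instead of generating without a passphrase. The fix is one character: `while ((ch = getopt(argc, argv, "GISVc:emnp:s:x:")) != -1) {`. The added `-` handling at the sigfile default is correct since a literal `-.sig` would otherwise be created; main() continues past the end of this hunk.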
#ifndef VERIFYONLY
if (verb == SIGN) {
if (!seckeyfile)
- usage();
+ usage("need seckey");
sign(seckeyfile, msgfile, sigfile, embedded);
} else
#endif
if (verb == VERIFY) {
if (!pubkeyfile)
- usage();
+ usage("need pubkey");
verify(pubkeyfile, msgfile, sigfile, embedded);
}
}