cryptographically sign and verify files
utility creates and verifies
cryptographic signatures. A signature verifies the integrity of a
. The mode of operation is selected
with the following options:
- Verify a signed checksum list, and then verify the checksum
for each file. If no files are specified, all of them are checked.
sigfile should be the signed output of
- Generate a new key pair.
- Sign the specified message file and create a
- Verify the message and signature match.
The other options are as follows:
- Specify the comment to be added during key generation.
- When signing, embed the message after the signature. When
verifying, extract the message from the signature. (This requires that the
signature was created using -e and creates a
new message file as output.)
- When signing, the file containing the message to sign. When
verifying, the file containing the message to verify. When verifying with
-e, the file to create.
- Do not ask for a passphrase during key generation.
Otherwise, signify will prompt the user for a
passphrase to protect the secret key.
- Public key produced by -G, and
used by -V to check a signature.
- Quiet mode. Suppress informational output.
- Secret (private) key produced by
-G, and used by
-S to sign a message.
- The signature file to create or verify. The default is
The key and signature files created by signify
the same format. The first line of the file is a free form text comment that
may be edited, so long as it does not exceed a single line. The second line of
the file is the actual key or signature base64 encoded.
utility exits 0 on success,
and >0 if an error occurs. It may fail because of one of the
- Some necessary files do not exist.
- Entered passphrase is incorrect.
- The message file was corrupted and its signature does
- The message file is too large.
Create a new key pair:
$ signify -G -p newkey.pub -s
Sign a file, specifying a signature name:
$ signify -S -s key.sec -m message.txt -x
Verify a signature, using the default signature name:
$ signify -V -p key.pub -m
Verify a release directory containing SHA256.sig
and a full set of release files:
$ signify -C -p /etc/signify/openbsd-60-base.pub -x SHA256.sig
Verify a bsd.rd before an upgrade:
$ signify -C -p /etc/signify/openbsd-60-base.pub -x SHA256.sig bsd.rd
command first appeared in