NAME
netpgpverify —
standalone program for
digital signature verification
SYNOPSIS
netpgpverify |
[-v]
[-S
ssh-pub-key-file]
[-c
command]
[-k
keyring] file ... |
DESCRIPTION
The
netpgpverify implements digital signature verification. It
is designed to be simple and standalone; no external libraries, except for
libz and
libbz2 are used, in order to
ensure maximum portability.
It is completely rewritten from the version of the program that appeared in
NetBSD 6.0 as part of the
netpgp(1) suite of commands.
The
netpgpverify utility requires a file containing public
keys, commonly called a “keyring”. Digitally-signed information
can be fed to
netpgpverify in two ways: as standard input,
or as files provided on the command line. The public key part of the key which
was used to sign the file must be present, or the signature verification will
fail. Files may be signed in two distinct ways: as text documents, and as
binary files. Text documents modify the contents to add different line-ending
characters, and behave differently at the final byte of the input document.
Binary files are read verbatim, and are not modified in any way.
The
-k command line argument allows a keyring to be specified.
The
-v command line argument prints the version of the
netpgpverify command and then exits.
The
-c argument allows a “command” to be given,
modifying the behaviour of the
netpgpverify command. This
command can take one of three values: “verify” which is also the
default, which verifies the signature on the data; “cat” will also
verify the signature on the data, and, if successfully verified, will display
the verified data on
stdout
; and “dump”
which will dump the individual PGP packets to standard out, along with a
hexadecimal dump of the first part of the contents of each packet. Please note
that the packets from the public key ring will also be dumped using this
command. The key ring packets will be displayed immediately before the packets
in the file being verified.
The
-S argument allows an ssh public key file to be used as
the source of truth for the key. This ssh-key-based signature can be created
using the
netpgp(1) utility.
If a detached signature “.sig” is given on the command line, the
signing information will be retrieved from that file, and the original data is
expected to be found in a file in the same directory with the same name with
the “.sig” suffix removed.
Both text mode signatures, and binary signatures, can be verified by
netpgpverify
SIGNING AND VERIFICATION
Verification of a file's signature is best viewed using the following example:
% netpgpverify -k pubring.gpg NetBSD-6.0_RC1_hashes.asc
Good signature for NetBSD-6.0_RC1_hashes.asc made Thu Aug 23 11:47:50 2012
signature 4096/RSA (Encrypt or Sign) 064973ac4c4a706e 2009-06-23
fingerprint ddee 2bdb 9c98 a0d1 d4fb dbf7 0649 73ac 4c4a 706e
uid NetBSD Security Officer <security-officer@NetBSD.org>
%
EXIT STATUS
The
netpgpverify utility will return 0 for a successful
verification, 1 if the file's signature does not match what was expected, or 2
if any other error occurs.
SEE ALSO
netpgp(1),
zlib(3)
STANDARDS
The
netpgpverify utility is designed to conform to IETF RFC
4880.
HISTORY
The
netpgpverify command first appeared in
NetBSD 7.0.
AUTHORS
Alistair Crooks ⟨agc@NetBSD.org⟩.