Manual browser: netpgpverify(1)

Section:
Page:
NETPGPVERIFY(1) General Commands Manual NETPGPVERIFY(1)

NAME

netpgpverifystandalone program for digital signature verification

SYNOPSIS

netpgpverify [-v] [-S ssh-pub-key-file] [-c command] [-k keyring] file ...

DESCRIPTION

The netpgpverify implements digital signature verification. It is designed to be simple and standalone; no external libraries, except for libz and libbz2 are used, in order to ensure maximum portability.

It is completely rewritten from the version of the program that appeared in NetBSD 6.0 as part of the netpgp(1) suite of commands.

The netpgpverify utility requires a file containing public keys, commonly called a “keyring”. Digitally-signed information can be fed to netpgpverify in two ways: as standard input, or as files provided on the command line. The public key part of the key which was used to sign the file must be present, or the signature verification will fail. Files may be signed in two distinct ways: as text documents, and as binary files. Text documents modify the contents to add different line-ending characters, and behave differently at the final byte of the input document. Binary files are read verbatim, and are not modified in any way.

The -k command line argument allows a keyring to be specified. The -v command line argument prints the version of the netpgpverify command and then exits. Finally, the -c command specified the command which may be given. This can take one of two values: “verify” which is also the default, which verifies the signature on the data; “cat” will also verify the signature on the data, and, if successfully verified, will display the verified data on stdout. The -S argument allows an ssh public key file to be used as the source of truth for the key. This ssh-key-based signature can be created using the netpgp(1) utility.

If a detached signature “.sig” is given on the command line, the signing information will be retrieved from that file, and the original data is expected to be found in a file in the same directory with the same name with the “.sig” suffix removed.

Both text mode signatures, and binary signatures, can be verified by netpgpverify

SIGNING AND VERIFICATION

Verification of a file's signature is best viewed using the following example:

% netpgpverify -k pubring.gpg NetBSD-6.0_RC1_hashes.asc 
Good signature for NetBSD-6.0_RC1_hashes.asc made Thu Aug 23 11:47:50 2012 
signature     4096/RSA (Encrypt or Sign) 064973ac4c4a706e 2009-06-23 
fingerprint   ddee 2bdb 9c98 a0d1 d4fb dbf7 0649 73ac 4c4a 706e 
uid           NetBSD Security Officer <security-officer@NetBSD.org> 
%

EXIT STATUS

The netpgpverify utility will return 0 for a successful verification, 1 if the file's signature does not match what was expected, or 2 if any other error occurs.

SEE ALSO

netpgp(1), zlib(3)

STANDARDS

The netpgpverify utility is designed to conform to IETF RFC 4880.

HISTORY

The netpgpverify command first appeared in NetBSD 7.0.

AUTHORS

Alistair Crooks <agc@NetBSD.org>.
February 2, 2014 NetBSD 7.0