netpgpverify(1) - NetBSD Manual Pages

Command:
Section:
Arch:
Collection:
>>>
NETPGPVERIFY(1)         NetBSD General Commands Manual         NETPGPVERIFY(1)


NAME

     netpgpverify -- standalone program for digital signature verification


SYNOPSIS

     netpgpverify [-v] [-S ssh-pub-key-file] [-c command] [-k keyring] file
                  ...


DESCRIPTION

     The netpgpverify implements digital signature verification.  It is
     designed to be simple and standalone; no external libraries, except for
     libz and libbz2 are used, in order to ensure maximum portability.

     It is completely rewritten from the version of the program that appeared
     in NetBSD 6.0 as part of the netpgp(1) suite of commands.

     The netpgpverify utility requires a file containing public keys, commonly
     called a ``keyring''.  Digitally-signed information can be fed to
     netpgpverify in two ways: as standard input, or as files provided on the
     command line.  The public key part of the key which was used to sign the
     file must be present, or the signature verification will fail.  Files may
     be signed in two distinct ways: as text documents, and as binary files.
     Text documents modify the contents to add different line-ending charac-
     ters, and behave differently at the final byte of the input document.
     Binary files are read verbatim, and are not modified in any way.

     The -k command line argument allows a keyring to be specified.

     The -v command line argument prints the version of the netpgpverify com-
     mand and then exits.

     The -c argument allows a ``command'' to be given, modifying the behaviour
     of the netpgpverify command.  This command can take one of three values:
     ``verify'' which is also the default, which verifies the signature on the
     data; ``cat'' will also verify the signature on the data, and, if suc-
     cessfully verified, will display the verified data on stdout; and
     ``dump'' which will dump the individual PGP packets to standard out,
     along with a hexadecimal dump of the first part of the contents of each
     packet.  Please note that the packets from the public key ring will also
     be dumped using this command.  The key ring packets will be displayed
     immediately before the packets in the file being verified.

     The -S argument allows an ssh public key file to be used as the source of
     truth for the key.  This ssh-key-based signature can be created using the
     netpgp(1) utility.

     If a detached signature ``.sig'' is given on the command line, the sign-
     ing information will be retrieved from that file, and the original data
     is expected to be found in a file in the same directory with the same
     name with the ``.sig'' suffix removed.

     Both text mode signatures, and binary signatures, can be verified by
     netpgpverify


SIGNING AND VERIFICATION

     Verification of a file's signature is best viewed using the following
     example:

     % netpgpverify -k pubring.gpg NetBSD-6.0_RC1_hashes.asc
     Good signature for NetBSD-6.0_RC1_hashes.asc made Thu Aug 23 11:47:50 2012
     signature     4096/RSA (Encrypt or Sign) 064973ac4c4a706e 2009-06-23
     fingerprint   ddee 2bdb 9c98 a0d1 d4fb dbf7 0649 73ac 4c4a 706e
     uid           NetBSD Security Officer <security-officer@NetBSD.org>
     %


EXIT STATUS

     The netpgpverify utility will return 0 for a successful verification, 1
     if the file's signature does not match what was expected, or 2 if any
     other error occurs.


SEE ALSO

     netpgp(1), zlib(3)


STANDARDS

     J. Callas, L. Donnerhacke, H. Finney, D. Shaw, and R. Thayer, OpenPGP
     Message Format, RFC 4880, November 2007.


HISTORY

     The netpgpverify command first appeared in NetBSD 7.0.


AUTHORS

     Alistair Crooks <agc@NetBSD.org>.

NetBSD 10.99                     April 3, 2018                    NetBSD 10.99