Updated: 2022/Sep/29
NBSVTOOL(1) General Commands Manual NBSVTOOL(1)

NAME
     nbsvtool - create and verify detached signatures of files

SYNOPSIS
     nbsvtool [-v] [-a anchor-certificates] [-c certificate-chain]
              [-f certificate-file] [-k private-key-file]
              [-u required-key-usage] command args ...

DESCRIPTION
     nbsvtool is used to create and verify detached X509 signatures of files.
     Private keys and certificates are expected to be PEM encoded, signatures
     are in PEM/SMIME format.

     Supported commands:

     sign file                     Sign file, placing the signature in
                                   file.sp7.  The options -f and -k are
                                   required for this command.

     verify file [signature]       Verify signature for file.  If
                                   signature is not specified, file.sp7 is
                                   used.

     verify-code file [signature]  This is a short cut for verify with the
                                   option -u code.

     Supported options:

     -a anchor-certificates   A file containing one or more
                              (concatenated) keys that are considered
                              trusted.

     -c certificate-chain     A file containing additional certificates
                              that will be added to the signature when
                              creating one.  They will be used to fill
                              missing links in the trust chain when
                              verifying the signature.

     -f certificate-file      A file containing the certificate to use
                              for signing.  The certificate must match
                              the key given by -k.

     -k private-key-file      A file containing the private key to use
                              for signing.

     -u required-key-usage    Verify that the extended key-usage
                              attribute in the signing certificate
                              matches required-key-usage.  Otherwise, the
                              signature is rejected.  The key usage can
                              be one of: "ssl-server", "ssl-client",
                              "code", or "smime".

     -v                       Print verbose information about the signing
                              certificate.

EXIT STATUS
     The nbsvtool utility exits 0 on success, and >0 if an error occurs.

EXAMPLES
     Create signature file hello.sp7 for file hello.  The private key is
     found in file key, the matching certificate is in cert, and additional
     certificates from cert-chain are included in the created signature.

           nbsvtool -k key -f cert -c cert-chain sign hello hello.sp7

     Verify that the signature hello.sp7 is valid for file hello and that the
     signing certificate allows code signing.  Certificates in anchor-file
     are considered trusted, and there must be a certificate chain from one
     of those certificates to the signing certificate.

           nbsvtool -a anchor-file verify-code hello hello.sp7
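
The verification example above, combined with the EXIT STATUS rule and the CAVEATS note into a fail-closed gate for scripts. This is an added example, not part of the original manual page; the function name verify_code_signed is hypothetical, and it assumes each signature sits next to its file as file.sp7.

```sh
# Added example, not part of the nbsvtool manual.
# verify_code_signed is a hypothetical helper name.
#
# verify_code_signed ANCHOR FILE...
# Returns 0 only if every FILE has a detached signature FILE.sp7 that
# "nbsvtool verify-code" accepts against ANCHOR; returns 1 otherwise.
verify_code_signed() {
    if [ "$#" -lt 2 ]; then
        echo "usage: verify_code_signed anchor-file file ..." >&2
        return 1
    fi
    anchor=$1
    shift

    # CAVEATS: there is no default trust anchor, so stop early when the
    # anchor file is missing or empty instead of running checks that
    # cannot succeed.
    if [ ! -r "$anchor" ] || [ ! -s "$anchor" ]; then
        echo "verify: trust anchor '$anchor' missing or empty" >&2
        return 1
    fi

    failed=0
    for f in "$@"; do
        sig=$f.sp7
        if [ ! -f "$f" ] || [ ! -f "$sig" ]; then
            echo "verify: $f: file or signature $sig missing" >&2
            failed=1
            continue
        fi
        # EXIT STATUS: 0 on success, >0 on error. Every non-zero status
        # counts as "not verified"; keep going so all failures are listed.
        if nbsvtool -a "$anchor" verify-code "$f" "$sig"; then
            echo "verify: $f: OK"
        else
            echo "verify: $f: REJECTED" >&2
            failed=1
        fi
    done
    return "$failed"
}
```

Call it as `verify_code_signed anchor-file hello && ./hello` so that nothing runs unless every listed file verified.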

SEE ALSO
     openssl_smime(1)

CAVEATS
     As there is currently no default trust anchor, you must explicitly
     specify one with -a, otherwise no verification can succeed.

NetBSD 10.99 March 11, 2009 NetBSD 10.99