Updated: 2022/Sep/29

NBSVTOOL(1)                 General Commands Manual                NBSVTOOL(1)

     nbsvtool - create and verify detached signatures of files

     nbsvtool [-v] [-a anchor-certificates] [-c certificate-chain]
              [-f certificate-file] [-k private-key-file]
              [-u required-key-usage] command args ...

     nbsvtool is used to create and verify detached X509 signatures of files.
     Private keys and certificates are expected to be PEM encoded, signatures
     are in PEM/SMIME format.

     Supported commands:

     sign file                         Sign file, placing the signature in
                                       file.sp7.  The options -f and -k are
                                       required for this command.

     verify file [signature]           Verify signature for file.  If
                                       signature is not specified, file.sp7 is

     verify-code file [signature]      This is a short cut for verify with the
                                       option -u code.

     Supported options:

     -a anchor-certificates        A file containing one or more
                                   (concatenated) keys that are considered

     -c certificate-chain          A file containing additional certificates
                                   that will be added to the signature when
                                   creating one.  They will be used to fill
                                   missing links in the trust chain when
                                   verifying the signature.

     -f certificate-file           A file containing the certificate to use
                                   for signing.  The certificate must match
                                   the key given by -k.

     -k private-key-file           A file containing the private key to use
                                   for signing.

     -u required-key-usage         Verify that the extended key-usage
                                   attribute in the signing certificate
                                   matches required-key-usage.  Otherwise, the
                                   signature is rejected.  Key usage can be
                                   one of: "ssl-server", "ssl-client", "code",
                                   or "smime".

     -v                            Print verbose information about the signing

     The nbsvtool utility exits 0 on success, and >0 if an error occurs.

     Create signature file hello.sp7 for file hello.  The private key is found
     in file key, the matching certificate is in cert, additional certificates
     from cert-chain are included in the created signature.
           nbsvtool -k key -f cert -c cert-chain sign hello hello.sp7

     Verify that the signature hello.sp7 is valid for file hello and that the
     signing certificate allows code signing.  Certificates in anchor-file are
     considered trusted, and there must be a certificate chain from one of
     those certificates to the signing certificate.
           nbsvtool -a anchor-file verify-code hello hello.sp7


     As there is currently no default trust anchor, you must explicitly
     specify one with -a, otherwise no verification can succeed.
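
     The verify-code example and the trust-anchor note above, combined into
     a fail-closed install wrapper.  This is an added example, not part of
     the NetBSD manual or the nbsvtool source; the NBSV_ANCHORS variable, its
     default path, and the function names verify_code and install_if_signed
     are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed use of "nbsvtool verify-code" before install.
# NBSV_ANCHORS and its default path are assumptions, not nbsvtool settings.
: "${NBSV_ANCHORS:=/etc/example/code-anchors.pem}"

# verify_code FILE [SIGNATURE]
# Returns 0 only when nbsvtool exits 0; 1 = rejected, 2 = cannot check.
verify_code() {
    file=$1
    sig=${2:-$file.sp7}    # sign places the signature in file.sp7

    # There is no default trust anchor: treat a missing or empty anchor
    # file as a configuration error, not as an ordinary bad signature.
    if [ ! -s "$NBSV_ANCHORS" ]; then
        echo "verify_code: no trust anchors in $NBSV_ANCHORS" >&2
        return 2
    fi
    if [ ! -f "$file" ] || [ ! -f "$sig" ]; then
        echo "verify_code: need both $file and $sig" >&2
        return 2
    fi
    # verify-code is verify with -u code, so a chain-valid certificate
    # without the code-signing key usage is still rejected.
    if nbsvtool -a "$NBSV_ANCHORS" verify-code "$file" "$sig"; then
        return 0
    fi
    echo "verify_code: signature rejected for $file" >&2
    return 1
}

# install_if_signed SRC DEST [SIGNATURE]
# Verifies a private copy, so the bytes checked are the bytes installed.
install_if_signed() {
    src=$1 dest=$2
    sig_path=${3:-$src.sp7}
    tmp=$(mktemp "$dest.XXXXXX") || return 2
    if cp "$src" "$tmp" && verify_code "$tmp" "$sig_path"; then
        mv "$tmp" "$dest"
    else
        rc=$?
        rm -f "$tmp"
        return "$rc"
    fi
}
```

     The installed file keeps the 0600 mode that mktemp gives the temporary
     copy; set the final mode explicitly if the file has to be readable or
     executable by others.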

NetBSD 9.99                     March 11, 2009                     NetBSD 9.99