Updated: 2022/Sep/29

NBSVTOOL(1)                 General Commands Manual                NBSVTOOL(1)

NAME
     nbsvtool - create and verify detached signatures of files

SYNOPSIS
     nbsvtool [-v] [-a anchor-certificates] [-c certificate-chain]
              [-f certificate-file] [-k private-key-file]
              [-u required-key-usage] command args ...

DESCRIPTION
     nbsvtool is used to create and verify detached X509 signatures of files.
     Private keys and certificates are expected to be PEM encoded, signatures
     are in PEM/SMIME format.

     Supported commands:

     sign file                         Sign file, placing the signature in
                                       file.sp7.  The options -f and -k are
                                       required for this command.

     verify file [signature]           Verify signature for file.  If
                                       signature is not specified, file.sp7 is
                                       used.

     verify-code file [signature]      This is a short cut for verify with the
                                       option -u code.

     Supported options:

     -a anchor-certificates        A file containing one or more
                                   (concatenated) keys that are considered
                                   trusted.

     -c certificate-chain          A file containing additional certificates
                                   that will be added to the signature when
                                   creating one.  They will be used to fill
                                   missing links in the trust chain when
                                   verifying the signature.

     -f certificate-file           A file containing the certificate to use
                                   for signing.  The certificate must match
                                   the key given by -k.

     -k private-key-file           A file containing the private key to use
                                   for signing.

     -u required-key-usage         Verify that the extended key-usage
                                   attribute in the signing certificate
                                   matches required-key-usage.  Otherwise, the
                                   signature is rejected.  required-key-usage
                                   can be one of: "ssl-server", "ssl-client",
                                   "code", or "smime".

     -v                            Print verbose information about the signing
                                   certificate.

EXIT STATUS
     The nbsvtool utility exits 0 on success, and >0 if an error occurs.

EXAMPLES
     Create signature file hello.sp7 for file hello.  The private key is found
     in file key, the matching certificate is in cert, additional certificates
     from cert-chain are included in the created signature.
           nbsvtool -k key -f cert -c cert-chain sign hello hello.sp7

     Verify that the signature hello.sp7 is valid for file hello and that the
     signing certificate allows code signing.  Certificates in anchor-file are
     considered trusted, and there must be a certificate chain from one of
     those certificates to the signing certificate.
           nbsvtool -a anchor-file verify-code hello hello.sp7

SEE ALSO
     openssl_smime(1)

CAVEATS
     As there is currently no default trust anchor, you must explicitly
     specify one with -a, otherwise no verification can succeed.
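
     The following wrapper is an added example, not part of the NetBSD
     manual or sources.  It gates execution of a file on verify-code and
     checks the anchor file first, because of the caveat above.  The names
     verify_code_signed, run_if_signed and NBSV_ANCHORS and the default
     anchor path are assumptions made for the example.

```sh
#!/bin/sh
# Added example: fail-closed wrapper around "nbsvtool verify-code".
# verify_code_signed, run_if_signed and NBSV_ANCHORS are hypothetical names;
# the default anchor path is a constructed placeholder, not a NetBSD default.
NBSV_ANCHORS="${NBSV_ANCHORS:-/etc/example/code-anchors.pem}"

# verify_code_signed file [signature]
# Returns 0 only when nbsvtool reports success, 1 when it rejects the
# signature, 2 for a problem found before nbsvtool is run.
verify_code_signed() {
    file=$1
    sig=${2:-$file.sp7}     # same default name nbsvtool uses

    # CAVEATS: without -a no verification can succeed, so report a
    # missing or empty anchor file as a configuration error up front.
    if [ ! -s "$NBSV_ANCHORS" ]; then
        echo "verify: anchor file $NBSV_ANCHORS missing or empty" >&2
        return 2
    fi
    if [ ! -f "$file" ] || [ ! -f "$sig" ]; then
        echo "verify: $file or $sig not found" >&2
        return 2
    fi

    # verify-code is the short cut for "verify -u code": the chain must
    # reach an anchor and the signer must carry the code-signing usage.
    if nbsvtool -a "$NBSV_ANCHORS" verify-code "$file" "$sig"; then
        return 0
    fi
    echo "verify: signature check failed for $file" >&2
    return 1
}

# run_if_signed file [args ...]: execute file only after it verifies.
run_if_signed() {
    target=$1
    shift
    verify_code_signed "$target" || return $?
    case $target in */*) ;; *) target=./$target ;; esac   # never search PATH
    "$target" "$@"
}
```

     The file can still be replaced between the check and the execution, so
     keep it in a directory that only the verifying user can write to.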

NetBSD 10.99                    March 11, 2009                    NetBSD 10.99