NAME
nbsvtool - create and verify detached signatures of files
SYNOPSIS
nbsvtool [-v] [-a anchor-certificates] [-c certificate-chain] [-f certificate-file] [-k private-key-file] [-u required-key-usage] command args ...
DESCRIPTION
nbsvtool is used to create and verify detached X509 signatures of files.
Private keys and certificates are expected to be PEM encoded,
signatures are in PEM/SMIME format.
Supported commands:
- sign file
  Sign file, placing the signature in file.sp7.
  The options -f and -k are required for this command.
- verify file [signature]
  Verify signature for file.
  If signature is not specified, file.sp7 is used.
- verify-code file [signature]
  This is a shortcut for verify with the option -u code.
Supported options:
- -a anchor-certificates
  A file containing one or more (concatenated) keys that are considered
  trusted.
- -c certificate-chain
  A file containing additional certificates that will be added to the signature
  when creating one.
  They will be used to fill missing links in the trust chain when
  verifying the signature.
- -f certificate-file
  A file containing the certificate to use for signing.
  The certificate must match the key given by -k.
- -k private-key-file
  A file containing the private key to use for signing.
- -u required-key-usage
  Verify that the extended key-usage attribute in the signing certificate
  matches required-key-usage.
  Otherwise, the signature is rejected.
  The key usage can be one of: "ssl-server", "ssl-client", "code", or "smime".
- -v
  Print verbose information about the signing certificate.
EXIT STATUS
EXAMPLES
Create signature file hello.sp7 for file hello.
The private key is found in file key,
the matching certificate is in cert,
additional certificates from cert-chain
are included in the created signature.

    nbsvtool -k key -f cert -c cert-chain sign hello hello.sp7

Verify that the signature hello.sp7 is valid for file hello
and that the signing certificate allows code signing. Certificates
in anchor-file are considered trusted, and there must be a certificate chain from one
of those certificates to the signing certificate.

    nbsvtool -a anchor-file verify-code hello hello.sp7
SEE ALSO
openssl_smime(1)
CAVEATS
As there is currently no default trust anchor, you must explicitly
specify one with -a, otherwise no verification can succeed.
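
The following shell function is an added example, not part of the original manual page: it gates the use of a file on a successful verify-code check and fails closed when the trust anchor or the signature is missing. The function name verify_signed_file and its return codes are hypothetical, and it assumes that nbsvtool exits 0 only when verification succeeds.

```shell
#!/bin/sh
# Added example (not from the manual page): fail-closed wrapper around
# "nbsvtool verify-code".
# Assumption: nbsvtool exits 0 only when the signature verifies.

# verify_signed_file ANCHORS FILE [SIGNATURE]
# Returns 0 only if FILE verifies against SIGNATURE (default FILE.sp7),
# 1 if the signature is missing or rejected, 2 on a usage/setup problem.
verify_signed_file() {
    anchors=$1
    file=$2

    # Keep names that begin with "-" from being parsed as options.
    case $file in -*) file=./$file ;; esac
    sig=${3:-$file.sp7}
    case $sig in -*) sig=./$sig ;; esac

    # There is no default trust anchor, so an absent or empty anchor file
    # is a setup error: report it instead of running a check that cannot
    # succeed.
    if [ ! -s "$anchors" ]; then
        echo "verify: trust anchor file '$anchors' missing or empty" >&2
        return 2
    fi
    if [ ! -f "$file" ]; then
        echo "verify: '$file' not found" >&2
        return 2
    fi

    # A missing signature counts as a failed verification, never as
    # "unsigned but acceptable".
    if [ ! -s "$sig" ]; then
        echo "verify: no signature '$sig' for '$file'" >&2
        return 1
    fi

    # verify-code is verify with "-u code": the signing certificate must
    # carry the code-signing extended key usage and chain to an anchor.
    if nbsvtool -a "$anchors" verify-code "$file" "$sig"; then
        return 0
    fi
    echo "verify: signature check FAILED for '$file'" >&2
    return 1
}
```

Call it before unpacking or executing a downloaded file and stop on any non-zero return.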