NBSVTOOL(1) BSD General Commands Manual NBSVTOOL(1)
NAME
nbsvtool — create and verify detached signatures of files
SYNOPSIS
nbsvtool [-v] [-a anchor-certificates] [-c certificate-chain]
         [-f certificate-file] [-k private-key-file]
         [-u required-key-usage] command args ...
DESCRIPTION
nbsvtool is used to create and verify detached X509 signatures of files.
Private keys and certificates are expected to be PEM encoded, signatures
are in PEM/SMIME format.
Supported commands:
sign file
        Sign file, placing the signature in file.sp7. The options -f
        and -k are required for this command.
verify file [signature]
        Verify signature for file. If signature is not specified,
        file.sp7 is used.
verify-code file [signature]
        This is a short cut for verify with the option -u code.
Supported options:
-a anchor-certificates
        A file containing one or more (concatenated) keys that are
        considered trusted.
-c certificate-chain
        A file containing additional certificates that will be added
        to the signature when creating one. They will be used to fill
        missing links in the trust chain when verifying the signature.
-f certificate-file
        A file containing the certificate to use for signing. The
        certificate must match the key given by -k.
-k private-key-file
        A file containing the private key to use for signing.
-u required-key-usage
        Verify that the extended key-usage attribute in the signing
        certificate matches required-key-usage. Otherwise, the
        signature is rejected. The key usage can be one of:
        “ssl-server”, “ssl-client”, “code”, or “smime”.
-v
        Print verbose information about the signing certificate.
EXIT STATUS
The nbsvtool utility exits 0 on success, and >0 if an error occurs.
EXAMPLES
Create signature file hello.sp7 for file hello. The private key is found
in file key, the matching certificate is in cert, and additional
certificates from cert-chain are included in the created signature.
        nbsvtool -k key -f cert -c cert-chain sign hello hello.sp7
Verify that the signature hello.sp7 is valid for file hello and that the
signing certificate allows code signing. Certificates in anchor-file are
considered trusted, and there must be a certificate chain from one of
those certificates to the signing certificate.
        nbsvtool -a anchor-file verify-code hello hello.sp7
SEE ALSO
openssl_smime(1)
CAVEATS
As there is currently no default trust anchor, you must explicitly
specify one with -a, otherwise no verification can succeed.
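The following is an added example, not part of the original manual page: a fail-closed shell wrapper around verify-code that relies on the exit status and the explicit trust anchor requirement described above. The function name verify_signed and the NBSVTOOL override variable are hypothetical; only the nbsvtool options and commands documented on this page are used.

```shell
# Added example: fail-closed gate around "nbsvtool verify-code".
# verify_signed and NBSVTOOL are hypothetical names, not part of nbsvtool.

# verify_signed anchor-file file [signature]
# Returns 0 only if nbsvtool accepts the signature. Missing inputs or an
# empty anchor file return 2; a rejected signature returns 1.
verify_signed() {
    anchor=$1
    file=$2
    sig=${3:-$file.sp7}     # same default the manual gives for verify

    # CAVEATS: there is no default trust anchor, so insist on an explicit,
    # non-empty anchor file before calling the tool at all.
    if [ -z "$anchor" ] || [ ! -s "$anchor" ]; then
        echo "verify_signed: trust anchor file missing or empty: $anchor" >&2
        return 2
    fi
    for f in "$file" "$sig"; do
        if [ ! -r "$f" ]; then
            echo "verify_signed: cannot read $f" >&2
            return 2
        fi
    done

    # EXIT STATUS: 0 on success, >0 on error. Anything but 0 is a reject.
    if "${NBSVTOOL:-nbsvtool}" -a "$anchor" verify-code "$file" "$sig"; then
        return 0
    fi
    echo "verify_signed: signature check failed for $file" >&2
    return 1
}

# Typical use, with the file names from EXAMPLES:
#   verify_signed anchor-file hello hello.sp7 && ./hello
```

Because the caller chains on the return value, a file whose signature cannot be checked is treated the same as one whose signature is bad.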
BSD March 11, 2009 BSD