NAME
nbsvtool — create and verify detached signatures of files
SYNOPSIS
nbsvtool [-v] [-a anchor-certificates] [-c certificate-chain] [-f certificate-file] [-k private-key-file] [-u required-key-usage] command args ...
DESCRIPTION
nbsvtool is used to create and verify detached X.509 signatures of files. Private keys and certificates are expected to be PEM-encoded; signatures are written and read in PEM/SMIME format.
Supported commands:

    sign file
        Sign file, placing the signature in file.sp7. The options -f and -k are required for this command.

    verify file [signature]
        Verify signature for file. If signature is not specified, file.sp7 is used.

    verify-code file [signature]
        A shortcut for verify with the option -u code.
Supported options:

    -a anchor-certificates
        A file containing one or more (concatenated) certificates that are considered trusted. A signature is only accepted if there is a certificate chain from one of them to the signing certificate.

    -c certificate-chain
        A file containing additional certificates that will be added to the signature when creating one. When verifying, those certificates are used to fill missing links in the trust chain between the signing certificate and a trust anchor.

    -f certificate-file
        A file containing the certificate to use for signing. The certificate must match the key given by -k.

    -k private-key-file
        A file containing the private key to use for signing.

    -u required-key-usage
        Verify that the extended key usage attribute of the signing certificate matches required-key-usage; otherwise the signature is rejected. required-key-usage can be one of “ssl-server”, “ssl-client”, “code”, or “smime”.

    -v
        Print verbose information about the signing certificate.
EXIT STATUS
The nbsvtool utility exits 0 on success, and >0 if an error occurs.
EXAMPLES
Create signature file hello.sp7 for file hello. The private key is found in file key, the matching certificate is in cert, and additional certificates from cert-chain are included in the created signature.

    nbsvtool -k key -f cert -c cert-chain sign hello hello.sp7

Verify that the signature hello.sp7 is valid for file hello and that the signing certificate allows code signing. Certificates in anchor-file are considered trusted, and there must be a certificate chain from one of those certificates to the signing certificate.

    nbsvtool -a anchor-file verify-code hello hello.sp7
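The sign and verify-code workflow above, carried through end to end, as an added example that is not part of nbsvtool or its manual page. nbsvtool itself is not assumed to be installed: the detached PEM/SMIME signatures are produced and checked with openssl (see openssl_smime(1) under SEE ALSO), using command lines that are equivalents of the nbsvtool invocations, not what nbsvtool runs internally. The script generates a throwaway root (the -a anchor), an intermediate (the -c cert-chain) and a code-signing leaf (-f cert, -k key) on the fly, signs a constructed file hello, and then shows the two failure modes a practitioner actually hits: a signer that chains to a CA missing from the anchor file, and a signer whose certificate lacks the codeSigning extended key usage, which plain verify accepts but verify-code rejects. File names follow the manual page's examples; the certificate subjects and the contents of hello are made up.

```shell
#!/bin/sh
# Added example, not part of nbsvtool or its manual page. It reproduces the
# sign / verify / verify-code workflow with openssl (the tool the manual page
# cross-references under SEE ALSO), so it runs where nbsvtool is absent: a
# throwaway root, an intermediate and a code-signing leaf are generated on the
# fly, a detached PEM PKCS7 signature is created, and verification is checked
# against the trust anchor and the codeSigning extended key usage. File names
# follow the manual page's examples (anchor-file, cert-chain, cert, key, hello,
# hello.sp7); subjects are made up. The openssl command lines are equivalents of
# the nbsvtool invocations, not what nbsvtool runs internally.
set -eu

# Minimal req(1) config so nothing depends on the system openssl.cnf.
write_cnf() {
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\n' >"$1/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >>"$1/req.cnf"
}

# Self-signed root: $1 = dir, $2 = subject CN, $3 = output file (key in $3.key).
make_ca() {
  [ -f "$1/req.cnf" ] || write_cnf "$1"
  openssl req -x509 -config "$1/req.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -days 1 -subj "/CN=$2" -keyout "$1/$3.key" -out "$1/$3" 2>/dev/null
}

# Intermediate under the root: this is the "-c cert-chain" the signer ships.
make_intermediate() {
  openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate" -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/int.csr" -CA "$1/anchor-file" \
    -CAkey "$1/anchor-file.key" -CAcreateserial -extfile "$1/req.cnf" \
    -extensions ca_ext -out "$1/cert-chain" 2>/dev/null
}

# Leaf under the intermediate: $1 = dir, $2 = CN, $3 = cert out, $4 = key out,
# $5 = extendedKeyUsage value (codeSigning is what "-u code" requires).
make_leaf() {
  openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$1/$4" -out "$1/$3.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$5" >"$1/$3.ext"
  openssl x509 -req -days 1 -in "$1/$3.csr" -CA "$1/cert-chain" \
    -CAkey "$1/int.key" -CAcreateserial -extfile "$1/$3.ext" -out "$1/$3" 2>/dev/null
}

# Whole PKI: anchor-file (root), cert-chain (intermediate), cert/key (signer).
make_pki() {
  make_ca "$1" "Example Root" anchor-file
  make_intermediate "$1"
  make_leaf "$1" "Example Signer" cert key codeSigning
}

# nbsvtool -k key -f cert -c cert-chain sign file   -> file.sp7
sign_file() {  # $1 = key, $2 = cert, $3 = cert-chain, $4 = file
  openssl smime -sign -binary -in "$4" -signer "$2" -inkey "$1" \
    -certfile "$3" -outform PEM -out "$4.sp7" 2>/dev/null
}

# nbsvtool -a anchor verify file [signature]: the signature matches the file
# and the signer chains to a certificate in the anchor file. $4 (optional)
# receives the signer certificate. openssl's default "smimesign" purpose
# would reject a codeSigning-only certificate, so it is set to "any" here and
# the key-usage requirement is checked separately in verify_code.
verify_file() {
  openssl smime -verify -binary -inform PEM -in "${3:-$2.sp7}" -content "$2" \
    -CAfile "$1" -purpose any -signer "${4:-/dev/null}" -out /dev/null 2>/dev/null
}

# nbsvtool -a anchor verify-code file [signature]: verify_file plus the
# "-u code" rule that the signing certificate carries the codeSigning EKU.
verify_code() {
  signer=$(mktemp)
  if ! verify_file "$1" "$2" "${3:-$2.sp7}" "$signer"; then rm -f "$signer"; return 1; fi
  eku=$(openssl x509 -in "$signer" -noout -text |
        awk '/X509v3 Extended Key Usage/ { getline; print }')
  rm -f "$signer"
  case $eku in *"Code Signing"*) return 0 ;; *) return 1 ;; esac
}

# Walk-through (skipped when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
  W=$(mktemp -d)
  make_pki "$W"
  printf 'echo hello\n' >"$W/hello"                  # constructed input file
  (cd "$W" && sign_file key cert cert-chain hello)
  (cd "$W" && verify_code anchor-file hello) && echo "hello.sp7: valid, signer may sign code"
  make_leaf "$W" "Mail Signer" mailcert mailkey emailProtection
  cp "$W/hello" "$W/hello2"
  (cd "$W" && sign_file mailkey mailcert cert-chain hello2)
  (cd "$W" && verify_file anchor-file hello2) && echo "hello2.sp7: chains to anchor"
  (cd "$W" && verify_code anchor-file hello2) || echo "hello2.sp7: rejected by verify-code (no codeSigning EKU)"
  rm -rf "$W"
fi
```

openssl smime -verify applies its own smimesign purpose by default, which refuses a certificate whose extended key usage is only codeSigning; the example therefore passes -purpose any and performs the key-usage check itself, the same split nbsvtool expresses with -u. The last case is the instructive one: hello2.sp7 is cryptographically valid and chains to the anchor, yet verify-code still fails, which is exactly what -u code buys you against a certificate issued for some other purpose being reused to sign code.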
SEE ALSO
openssl_smime(1)
CAVEATS
As there is currently no default trust anchor, you must explicitly specify one with -a; otherwise no verification can succeed.