[u/mdw/catacomb] / catsign.1

.\" -*-nroff-*-
.de VS
.sp 1
.RS
.nf
.ft B
..
.de VE
.ft R
.fi
.RE
.sp 1
..
.ie t \{\
.  if \n(.g \{\
.    fam P
.  \}
.\}
.de hP
.IP
.ft B
\h'-\w'\\$1\ 'u'\\$1\ \c
.ft P
..
.ie t .ds o \(bu
.el .ds o o
.TH catsign 1 "17 March 2005" "Straylight/Edgeware" "Catacomb cryptographic library"
.SH NAME
catsign \- sign and verify messages
.SH SYNOPSIS
.B catsign
.RB [ \-k
.IR keyring ]
.I command
.PP
where
.I command
is one of:
.PP
.B help
.RI [ command ...]
.br
.B show
.RI [ item ...]
.br
.B sign
.RB [ \-adt ]
.RB [ \-k
.IR tag ]
.RB [ \-f
.IR format ]
.RB [ \-o
.IR output ]
.RI [ file ]
.br
.B verify
.RB [ \-aquv ]
.RB [ \-k
.IR tag ]
.RB [ \-f
.IR format ]
.br
	
.RB [ \-o
.IR output ]
.RI [ file
.RI [ message ]]
.br
.B info
.RB [ \-a ]
.RB [ \-f
.IR format ]
.RI [ file ]
.br
.B format
.RB [ \-auABDET ]
.RB [ \-f
.IR format ]
.RB [ \-F
.IR format ]
.br
	
.RB [ \-m
.IR file ]
.RB [ \-o
.IR output ]
.RI [ file
.RI [ message ]]
.br
.B encode
.RB [ \-f
.IR format ]
.RB [ \-b
.IR boundary ]
.RB [ \-o
.IR output ]
.RI [ file ]
.br
.B decode
.RB [ \-f
.IR format ]
.RB [ \-b
.IR boundary ]
.RB [ \-o
.IR output ]
.RI [ file ]
.SH "DESCRIPTION"
The
.B catsign
command signs and verifies messages.  It also works as a simple PEM
encoder and decoder.  It provides a number of subcommands, by which the
various operations may be carried out.
.SS "Global options"
Before the command name,
.I "global options"
may be given.  The following global options are supported:
.TP
.BR "\-h, \-\-help " [ \fIcommand ...]
Writes a brief summary of
.BR catsign 's
various options to standard output, and returns a successful exit
status.  With command names, gives help on those commands.
.TP
.B "\-v, \-\-version"
Writes the program's version number to standard output, and returns a
successful exit status.
.TP
.B "\-u, \-\-usage"
Writes a very terse command line summary to standard output, and returns
a successful exit status.
.TP
.BI "\-k, \-\-keyring " file
Names the keyring file which
.B key
is to process.  The default keyring, used if this option doesn't specify
one, is the file named
.B keyring
in the current directory.  See
.BR key (1)
and
.BR keyring (5)
for more details about keyring files.
.SH "KEY SETUP"
Algorithms to be used with a particular key are described by attributes
on the key, or its type.  The
.B catsign
command deals with signing keys.  (Note that
.B catsign
uses signing keys in the same way as 
.BR catcrypt (1).)
.PP
A
.I sigalgspec
has the form
.IR sig \c
.RB [ / \c
.IR hash ].
If a
.B sig
attribute is present on the key, then it must have this form; otherwise,
the key's type must have the form
.BI ccsig- \c
.IR sigalgspec .
Algorithm selections are taken from appropriately-named attributes, or,
failing that, from the
.IR sigalgspec .
.PP
The signature algorithm is chosen according to the setting of
.I sig
as follows.  Run
.B catsign show sig
for a list of supported signature algorithms.
.TP
.B rsapkcs1
This is almost the same as the RSASSA-PKCS1-v1_5 algorithm described in
RFC3447; the difference is that the hash is left bare rather than being
wrapped in a DER-encoded 
.B DigestInfo
structure.  This doesn't affect security since the key can only be used
with the one hash function anyway, and dropping the DER wrapping permits
rapid adoption of new hash functions.  Regardless, use of this algorithm
is not recommended, since the padding method has been shown vulnerable
to attack.  Use the
.B rsa
algorithm of the
.B key add
command (see
.BR key (1))
to generate the key.
.TP
.B rsapss
This is the RSASSA-PSS algorithm described in RFC3447.  It is the
preferred RSA-based signature scheme.  Use the
.B rsa
algorithm of the
.B key add
command (see
.BR key (1))
to generate the key.
.TP
.B dsa
This is the DSA algorithm described in FIPS180-1 and FIPS180-2.    Use the
.B dsa
algorithm of the
.B key add
command (see
.BR key (1))
to generate the key.
.TP
.B ecdsa
This is the ECDSA algorithm described in ANSI X9.62 and FIPS180-2.  Use
the
.B ec
algorithm of the
.B key add
command (see
.BR key (1))
to generate the key.
.TP
.B kcdsa
This is the revised KCDSA (Korean Certificate-based Digital Signature
Algorithm) described in
.I The Revised Version of KCDSA
.RB ( http://dasan.sejong.ac.kr/~chlim/pub/kcdsa1.ps ).
Use the
.B dh
algorithm of the
.B key add
command with the
.B \-LS
options (see
.BR key (1))
to generate the key.
.TP
.B eckcdsa
This is an unofficial elliptic-curve analogue of the KCDSA algorithm.
Use the
.B ec
algorithm of the
.B key add
command (see
.BR key (1))
to generate the key.
.PP
As well as the signature algorithm itself, a hash function is used.
This is taken from the
.B hash
attribute on the key, or, failing that, from the
.I hash
specified in the
.IR sigalgspec ,
or, if that is absent, determined by the signature algorithm as follows.
.hP \*o
For
.BR rsapkcs1 ,
.BR rsapss ,
.BR dsa ,
and
.BR ecdsa ,
the default hash function is
.BR sha .
.hP \*o
For
.BR kcdsa 
and
.BR eckcdsa ,
the default hash function is
.BR has160 .
.PP
Run
.B catsign show hash
for a list of supported hash functions.
.SH "ENCODINGS"
Two encodings for the ciphertext are supported.
.TP
.B binary
The raw format, which has the benefit of being smaller, but needs to be
attached to mail messages and generally handled with care.
.TP
.B pem
PEM-encapsulated Base-64 encoded text.  This format can be included
directly in email and picked out again automatically; but there is a
4-to-3 data expansion as a result.
.SH "SIGNATURE FORMATS"
There are two basic signature formats understood by
.BR catsign .
.hP \*o
Embedded signatures include (embed) the message they sign; hence they're
complete in and of themselves.  The
.B catsign
program extracts the message during signature verification.
.hP \*o
Detached signatures are separate from the messages they sign, and both
the original file and the signature are required for a successful
verification.
.PP
Another important distinction is whether the message data is considered
to be plain text or raw binary data.
.hP \*o
When dealing with plain text,
.B catsign
allows a limited quantity of leeway in the messages it processes.  It
ignores trailing whitespace on a line, including stray carriage-returns,
which may appear if Windows boxes have had their way with the data.  It
also appends a final newline if there wasn't one before.  In embedded
signatures, the text is left unencoded, so that the message is readable.
.hP \*o
Binary files are preserved completely, and no variation whatever is
permitted.
.PP
The
.VS
catsign format
.VE
command can convert between detached and embedded signatures; it cannot
convert between binary and text mode signatures.  (The data actually
signed includes a flag saying whether the message is textual.  The
rationale here is that what looks like an ASCII space before a newline
may be devastatingly significant in a binary data file, and if a message
is signed as raw binary then no changes whatever should be allowed.)
.SH "COMMAND REFERENCE"
.SS help
The
.B help
command behaves exactly as the
.B \-\-help
option.  With no arguments, it shows an overview of
.BR catsign 's
options; with arguments, it describes the named subcommands.
.SS show
The
.B show
command prints various lists of tokens understood by
.BR catsign .
With no arguments, it prints all of the lists; with arguments, it prints
just the named lists, in order.  The recognized lists can be enumerated
using the
.VS
catsign show list
.VE
command.  The lists are as follows.
.TP
.B list
The lists which can be enumerated by the
.B show
command.
.TP
.B sig
The signature algorithms which can be used in a signing key's
.B sig
attribute.
.TP
.B hash
The hash functions which can be used in a key's
.B hash
attribute.
.TP
.B enc
The encodings which can be applied to encrypted messages; see 
.B ENCODINGS
above.
.SS sign
The
.B sign
command signs a message and writes out an appropriately-encoded
signature.  By default, it reads a message from standard input and
writes the signature to standard output.  If a filename argument is
given, this file is read instead.
.PP
The following options are recognized.
.TP
.B "\-a, \-\-armour"
Produce ASCII-armoured output.  This is equivalent to specifying
.BR "\-f pem" .
The variant spelling
.B "\-\-armor"
is also accepted.
.TP
.B "\-b, \-\-binary"
Read and sign the input as binary data.  The default is to treat the
input as text.
.TP
.B "\-d, \-\-detach"
Produce a detached signature.  The default is to produce a signature
with embedded message.
.TP
.BI "\-f, \-\-format " format
Produce output encoded according to
.IR format .
.TP
.BI "\-k, \-\-key " tag
Use the signing key named
.I tag
in the current keyring; the default key is
.BR ccsig .
.TP
.BI "\-o, \-\-ouptut " file
Write output to
.I file
rather than to standard output.
.TP
.B "\-t, \-\-text"
Read and sign the input as text.  This is the default.
.SS verify
The
.B verify
command checks a signature's validity, producing as output information
about the signature and the signed message.
.PP
The first non-option argument is the name of the file containing the
signature data; this may be omitted or 
.RB ` \- '
to indicate that the signature be read from standard input.  The second
non-option argument, if any, is the name of the file to read the message
from, if the signature is detached.  An error is reported if a message
file is specified but the signature contains an embedded message
already; if the signature is detached but no filename is given, then the
message is expected on stdin (immediately after the signature, if any).
.TP
.B "\-a, \-\-armour"
Read ASCII-armoured input.  This is equivalent to specifying
.BR "\-f pem" .
The variant spelling
.B "\-\-armor"
is also accepted.
.TP
.B "\-b, \-\-buffer"
Buffer the message until the signature is verified.  This is forced on
if output is to stdout, but is always available as an option.
.TP
.BI "\-f, \-\-format " format
Read input encoded according to
.IR format .
.TP
.B "\-v, \-\-verbose"
Produce more verbose messages.  See below for the messages produced
during decryption.  The default verbosity level is 1.  (Currently this
is the most verbose setting.  This might not be the case always.)
.B "\-q, \-\-quiet"
Produce fewer messages.
.TP
.BI "\-k, \-\-key " tag
Usually
.B catsign
uses the signature header to work out which key to use to verify a
signature.  Using this option causes verification to fail unless the
signature header specifies the key named
.IR tag .
.TP
.B "\-u, \-\-utc"
Show the datestamp in the signature in UTC rather than (your) local
time.  The synonym
.B \-\-gmt
is also accepted.
.TP
.BI "\-o, \-\-output " file
Write the verified message to
.IR file .
The file is written in text or binary
mode as appropriate.  The default is to write the message to standard
output unless verifying a detached signature, in which case nothing is
written.
.PP
Output is written to standard output in a machine-readable format.
Major problems cause the program to write a diagnostic to standard error
and exit nonzero as usual.  The quantity of output varies depending on
the verbosity level and whether the message is also being written to
standard output.  Output lines begin with a keyword:
.TP
.BI "FAIL " reason
An error prevented verification.  The program will exit nonzero.
.TP
.BI "WARN " reason
.B catsign
encountered a situation which may or may not invalidate the
verification.
.TP
.BI "OK " message
Verification was successful.  This is only produced if the message is
being sent somewhere other than standard output.
.TP
.B "DATA"
The message follows, starting just after the next newline character or
sequence.  This is only produced if the message is being written to
standard output.
.TP
.BI "INFO " note
Any other information.
.PP
The information written at the various verbosity levels is as follows.
.hP 0.
No output.  Watch the exit status.
.hP 1.
All messages.
.PP
.B Warning!
All output written has been checked for authenticity.  However, output
can fail madway through for many reasons, and the resulting message may
therefore be truncated.  Don't rely on the output being complete until 
.B OK is printed or
.B catsign verify
exits successfully.
.SS info
The
.B info
command analyses a signature without verifying it, and prints
interesting information about it.  This might be useful for diagnostic
purposes.  No keys are needed for this operation, though you get more
useful information if you have them.
.PP
If a non-option argument is given, and it is not
.RB ` \- ',
then it is taken to name the file containing the signature to parse;
otherwise a signature is read from standard input.
.PP
The following options are recognized.
.TP
.B "\-a, \-\-armour"
Read ASCII-armoured input.  This is equivalent to specifying
.BR "\-f pem" .
The variant spelling
.B "\-\-armor"
is also accepted.
.TP
.BI "\-f, \-\-format " format
Read input encoded according to
.IR format .
.TP
.B "\-u, \-\-utc"
Show the datestamp in the signature in UTC rather than (your) local
time.  The synonym
.B \-\-gmt
is also accepted.
.PP
A description of the signature block is produced on standard output; it
is mostly machine-readable.  The first word on each line explains what
kind of output it is.
.TP
.BI "BAD " message
The signature data is invalid and cannot be parsed.
.TP
.BI "WARN " message
Something is wrong with the data, but isn't fatal.
.TP
.BI "NOTE " message
An environmental problem means that the information isn't as helpful as
it might be.  For example, the keyring file can't be opened, so we don't
know whether the verification key is there.
.TP
.BI "INFO flags " flags
Describes the flags set in the signature header.  The
.I flags
are a list of flags, one per word, preceded by a
.RB ` ! '
if the flag is clear.
.TP
.BI "INFO expected-flags " flags
If the PEM boundary string didn't match the actual signature data then
this line is output, listing the expected flags and their settings.
Problems with boundary mismatches can be resolved using the
.B format
command.
.TP
.BI "INFO date " yyyy "\-" mm "\-" dd " " hh ":" mm ":" ss " " tz
Signature was (allegedly!) made at the given time and date.  If the
.B \-u
option was given, this will be in UTC.
.TP
.BI "INFO key " tag
Signature was (allegedly!) made using the key
.IR tag ,
which is present in the current keyring.
.TP
.BI "INFO unknown-key " keyid
Signature was (allegedly!) made using the key with id
.IR keyid
which is not in the current keyring (or the keyring wasn't found).
.SS format
The
.B format
command translates signatures between the various supported formats.
This is a (slightly) more complex operation than re-encoding, though it
does not require any cryptographic operations.
.PP
The first non-option argument is the name of the file containing the
signature data; this may be omitted or 
.RB ` \- '
to indicate that the signature be read from standard input.  The second
non-option argument, if any, is the name of the file to read the message
from, if the signature is detached.  An error is reported if a message
file is specified but the signature contains an embedded message
already; if the signature is detached but no filename is given, then the
message is expected on stdin (immediately after the signature, if any).
.PP
The options follow a rough convention: options describing the input
format are lower-case and options specifying the output format are
upper-case.  The following options are recognized.
.TP "\-a, \-\-armour-in"
Read ASCII-armoured input.  This is equivalent to specifying
.BR "\-f pem" .
The variant spelling
.B "\-\-armor"
is also accepted.
.TP "\-A, \-\-armour-out"
Produce ASCII-armoured output.  This is equivalent to specifying
.BR "\-F pem" .
The variant spelling
.B "\-\-armor-out"
is also accepted.
.TP
.B "\-D, \-\-detach"
Produce a detached signature.  This may be used to detach a signature
from an embedded message.
.TP
.B "\-E, \-\-embed"
Produce a signature with embedded message.  This may be used to
reattach a message to its detached signature.
.TP
.BI "\-f, \-\-format-in " format
Read input encoded according to
.IR format .
.TP
.BI "\-F, \-\-format-out " format
Produce output encoded according to
.IR format .
.TP
.BI "\-m, \-\-message " file
Write the message to
.IR file .
If
.I file
is
.RB ` \- '
then write the message to standard output.  Don't send the message and
signature to the same place because it doesn't work.
.TP
.BI "\-o, \-\-output " file
Write the signature to
.IR file .
If no
.B \-m
or
.B \-o
option is given, a signature is written to standard output.
.SS "encode"
The
.B encode
command encodes an input file according to one of the encodings
described above in
.BR ENCODINGS .
The input is read from the 
.I file
given on the command line, or from standard input if none is specified.
Options provided are:
.TP
.BI "\-f, \-\-format " format
Produce output in
.IR format .
Run
.B catsign show enc
for a list of encoding formats.
.TP
.BI "\-b, \-\-boundary " label
Set the PEM boundary string to
.IR label ;
i.e., assuming we're encoding in PEM format, the output will have
.BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-"
at the top and
.BI "\-\-\-\-\-END " label "\-\-\-\-\-"
at the bottom.  The default
.I label
is
.BR MESSAGE .
.TP
.BI "\-o, \-\-output " file
Write output to
.I file
instead of to standard output.
.SS "decode"
The
.B decode
command decodes an input file encoded according to one of the encodings
described above in
.BR ENCODINGS .
The input is read from the 
.I file
given on the command line, or from standard input if none is specified.
Options provided are:
.TP
.BI "\-f, \-\-format " format
Decode input in
.IR format .
Run
.B catsign show enc
for a list of encoding formats.
.TP
.BI "\-b, \-\-boundary " label
Set the PEM boundary string to
.IR label ;
i.e., assuming we're encoding in PEM format, start processing input
between
.BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-"
and 
.BI "\-\-\-\-\-END " label "\-\-\-\-\-"
lines.  Without this option,
.B catsign
will start reading at the first plausible boundary string, and continue
processing until it reaches the matching end boundary.
.TP
.BI "\-o, \-\-output " file
Write output to
.I file
instead of to standard output.
.SH "BUGS"
The trailing-whitespace deletion doesn't work for more than 32K of
whitespace.  I don't think this is a big problem, really.
.PP
The
.B format
command does something unhelpful if message and signature are sent to
the same file.
.SH "SEE ALSO"
.BR key (1),
.BR catcrypt (1),
.BR dsig (1),
.BR hashsum (1),
.BR keyring (5).
.SH AUTHOR
Mark Wooding, <mdw@nsict.org>
Commit	Line	Data
fa54fe1e	1	.\" --nroff--
	2	.de VS
	3	.sp 1
	4	.RS
	5	.nf
	6	.ft B
	7	..
	8	.de VE
	9	.ft R
	10	.fi
	11	.RE
	12	.sp 1
	13	..
	14	.ie t \{\
	15	. if \n(.g \{\
	16	. fam P
	17	. \}
	18	.\}
	19	.de hP
	20	.IP
	21	.ft B
	22	\h'-\w'\\$1\ 'u'\\$1\ \c
	23	.ft P
	24	..
	25	.ie t .ds o \(bu
	26	.el .ds o o
	27	.TH catsign 1 "17 March 2005" "Straylight/Edgeware" "Catacomb cryptographic library"
	28	.SH NAME
	29	catsign \- sign and verify messages
	30	.SH SYNOPSIS
	31	.B catsign
	32	.RB [ \-k
	33	.IR keyring ]
	34	.I command
	35	.PP
	36	where
	37	.I command
	38	is one of:
	39	.PP
	40	.B help
	41	.RI [ command ...]
	42	.br
	43	.B show
	44	.RI [ item ...]
	45	.br
	46	.B sign
	47	.RB [ \-adt ]
	48	.RB [ \-k
	49	.IR tag ]
	50	.RB [ \-f
	51	.IR format ]
	52	.RB [ \-o
	53	.IR output ]
	54	.RI [ file ]
	55	.br
	56	.B verify
	57	.RB [ \-aquv ]
	58	.RB [ \-k
	59	.IR tag ]
	60	.RB [ \-f
	61	.IR format ]
	62	.br
	63
	64	.RB [ \-o
65	.IR output ]
66	.RI [ file
67	.RI [ message ]]
68	.br
69	.B info
70	.RB [ \-a ]
71	.RB [ \-f
72	.IR format ]
73	.RI [ file ]
74	.br
75	.B format
76	.RB [ \-auABDET ]
77	.RB [ \-f
78	.IR format ]
79	.RB [ \-F
80	.IR format ]
81	.br
82
83	.RB [ \-m
84	.IR file ]
85	.RB [ \-o
86	.IR output ]
87	.RI [ file
88	.RI [ message ]]
89	.br
90	.B encode
91	.RB [ \-f
92	.IR format ]
93	.RB [ \-b
94	.IR boundary ]
95	.RB [ \-o
96	.IR output ]
97	.RI [ file ]
98	.br
99	.B decode
100	.RB [ \-f
101	.IR format ]
102	.RB [ \-b
103	.IR boundary ]
104	.RB [ \-o
105	.IR output ]
106	.RI [ file ]
107	.SH "DESCRIPTION"
108	The
109	.B catsign
110	command signs and verifies messages. It also works as a simple PEM
111	encoder and decoder. It provides a number of subcommands, by which the
112	various operations may be carried out.
113	.SS "Global options"
114	Before the command name,
115	.I "global options"
116	may be given. The following global options are supported:
117	.TP
118	.BR "\-h, \-\-help " [ \fIcommand ...]
119	Writes a brief summary of
120	.BR catsign 's
121	various options to standard output, and returns a successful exit
122	status. With command names, gives help on those commands.
123	.TP
124	.B "\-v, \-\-version"
125	Writes the program's version number to standard output, and returns a
126	successful exit status.
127	.TP
128	.B "\-u, \-\-usage"
129	Writes a very terse command line summary to standard output, and returns
130	a successful exit status.
131	.TP
132	.BI "\-k, \-\-keyring " file
133	Names the keyring file which
134	.B key
135	is to process. The default keyring, used if this option doesn't specify
136	one, is the file named
137	.B keyring
138	in the current directory. See
139	.BR key (1)
140	and
141	.BR keyring (5)
142	for more details about keyring files.
143	.SH "KEY SETUP"
144	Algorithms to be used with a particular key are described by attributes
145	on the key, or its type. The
146	.B catsign
147	command deals with signing keys. (Note that
148	.B catsign
149	uses signing keys in the same way as
150	.BR catcrypt (1).)
151	.PP
152	A
153	.I sigalgspec
154	has the form
155	.IR sig \c
156	.RB [ / \c
157	.IR hash ].
158	If a
159	.B sig
160	attribute is present on the key, then it must have this form; otherwise,
161	the key's type must have the form
162	.BI ccsig- \c
163	.IR sigalgspec .
164	Algorithm selections are taken from appropriately-named attributes, or,
165	failing that, from the
166	.IR sigalgspec .
167	.PP
168	The signature algorithm is chosen according to the setting of
169	.I sig
170	as follows. Run
171	.B catsign show sig
172	for a list of supported signature algorithms.
173	.TP
174	.B rsapkcs1
175	This is almost the same as the RSASSA-PKCS1-v1_5 algorithm described in
176	RFC3447; the difference is that the hash is left bare rather than being
177	wrapped in a DER-encoded
178	.B DigestInfo
179	structure. This doesn't affect security since the key can only be used
180	with the one hash function anyway, and dropping the DER wrapping permits
181	rapid adoption of new hash functions. Regardless, use of this algorithm
182	is not recommended, since the padding method has been shown vulnerable
183	to attack. Use the
184	.B rsa
185	algorithm of the
186	.B key add
187	command (see
188	.BR key (1))
189	to generate the key.
190	.TP
191	.B rsapss
192	This is the RSASSA-PSS algorithm described in RFC3447. It is the
193	preferred RSA-based signature scheme. Use the
194	.B rsa
195	algorithm of the
196	.B key add
197	command (see
198	.BR key (1))
199	to generate the key.
200	.TP
201	.B dsa
202	This is the DSA algorithm described in FIPS180-1 and FIPS180-2. Use the
203	.B dsa
204	algorithm of the
205	.B key add
206	command (see
207	.BR key (1))
208	to generate the key.
209	.TP
210	.B ecdsa
211	This is the ECDSA algorithm described in ANSI X9.62 and FIPS180-2. Use
212	the
213	.B ec
214	algorithm of the
215	.B key add
216	command (see
217	.BR key (1))
218	to generate the key.
219	.TP
220	.B kcdsa
221	This is the revised KCDSA (Korean Certificate-based Digital Signature
222	Algorithm) described in
223	.I The Revised Version of KCDSA
224	.RB ( http://dasan.sejong.ac.kr/~chlim/pub/kcdsa1.ps ).
225	Use the
226	.B dh
227	algorithm of the
228	.B key add
229	command with the
230	.B \-LS
231	options (see
232	.BR key (1))
233	to generate the key.
234	.TP
235	.B eckcdsa
236	This is an unofficial elliptic-curve analogue of the KCDSA algorithm.
237	Use the
238	.B ec
239	algorithm of the
240	.B key add
241	command (see
242	.BR key (1))
243	to generate the key.
244	.PP
245	As well as the signature algorithm itself, a hash function is used.
246	This is taken from the
247	.B hash
248	attribute on the key, or, failing that, from the
249	.I hash
250	specified in the
251	.IR sigalgspec ,
252	or, if that is absent, determined by the signature algorithm as follows.
253	.hP \*o
254	For
255	.BR rsapkcs1 ,
256	.BR rsapss ,
257	.BR dsa ,
258	and
259	.BR ecdsa ,
260	the default hash function is
261	.BR sha .
262	.hP \*o
263	For
264	.BR kcdsa
265	and
266	.BR eckcdsa ,
267	the default hash function is
268	.BR has160 .
269	.PP
270	Run
271	.B catsign show hash
272	for a list of supported hash functions.
273	.SH "ENCODINGS"
274	Two encodings for the ciphertext are supported.
275	.TP
276	.B binary
277	The raw format, which has the benefit of being smaller, but needs to be
278	attached to mail messages and generally handled with care.
279	.TP
280	.B pem
281	PEM-encapsulated Base-64 encoded text. This format can be included
282	directly in email and picked out again automatically; but there is a
283	4-to-3 data expansion as a result.
284	.SH "SIGNATURE FORMATS"
285	There are two basic signature formats understood by
286	.BR catsign .
287	.hP \*o
288	Embedded signatures include (embed) the message they sign; hence they're
289	complete in and of themselves. The
290	.B catsign
291	program extracts the message during signature verification.
292	.hP \*o
293	Detached signatures are separate from the messages they sign, and both
294	the original file and the signature are required for a successful
295	verification.
296	.PP
297	Another important distinction is whether the message data is considered
298	to be plain text or raw binary data.
299	.hP \*o
300	When dealing with plain text,
301	.B catsign
302	allows a limited quantity of leeway in the messages it processes. It
303	ignores trailing whitespace on a line, including stray carriage-returns,
304	which may appear if Windows boxes have had their way with the data. It
305	also appends a final newline if there wasn't one before. In embedded
306	signatures, the text is left unencoded, so that the message is readable.
307	.hP \*o
308	Binary files are preserved completely, and no variation whatever is
309	permitted.
310	.PP
311	The
312	.VS
313	catsign format
314	.VE
315	command can convert between detached and embedded signatures; it cannot
316	convert between binary and text mode signatures. (The data actually
317	signed includes a flag saying whether the message is textual. The
318	rationale here is that what looks like an ASCII space before a newline
319	may be devastatingly significant in a binary data file, and if a message
320	is signed as raw binary then no changes whatever should be allowed.)
321	.SH "COMMAND REFERENCE"
322	.SS help
323	The
324	.B help
325	command behaves exactly as the
326	.B \-\-help
327	option. With no arguments, it shows an overview of
328	.BR catsign 's
329	options; with arguments, it describes the named subcommands.
330	.SS show
331	The
332	.B show
333	command prints various lists of tokens understood by
334	.BR catsign .
335	With no arguments, it prints all of the lists; with arguments, it prints
336	just the named lists, in order. The recognized lists can be enumerated
337	using the
338	.VS
339	catsign show list
340	.VE
341	command. The lists are as follows.
342	.TP
343	.B list
344	The lists which can be enumerated by the
345	.B show
346	command.
347	.TP
348	.B sig
349	The signature algorithms which can be used in a signing key's
350	.B sig
351	attribute.
352	.TP
353	.B hash
354	The hash functions which can be used in a key's
355	.B hash
356	attribute.
357	.TP
358	.B enc
359	The encodings which can be applied to encrypted messages; see
360	.B ENCODINGS
361	above.
362	.SS sign
363	The
364	.B sign
365	command signs a message and writes out an appropriately-encoded
366	signature. By default, it reads a message from standard input and
367	writes the signature to standard output. If a filename argument is
368	given, this file is read instead.
369	.PP
370	The following options are recognized.
371	.TP
372	.B "\-a, \-\-armour"
373	Produce ASCII-armoured output. This is equivalent to specifying
374	.BR "\-f pem" .
375	The variant spelling
376	.B "\-\-armor"
377	is also accepted.
378	.TP
379	.B "\-b, \-\-binary"
380	Read and sign the input as binary data. The default is to treat the
381	input as text.
382	.TP
383	.B "\-d, \-\-detach"
384	Produce a detached signature. The default is to produce a signature
385	with embedded message.
386	.TP
387	.BI "\-f, \-\-format " format
388	Produce output encoded according to
389	.IR format .
390	.TP
391	.BI "\-k, \-\-key " tag
392	Use the signing key named
393	.I tag
394	in the current keyring; the default key is
395	.BR ccsig .
396	.TP
397	.BI "\-o, \-\-ouptut " file
398	Write output to
399	.I file
400	rather than to standard output.
401	.TP
402	.B "\-t, \-\-text"
403	Read and sign the input as text. This is the default.
404	.SS verify
405	The
406	.B verify
407	command checks a signature's validity, producing as output information
408	about the signature and the signed message.
409	.PP
410	The first non-option argument is the name of the file containing the
411	signature data; this may be omitted or
412	.RB ` \- '
413	to indicate that the signature be read from standard input. The second
414	non-option argument, if any, is the name of the file to read the message
415	from, if the signature is detached. An error is reported if a message
416	file is specified but the signature contains an embedded message
417	already; if the signature is detached but no filename is given, then the
418	message is expected on stdin (immediately after the signature, if any).
419	.TP
420	.B "\-a, \-\-armour"
421	Read ASCII-armoured input. This is equivalent to specifying
422	.BR "\-f pem" .
423	The variant spelling
424	.B "\-\-armor"
425	is also accepted.
426	.TP
427	.B "\-b, \-\-buffer"
428	Buffer the message until the signature is verified. This is forced on
429	if output is to stdout, but is always available as an option.
430	.TP
431	.BI "\-f, \-\-format " format
432	Read input encoded according to
433	.IR format .
434	.TP
435	.B "\-v, \-\-verbose"
436	Produce more verbose messages. See below for the messages produced
437	during decryption. The default verbosity level is 1. (Currently this
438	is the most verbose setting. This might not be the case always.)
439	.B "\-q, \-\-quiet"
440	Produce fewer messages.
441	.TP
442	.BI "\-k, \-\-key " tag
443	Usually
444	.B catsign
445	uses the signature header to work out which key to use to verify a
446	signature. Using this option causes verification to fail unless the
447	signature header specifies the key named
448	.IR tag .
449	.TP
450	.B "\-u, \-\-utc"
451	Show the datestamp in the signature in UTC rather than (your) local
452	time. The synonym
453	.B \-\-gmt
454	is also accepted.
455	.TP
456	.BI "\-o, \-\-output " file
457	Write the verified message to
458	.IR file .
459	The file is written in text or binary
460	mode as appropriate. The default is to write the message to standard
461	output unless verifying a detached signature, in which case nothing is
462	written.
463	.PP
464	Output is written to standard output in a machine-readable format.
465	Major problems cause the program to write a diagnostic to standard error
466	and exit nonzero as usual. The quantity of output varies depending on
467	the verbosity level and whether the message is also being written to
468	standard output. Output lines begin with a keyword:
469	.TP
470	.BI "FAIL " reason
471	An error prevented verification. The program will exit nonzero.
472	.TP
473	.BI "WARN " reason
474	.B catsign
475	encountered a situation which may or may not invalidate the
476	verification.
477	.TP
478	.BI "OK " message
479	Verification was successful. This is only produced if the message is
480	being sent somewhere other than standard output.
481	.TP
482	.B "DATA"
483	The message follows, starting just after the next newline character or
484	sequence. This is only produced if the message is being written to
485	standard output.
486	.TP
487	.BI "INFO " note
488	Any other information.
489	.PP
490	The information written at the various verbosity levels is as follows.
491	.hP 0.
492	No output. Watch the exit status.
493	.hP 1.
494	All messages.
495	.PP
496	.B Warning!
497	All output written has been checked for authenticity. However, output
498	can fail madway through for many reasons, and the resulting message may
499	therefore be truncated. Don't rely on the output being complete until
500	.B OK is printed or
501	.B catsign verify
502	exits successfully.
503	.SS info
504	The
505	.B info
506	command analyses a signature without verifying it, and prints
507	interesting information about it. This might be useful for diagnostic
508	purposes. No keys are needed for this operation, though you get more
509	useful information if you have them.
510	.PP
511	If a non-option argument is given, and it is not
512	.RB ` \- ',
513	then it is taken to name the file containing the signature to parse;
514	otherwise a signature is read from standard input.
515	.PP
516	The following options are recognized.
517	.TP
518	.B "\-a, \-\-armour"
519	Read ASCII-armoured input. This is equivalent to specifying
520	.BR "\-f pem" .
521	The variant spelling
522	.B "\-\-armor"
523	is also accepted.
524	.TP
525	.BI "\-f, \-\-format " format
526	Read input encoded according to
527	.IR format .
528	.TP
529	.B "\-u, \-\-utc"
530	Show the datestamp in the signature in UTC rather than (your) local
531	time. The synonym
532	.B \-\-gmt
533	is also accepted.
534	.PP
535	A description of the signature block is produced on standard output; it
536	is mostly machine-readable. The first word on each line explains what
537	kind of output it is.
538	.TP
539	.BI "BAD " message
540	The signature data is invalid and cannot be parsed.
541	.TP
542	.BI "WARN " message
543	Something is wrong with the data, but isn't fatal.
544	.TP
545	.BI "NOTE " message
546	An environmental problem means that the information isn't as helpful as
547	it might be. For example, the keyring file can't be opened, so we don't
548	know whether the verification key is there.
549	.TP
550	.BI "INFO flags " flags
551	Describes the flags set in the signature header. The
552	.I flags
553	are a list of flags, one per word, preceded by a
554	.RB ` ! '
555	if the flag is clear.
556	.TP
557	.BI "INFO expected-flags " flags
558	If the PEM boundary string didn't match the actual signature data then
559	this line is output, listing the expected flags and their settings.
560	Problems with boundary mismatches can be resolved using the
561	.B format
562	command.
563	.TP
564	.BI "INFO date " yyyy "\-" mm "\-" dd " " hh ":" mm ":" ss " " tz
565	Signature was (allegedly!) made at the given time and date. If the
566	.B \-u
567	option was given, this will be in UTC.
568	.TP
569	.BI "INFO key " tag
570	Signature was (allegedly!) made using the key
571	.IR tag ,
572	which is present in the current keyring.
573	.TP
574	.BI "INFO unknown-key " keyid
575	Signature was (allegedly!) made using the key with id
576	.IR keyid
577	which is not in the current keyring (or the keyring wasn't found).
578	.SS format
579	The
580	.B format
581	command translates signatures between the various supported formats.
582	This is a (slightly) more complex operation than re-encoding, though it
583	does not require any cryptographic operations.
584	.PP
585	The first non-option argument is the name of the file containing the
586	signature data; this may be omitted or
587	.RB ` \- '
588	to indicate that the signature be read from standard input. The second
589	non-option argument, if any, is the name of the file to read the message
590	from, if the signature is detached. An error is reported if a message
591	file is specified but the signature contains an embedded message
592	already; if the signature is detached but no filename is given, then the
593	message is expected on stdin (immediately after the signature, if any).
594	.PP
595	The options follow a rough convention: options describing the input
596	format are lower-case and options specifying the output format are
597	upper-case. The following options are recognized.
598	.TP "\-a, \-\-armour-in"
599	Read ASCII-armoured input. This is equivalent to specifying
600	.BR "\-f pem" .
601	The variant spelling
602	.B "\-\-armor"
603	is also accepted.
604	.TP "\-A, \-\-armour-out"
605	Produce ASCII-armoured output. This is equivalent to specifying
606	.BR "\-F pem" .
607	The variant spelling
608	.B "\-\-armor-out"
609	is also accepted.
610	.TP
611	.B "\-D, \-\-detach"
612	Produce a detached signature. This may be used to detach a signature
613	from an embedded message.
614	.TP
615	.B "\-E, \-\-embed"
616	Produce a signature with embedded message. This may be used to
617	reattach a message to its detached signature.
618	.TP
619	.BI "\-f, \-\-format-in " format
620	Read input encoded according to
621	.IR format .
622	.TP
623	.BI "\-F, \-\-format-out " format
624	Produce output encoded according to
625	.IR format .
626	.TP
627	.BI "\-m, \-\-message " file
628	Write the message to
629	.IR file .
630	If
631	.I file
632	is
633	.RB ` \- '
634	then write the message to standard output. Don't send the message and
635	signature to the same place because it doesn't work.
636	.TP
637	.BI "\-o, \-\-output " file
638	Write the signature to
639	.IR file .
640	If no
641	.B \-m
642	or
643	.B \-o
644	option is given, a signature is written to standard output.
e1cba07d	645	.SS "encode"
	646	The
	647	.B encode
	648	command encodes an input file according to one of the encodings
	649	described above in
	650	.BR ENCODINGS .
	651	The input is read from the
	652	.I file
	653	given on the command line, or from standard input if none is specified.
	654	Options provided are:
	655	.TP
	656	.BI "\-f, \-\-format " format
	657	Produce output in
	658	.IR format .
	659	Run
65802cb1	660	.B catsign show enc
e1cba07d	661	for a list of encoding formats.
	662	.TP
	663	.BI "\-b, \-\-boundary " label
	664	Set the PEM boundary string to
	665	.IR label ;
	666	i.e., assuming we're encoding in PEM format, the output will have
	667	.BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-"
	668	at the top and
	669	.BI "\-\-\-\-\-END " label "\-\-\-\-\-"
	670	at the bottom. The default
	671	.I label
	672	is
	673	.BR MESSAGE .
	674	.TP
	675	.BI "\-o, \-\-output " file
	676	Write output to
	677	.I file
	678	instead of to standard output.
	679	.SS "decode"
	680	The
	681	.B decode
	682	command decodes an input file encoded according to one of the encodings
	683	described above in
	684	.BR ENCODINGS .
	685	The input is read from the
	686	.I file
	687	given on the command line, or from standard input if none is specified.
	688	Options provided are:
	689	.TP
	690	.BI "\-f, \-\-format " format
	691	Decode input in
	692	.IR format .
	693	Run
65802cb1	694	.B catsign show enc
e1cba07d	695	for a list of encoding formats.
	696	.TP
	697	.BI "\-b, \-\-boundary " label
	698	Set the PEM boundary string to
	699	.IR label ;
	700	i.e., assuming we're encoding in PEM format, start processing input
	701	between
	702	.BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-"
	703	and
	704	.BI "\-\-\-\-\-END " label "\-\-\-\-\-"
	705	lines. Without this option,
65802cb1	706	.B catsign
e1cba07d	707	will start reading at the first plausible boundary string, and continue
	708	processing until it reaches the matching end boundary.
	709	.TP
	710	.BI "\-o, \-\-output " file
	711	Write output to
	712	.I file
	713	instead of to standard output.
fa54fe1e	714	.SH "BUGS"
	715	The trailing-whitespace deletion doesn't work for more than 32K of
	716	whitespace. I don't think this is a big problem, really.
	717	.PP
	718	The
	719	.B format
	720	command does something unhelpful if message and signature are sent to
	721	the same file.
	722	.SH "SEE ALSO"
	723	.BR key (1),
	724	.BR catcrypt (1),
	725	.BR dsig (1),
	726	.BR hashsum (1),
	727	.BR keyring (5).
	728	.SH AUTHOR
	729	Mark Wooding, <mdw@nsict.org>