fa54fe1e |
1 | .\" -*-nroff-*- |
2 | .de VS |
3 | .sp 1 |
4 | .RS |
5 | .nf |
6 | .ft B |
7 | .. |
8 | .de VE |
9 | .ft R |
10 | .fi |
11 | .RE |
12 | .sp 1 |
13 | .. |
14 | .ie t \{\ |
15 | . if \n(.g \{\ |
16 | . fam P |
17 | . \} |
18 | .\} |
19 | .de hP |
20 | .IP |
21 | .ft B |
22 | \h'-\w'\\$1\ 'u'\\$1\ \c |
23 | .ft P |
24 | .. |
25 | .ie t .ds o \(bu |
26 | .el .ds o o |
27 | .TH catsign 1 "17 March 2005" "Straylight/Edgeware" "Catacomb cryptographic library" |
28 | .SH NAME |
29 | catsign \- sign and verify messages |
30 | .SH SYNOPSIS |
31 | .B catsign |
32 | .RB [ \-k |
33 | .IR keyring ] |
34 | .I command |
35 | .PP |
36 | where |
37 | .I command |
38 | is one of: |
39 | .PP |
40 | .B help |
41 | .RI [ command ...] |
42 | .br |
43 | .B show |
44 | .RI [ item ...] |
45 | .br |
46 | .B sign |
946c3f72 |
47 | .RB [ \-adtC ] |
fa54fe1e |
48 | .RB [ \-k |
49 | .IR tag ] |
50 | .RB [ \-f |
51 | .IR format ] |
52 | .RB [ \-o |
53 | .IR output ] |
54 | .RI [ file ] |
55 | .br |
56 | .B verify |
946c3f72 |
57 | .RB [ \-aquvC ] |
fa54fe1e |
58 | .RB [ \-k |
59 | .IR tag ] |
60 | .RB [ \-f |
61 | .IR format ] |
9cea6911 |
62 | .RB [ \-t |
63 | .IR time ] |
fa54fe1e |
64 | .br |
65 | |
66 | .RB [ \-o |
67 | .IR output ] |
68 | .RI [ file |
69 | .RI [ message ]] |
70 | .br |
71 | .B info |
72 | .RB [ \-a ] |
73 | .RB [ \-f |
74 | .IR format ] |
75 | .RI [ file ] |
76 | .br |
77 | .B format |
78 | .RB [ \-auABDET ] |
79 | .RB [ \-f |
80 | .IR format ] |
81 | .RB [ \-F |
82 | .IR format ] |
83 | .br |
84 | |
85 | .RB [ \-m |
86 | .IR file ] |
87 | .RB [ \-o |
88 | .IR output ] |
89 | .RI [ file |
90 | .RI [ message ]] |
91 | .br |
92 | .B encode |
93 | .RB [ \-f |
94 | .IR format ] |
95 | .RB [ \-b |
96 | .IR boundary ] |
97 | .RB [ \-o |
98 | .IR output ] |
99 | .RI [ file ] |
100 | .br |
101 | .B decode |
102 | .RB [ \-f |
103 | .IR format ] |
104 | .RB [ \-b |
105 | .IR boundary ] |
106 | .RB [ \-o |
107 | .IR output ] |
108 | .RI [ file ] |
109 | .SH "DESCRIPTION" |
110 | The |
111 | .B catsign |
112 | command signs and verifies messages. It also works as a simple PEM |
113 | encoder and decoder. It provides a number of subcommands, by which the |
114 | various operations may be carried out. |
115 | .SS "Global options" |
116 | Before the command name, |
117 | .I "global options" |
118 | may be given. The following global options are supported: |
119 | .TP |
120 | .BR "\-h, \-\-help " [ \fIcommand ...] |
121 | Writes a brief summary of |
122 | .BR catsign 's |
123 | various options to standard output, and returns a successful exit |
124 | status. With command names, gives help on those commands. |
125 | .TP |
126 | .B "\-v, \-\-version" |
127 | Writes the program's version number to standard output, and returns a |
128 | successful exit status. |
129 | .TP |
130 | .B "\-u, \-\-usage" |
131 | Writes a very terse command line summary to standard output, and returns |
132 | a successful exit status. |
133 | .TP |
134 | .BI "\-k, \-\-keyring " file |
135 | Names the keyring file which |
136 | .B key |
137 | is to process. The default keyring, used if this option doesn't specify |
138 | one, is the file named |
139 | .B keyring |
140 | in the current directory. See |
141 | .BR key (1) |
142 | and |
143 | .BR keyring (5) |
144 | for more details about keyring files. |
145 | .SH "KEY SETUP" |
146 | Algorithms to be used with a particular key are described by attributes |
147 | on the key, or its type. The |
148 | .B catsign |
149 | command deals with signing keys. (Note that |
150 | .B catsign |
151 | uses signing keys in the same way as |
152 | .BR catcrypt (1).) |
153 | .PP |
154 | A |
155 | .I sigalgspec |
156 | has the form |
157 | .IR sig \c |
158 | .RB [ / \c |
159 | .IR hash ]. |
160 | If a |
161 | .B sig |
162 | attribute is present on the key, then it must have this form; otherwise, |
163 | the key's type must have the form |
164 | .BI ccsig- \c |
165 | .IR sigalgspec . |
166 | Algorithm selections are taken from appropriately-named attributes, or, |
167 | failing that, from the |
168 | .IR sigalgspec . |
169 | .PP |
170 | The signature algorithm is chosen according to the setting of |
171 | .I sig |
172 | as follows. Run |
173 | .B catsign show sig |
174 | for a list of supported signature algorithms. |
175 | .TP |
176 | .B rsapkcs1 |
177 | This is almost the same as the RSASSA-PKCS1-v1_5 algorithm described in |
178 | RFC3447; the difference is that the hash is left bare rather than being |
179 | wrapped in a DER-encoded |
180 | .B DigestInfo |
181 | structure. This doesn't affect security since the key can only be used |
182 | with the one hash function anyway, and dropping the DER wrapping permits |
183 | rapid adoption of new hash functions. Regardless, use of this algorithm |
184 | is not recommended, since the padding method has been shown vulnerable |
185 | to attack. Use the |
186 | .B rsa |
187 | algorithm of the |
188 | .B key add |
189 | command (see |
190 | .BR key (1)) |
191 | to generate the key. |
192 | .TP |
193 | .B rsapss |
194 | This is the RSASSA-PSS algorithm described in RFC3447. It is the |
195 | preferred RSA-based signature scheme. Use the |
196 | .B rsa |
197 | algorithm of the |
198 | .B key add |
199 | command (see |
200 | .BR key (1)) |
201 | to generate the key. |
202 | .TP |
203 | .B dsa |
204 | This is the DSA algorithm described in FIPS180-1 and FIPS180-2. Use the |
205 | .B dsa |
206 | algorithm of the |
207 | .B key add |
208 | command (see |
209 | .BR key (1)) |
210 | to generate the key. |
211 | .TP |
212 | .B ecdsa |
213 | This is the ECDSA algorithm described in ANSI X9.62 and FIPS180-2. Use |
214 | the |
215 | .B ec |
216 | algorithm of the |
217 | .B key add |
218 | command (see |
219 | .BR key (1)) |
220 | to generate the key. |
221 | .TP |
222 | .B kcdsa |
223 | This is the revised KCDSA (Korean Certificate-based Digital Signature |
224 | Algorithm) described in |
225 | .I The Revised Version of KCDSA |
226 | .RB ( http://dasan.sejong.ac.kr/~chlim/pub/kcdsa1.ps ). |
227 | Use the |
228 | .B dh |
229 | algorithm of the |
230 | .B key add |
231 | command with the |
232 | .B \-LS |
233 | options (see |
234 | .BR key (1)) |
235 | to generate the key. |
236 | .TP |
237 | .B eckcdsa |
238 | This is an unofficial elliptic-curve analogue of the KCDSA algorithm. |
239 | Use the |
240 | .B ec |
241 | algorithm of the |
242 | .B key add |
243 | command (see |
244 | .BR key (1)) |
245 | to generate the key. |
246 | .PP |
247 | As well as the signature algorithm itself, a hash function is used. |
248 | This is taken from the |
249 | .B hash |
250 | attribute on the key, or, failing that, from the |
251 | .I hash |
252 | specified in the |
253 | .IR sigalgspec , |
254 | or, if that is absent, determined by the signature algorithm as follows. |
255 | .hP \*o |
256 | For |
257 | .BR rsapkcs1 , |
258 | .BR rsapss , |
259 | .BR dsa , |
260 | and |
261 | .BR ecdsa , |
262 | the default hash function is |
263 | .BR sha . |
264 | .hP \*o |
265 | For |
266 | .BR kcdsa |
267 | and |
268 | .BR eckcdsa , |
269 | the default hash function is |
270 | .BR has160 . |
271 | .PP |
272 | Run |
273 | .B catsign show hash |
274 | for a list of supported hash functions. |
275 | .SH "ENCODINGS" |
276 | Two encodings for the ciphertext are supported. |
277 | .TP |
278 | .B binary |
279 | The raw format, which has the benefit of being smaller, but needs to be |
280 | attached to mail messages and generally handled with care. |
281 | .TP |
282 | .B pem |
283 | PEM-encapsulated Base-64 encoded text. This format can be included |
284 | directly in email and picked out again automatically; but there is a |
285 | 4-to-3 data expansion as a result. |
286 | .SH "SIGNATURE FORMATS" |
287 | There are two basic signature formats understood by |
288 | .BR catsign . |
289 | .hP \*o |
290 | Embedded signatures include (embed) the message they sign; hence they're |
291 | complete in and of themselves. The |
292 | .B catsign |
293 | program extracts the message during signature verification. |
294 | .hP \*o |
295 | Detached signatures are separate from the messages they sign, and both |
296 | the original file and the signature are required for a successful |
297 | verification. |
298 | .PP |
299 | Another important distinction is whether the message data is considered |
300 | to be plain text or raw binary data. |
301 | .hP \*o |
302 | When dealing with plain text, |
303 | .B catsign |
304 | allows a limited quantity of leeway in the messages it processes. It |
305 | ignores trailing whitespace on a line, including stray carriage-returns, |
306 | which may appear if Windows boxes have had their way with the data. It |
307 | also appends a final newline if there wasn't one before. In embedded |
308 | signatures, the text is left unencoded, so that the message is readable. |
309 | .hP \*o |
310 | Binary files are preserved completely, and no variation whatever is |
311 | permitted. |
312 | .PP |
313 | The |
314 | .VS |
315 | catsign format |
316 | .VE |
317 | command can convert between detached and embedded signatures; it cannot |
318 | convert between binary and text mode signatures. (The data actually |
319 | signed includes a flag saying whether the message is textual. The |
320 | rationale here is that what looks like an ASCII space before a newline |
321 | may be devastatingly significant in a binary data file, and if a message |
322 | is signed as raw binary then no changes whatever should be allowed.) |
323 | .SH "COMMAND REFERENCE" |
324 | .SS help |
325 | The |
326 | .B help |
327 | command behaves exactly as the |
328 | .B \-\-help |
329 | option. With no arguments, it shows an overview of |
330 | .BR catsign 's |
331 | options; with arguments, it describes the named subcommands. |
332 | .SS show |
333 | The |
334 | .B show |
335 | command prints various lists of tokens understood by |
336 | .BR catsign . |
337 | With no arguments, it prints all of the lists; with arguments, it prints |
338 | just the named lists, in order. The recognized lists can be enumerated |
339 | using the |
340 | .VS |
341 | catsign show list |
342 | .VE |
343 | command. The lists are as follows. |
344 | .TP |
345 | .B list |
346 | The lists which can be enumerated by the |
347 | .B show |
348 | command. |
349 | .TP |
350 | .B sig |
351 | The signature algorithms which can be used in a signing key's |
352 | .B sig |
353 | attribute. |
354 | .TP |
355 | .B hash |
356 | The hash functions which can be used in a key's |
357 | .B hash |
358 | attribute. |
359 | .TP |
360 | .B enc |
361 | The encodings which can be applied to encrypted messages; see |
362 | .B ENCODINGS |
363 | above. |
364 | .SS sign |
365 | The |
366 | .B sign |
367 | command signs a message and writes out an appropriately-encoded |
368 | signature. By default, it reads a message from standard input and |
369 | writes the signature to standard output. If a filename argument is |
370 | given, this file is read instead. |
371 | .PP |
372 | The following options are recognized. |
373 | .TP |
374 | .B "\-a, \-\-armour" |
375 | Produce ASCII-armoured output. This is equivalent to specifying |
376 | .BR "\-f pem" . |
377 | The variant spelling |
378 | .B "\-\-armor" |
379 | is also accepted. |
380 | .TP |
381 | .B "\-b, \-\-binary" |
382 | Read and sign the input as binary data. The default is to treat the |
383 | input as text. |
384 | .TP |
385 | .B "\-d, \-\-detach" |
386 | Produce a detached signature. The default is to produce a signature |
387 | with embedded message. |
388 | .TP |
389 | .BI "\-f, \-\-format " format |
390 | Produce output encoded according to |
391 | .IR format . |
392 | .TP |
393 | .BI "\-k, \-\-key " tag |
394 | Use the signing key named |
395 | .I tag |
396 | in the current keyring; the default key is |
397 | .BR ccsig . |
398 | .TP |
399 | .BI "\-o, \-\-ouptut " file |
400 | Write output to |
401 | .I file |
402 | rather than to standard output. |
403 | .TP |
404 | .B "\-t, \-\-text" |
405 | Read and sign the input as text. This is the default. |
946c3f72 |
406 | .TP |
407 | .B "\-C, \-\-nocheck" |
408 | Don't check the private key for validity. This makes signing go much |
409 | faster, but at the risk of using a duff key, and potentially leaking |
410 | information about the private key. |
fa54fe1e |
411 | .SS verify |
412 | The |
413 | .B verify |
414 | command checks a signature's validity, producing as output information |
415 | about the signature and the signed message. |
416 | .PP |
417 | The first non-option argument is the name of the file containing the |
418 | signature data; this may be omitted or |
419 | .RB ` \- ' |
420 | to indicate that the signature be read from standard input. The second |
421 | non-option argument, if any, is the name of the file to read the message |
422 | from, if the signature is detached. An error is reported if a message |
423 | file is specified but the signature contains an embedded message |
424 | already; if the signature is detached but no filename is given, then the |
425 | message is expected on stdin (immediately after the signature, if any). |
426 | .TP |
427 | .B "\-a, \-\-armour" |
428 | Read ASCII-armoured input. This is equivalent to specifying |
429 | .BR "\-f pem" . |
430 | The variant spelling |
431 | .B "\-\-armor" |
432 | is also accepted. |
433 | .TP |
434 | .B "\-b, \-\-buffer" |
435 | Buffer the message until the signature is verified. This is forced on |
436 | if output is to stdout, but is always available as an option. |
437 | .TP |
438 | .BI "\-f, \-\-format " format |
439 | Read input encoded according to |
440 | .IR format . |
441 | .TP |
442 | .B "\-v, \-\-verbose" |
443 | Produce more verbose messages. See below for the messages produced |
444 | during decryption. The default verbosity level is 1. (Currently this |
445 | is the most verbose setting. This might not be the case always.) |
21aac40c |
446 | .TP |
fa54fe1e |
447 | .B "\-q, \-\-quiet" |
448 | Produce fewer messages. |
449 | .TP |
450 | .BI "\-k, \-\-key " tag |
451 | Usually |
452 | .B catsign |
453 | uses the signature header to work out which key to use to verify a |
454 | signature. Using this option causes verification to fail unless the |
455 | signature header specifies the key named |
456 | .IR tag . |
457 | .TP |
9cea6911 |
458 | .BI "\-t, \-\-freshtime " time |
459 | Only accept signatures claiming to have been made more recently than |
460 | .IR time . |
461 | If |
462 | .I time |
463 | is |
464 | .B always |
465 | (the default) then any timestamp in the past is acceptable. |
466 | .TP |
fa54fe1e |
467 | .B "\-u, \-\-utc" |
468 | Show the datestamp in the signature in UTC rather than (your) local |
469 | time. The synonym |
470 | .B \-\-gmt |
471 | is also accepted. |
472 | .TP |
473 | .BI "\-o, \-\-output " file |
474 | Write the verified message to |
475 | .IR file . |
476 | The file is written in text or binary |
477 | mode as appropriate. The default is to write the message to standard |
478 | output unless verifying a detached signature, in which case nothing is |
479 | written. |
946c3f72 |
480 | .TP |
481 | .B "\-C, \-\-nocheck" |
482 | Don't check the public key for validity. This makes verification go |
483 | much faster, but at the risk of using a duff key, and potentially |
484 | accepting false signatures. |
fa54fe1e |
485 | .PP |
486 | Output is written to standard output in a machine-readable format. |
487 | Major problems cause the program to write a diagnostic to standard error |
488 | and exit nonzero as usual. The quantity of output varies depending on |
489 | the verbosity level and whether the message is also being written to |
490 | standard output. Output lines begin with a keyword: |
491 | .TP |
492 | .BI "FAIL " reason |
493 | An error prevented verification. The program will exit nonzero. |
494 | .TP |
495 | .BI "WARN " reason |
496 | .B catsign |
497 | encountered a situation which may or may not invalidate the |
498 | verification. |
499 | .TP |
500 | .BI "OK " message |
501 | Verification was successful. This is only produced if the message is |
502 | being sent somewhere other than standard output. |
503 | .TP |
504 | .B "DATA" |
505 | The message follows, starting just after the next newline character or |
506 | sequence. This is only produced if the message is being written to |
507 | standard output. |
508 | .TP |
509 | .BI "INFO " note |
510 | Any other information. |
511 | .PP |
512 | The information written at the various verbosity levels is as follows. |
513 | .hP 0. |
514 | No output. Watch the exit status. |
515 | .hP 1. |
516 | All messages. |
517 | .PP |
518 | .B Warning! |
519 | All output written has been checked for authenticity. However, output |
520 | can fail madway through for many reasons, and the resulting message may |
521 | therefore be truncated. Don't rely on the output being complete until |
4224d0b9 |
522 | .B OK |
523 | is printed or |
fa54fe1e |
524 | .B catsign verify |
525 | exits successfully. |
526 | .SS info |
527 | The |
528 | .B info |
529 | command analyses a signature without verifying it, and prints |
530 | interesting information about it. This might be useful for diagnostic |
531 | purposes. No keys are needed for this operation, though you get more |
532 | useful information if you have them. |
533 | .PP |
534 | If a non-option argument is given, and it is not |
535 | .RB ` \- ', |
536 | then it is taken to name the file containing the signature to parse; |
537 | otherwise a signature is read from standard input. |
538 | .PP |
539 | The following options are recognized. |
540 | .TP |
541 | .B "\-a, \-\-armour" |
542 | Read ASCII-armoured input. This is equivalent to specifying |
543 | .BR "\-f pem" . |
544 | The variant spelling |
545 | .B "\-\-armor" |
546 | is also accepted. |
547 | .TP |
548 | .BI "\-f, \-\-format " format |
549 | Read input encoded according to |
550 | .IR format . |
551 | .TP |
552 | .B "\-u, \-\-utc" |
553 | Show the datestamp in the signature in UTC rather than (your) local |
554 | time. The synonym |
555 | .B \-\-gmt |
556 | is also accepted. |
557 | .PP |
558 | A description of the signature block is produced on standard output; it |
559 | is mostly machine-readable. The first word on each line explains what |
560 | kind of output it is. |
561 | .TP |
562 | .BI "BAD " message |
563 | The signature data is invalid and cannot be parsed. |
564 | .TP |
565 | .BI "WARN " message |
566 | Something is wrong with the data, but isn't fatal. |
567 | .TP |
568 | .BI "NOTE " message |
569 | An environmental problem means that the information isn't as helpful as |
570 | it might be. For example, the keyring file can't be opened, so we don't |
571 | know whether the verification key is there. |
572 | .TP |
573 | .BI "INFO flags " flags |
574 | Describes the flags set in the signature header. The |
575 | .I flags |
576 | are a list of flags, one per word, preceded by a |
577 | .RB ` ! ' |
578 | if the flag is clear. |
579 | .TP |
580 | .BI "INFO expected-flags " flags |
581 | If the PEM boundary string didn't match the actual signature data then |
582 | this line is output, listing the expected flags and their settings. |
583 | Problems with boundary mismatches can be resolved using the |
584 | .B format |
585 | command. |
586 | .TP |
587 | .BI "INFO date " yyyy "\-" mm "\-" dd " " hh ":" mm ":" ss " " tz |
588 | Signature was (allegedly!) made at the given time and date. If the |
589 | .B \-u |
590 | option was given, this will be in UTC. |
591 | .TP |
592 | .BI "INFO key " tag |
593 | Signature was (allegedly!) made using the key |
594 | .IR tag , |
595 | which is present in the current keyring. |
596 | .TP |
597 | .BI "INFO unknown-key " keyid |
598 | Signature was (allegedly!) made using the key with id |
599 | .IR keyid |
600 | which is not in the current keyring (or the keyring wasn't found). |
601 | .SS format |
602 | The |
603 | .B format |
604 | command translates signatures between the various supported formats. |
605 | This is a (slightly) more complex operation than re-encoding, though it |
606 | does not require any cryptographic operations. |
607 | .PP |
608 | The first non-option argument is the name of the file containing the |
609 | signature data; this may be omitted or |
610 | .RB ` \- ' |
611 | to indicate that the signature be read from standard input. The second |
612 | non-option argument, if any, is the name of the file to read the message |
613 | from, if the signature is detached. An error is reported if a message |
614 | file is specified but the signature contains an embedded message |
615 | already; if the signature is detached but no filename is given, then the |
616 | message is expected on stdin (immediately after the signature, if any). |
617 | .PP |
618 | The options follow a rough convention: options describing the input |
619 | format are lower-case and options specifying the output format are |
620 | upper-case. The following options are recognized. |
0ac1f186 |
621 | .TP |
622 | .BI "\-a, \-\-armour-in" |
fa54fe1e |
623 | Read ASCII-armoured input. This is equivalent to specifying |
624 | .BR "\-f pem" . |
625 | The variant spelling |
626 | .B "\-\-armor" |
627 | is also accepted. |
0ac1f186 |
628 | .TP |
629 | .BI "\-A, \-\-armour-out" |
fa54fe1e |
630 | Produce ASCII-armoured output. This is equivalent to specifying |
631 | .BR "\-F pem" . |
632 | The variant spelling |
633 | .B "\-\-armor-out" |
634 | is also accepted. |
635 | .TP |
636 | .B "\-D, \-\-detach" |
637 | Produce a detached signature. This may be used to detach a signature |
638 | from an embedded message. |
639 | .TP |
640 | .B "\-E, \-\-embed" |
641 | Produce a signature with embedded message. This may be used to |
642 | reattach a message to its detached signature. |
643 | .TP |
644 | .BI "\-f, \-\-format-in " format |
645 | Read input encoded according to |
646 | .IR format . |
647 | .TP |
648 | .BI "\-F, \-\-format-out " format |
649 | Produce output encoded according to |
650 | .IR format . |
651 | .TP |
652 | .BI "\-m, \-\-message " file |
653 | Write the message to |
654 | .IR file . |
655 | If |
656 | .I file |
657 | is |
658 | .RB ` \- ' |
659 | then write the message to standard output. Don't send the message and |
660 | signature to the same place because it doesn't work. |
661 | .TP |
662 | .BI "\-o, \-\-output " file |
663 | Write the signature to |
664 | .IR file . |
665 | If no |
666 | .B \-m |
667 | or |
668 | .B \-o |
669 | option is given, a signature is written to standard output. |
e1cba07d |
670 | .SS "encode" |
671 | The |
672 | .B encode |
673 | command encodes an input file according to one of the encodings |
674 | described above in |
675 | .BR ENCODINGS . |
676 | The input is read from the |
677 | .I file |
678 | given on the command line, or from standard input if none is specified. |
679 | Options provided are: |
680 | .TP |
681 | .BI "\-f, \-\-format " format |
682 | Produce output in |
683 | .IR format . |
684 | Run |
65802cb1 |
685 | .B catsign show enc |
e1cba07d |
686 | for a list of encoding formats. |
687 | .TP |
688 | .BI "\-b, \-\-boundary " label |
689 | Set the PEM boundary string to |
690 | .IR label ; |
691 | i.e., assuming we're encoding in PEM format, the output will have |
692 | .BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-" |
693 | at the top and |
694 | .BI "\-\-\-\-\-END " label "\-\-\-\-\-" |
695 | at the bottom. The default |
696 | .I label |
697 | is |
698 | .BR MESSAGE . |
699 | .TP |
700 | .BI "\-o, \-\-output " file |
701 | Write output to |
702 | .I file |
703 | instead of to standard output. |
704 | .SS "decode" |
705 | The |
706 | .B decode |
707 | command decodes an input file encoded according to one of the encodings |
708 | described above in |
709 | .BR ENCODINGS . |
710 | The input is read from the |
711 | .I file |
712 | given on the command line, or from standard input if none is specified. |
713 | Options provided are: |
714 | .TP |
715 | .BI "\-f, \-\-format " format |
716 | Decode input in |
717 | .IR format . |
718 | Run |
65802cb1 |
719 | .B catsign show enc |
e1cba07d |
720 | for a list of encoding formats. |
721 | .TP |
722 | .BI "\-b, \-\-boundary " label |
723 | Set the PEM boundary string to |
724 | .IR label ; |
725 | i.e., assuming we're encoding in PEM format, start processing input |
726 | between |
727 | .BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-" |
728 | and |
729 | .BI "\-\-\-\-\-END " label "\-\-\-\-\-" |
730 | lines. Without this option, |
65802cb1 |
731 | .B catsign |
e1cba07d |
732 | will start reading at the first plausible boundary string, and continue |
733 | processing until it reaches the matching end boundary. |
734 | .TP |
735 | .BI "\-o, \-\-output " file |
736 | Write output to |
737 | .I file |
738 | instead of to standard output. |
fa54fe1e |
739 | .SH "BUGS" |
740 | The trailing-whitespace deletion doesn't work for more than 32K of |
741 | whitespace. I don't think this is a big problem, really. |
742 | .PP |
743 | The |
744 | .B format |
745 | command does something unhelpful if message and signature are sent to |
746 | the same file. |
747 | .SH "SEE ALSO" |
748 | .BR key (1), |
749 | .BR catcrypt (1), |
750 | .BR dsig (1), |
751 | .BR hashsum (1), |
752 | .BR keyring (5). |
753 | .SH AUTHOR |
f387fcb1 |
754 | Mark Wooding, <mdw@distorted.org.uk> |