projects
/
u
/
mdw
/
catacomb
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
hashsum.1: Fix counting error (left over from some previous edit).
[u/mdw/catacomb]
/
catsign.1
diff --git
a/catsign.1
b/catsign.1
index
961edc3
..
93fe70d
100644
(file)
--- a/
catsign.1
+++ b/
catsign.1
@@
-44,7
+44,7
@@
is one of:
.RI [ item ...]
.br
.B sign
.RI [ item ...]
.br
.B sign
-.RB [ \-adt ]
+.RB [ \-adt
C
]
.RB [ \-k
.IR tag ]
.RB [ \-f
.RB [ \-k
.IR tag ]
.RB [ \-f
@@
-54,13
+54,15
@@
is one of:
.RI [ file ]
.br
.B verify
.RI [ file ]
.br
.B verify
-.RB [ \-aquv ]
+.RB [ \-aquv
C
]
.RB [ \-k
.IR tag ]
.RB [ \-f
.IR format ]
.RB [ \-k
.IR tag ]
.RB [ \-f
.IR format ]
+.RB [ \-t
+.IR time ]
.br
.br
-
+
.RB [ \-o
.IR output ]
.RI [ file
.RB [ \-o
.IR output ]
.RI [ file
@@
-79,7
+81,7
@@
is one of:
.RB [ \-F
.IR format ]
.br
.RB [ \-F
.IR format ]
.br
-
+
.RB [ \-m
.IR file ]
.RB [ \-o
.RB [ \-m
.IR file ]
.RB [ \-o
@@
-146,7
+148,7
@@
on the key, or its type. The
.B catsign
command deals with signing keys. (Note that
.B catsign
.B catsign
command deals with signing keys. (Note that
.B catsign
-uses signing keys in the same way as
+uses signing keys in the same way as
.BR catcrypt (1).)
.PP
A
.BR catcrypt (1).)
.PP
A
@@
-174,7
+176,7
@@
for a list of supported signature algorithms.
.B rsapkcs1
This is almost the same as the RSASSA-PKCS1-v1_5 algorithm described in
RFC3447; the difference is that the hash is left bare rather than being
.B rsapkcs1
This is almost the same as the RSASSA-PKCS1-v1_5 algorithm described in
RFC3447; the difference is that the hash is left bare rather than being
-wrapped in a DER-encoded
+wrapped in a DER-encoded
.B DigestInfo
structure. This doesn't affect security since the key can only be used
with the one hash function anyway, and dropping the DER wrapping permits
.B DigestInfo
structure. This doesn't affect security since the key can only be used
with the one hash function anyway, and dropping the DER wrapping permits
@@
-199,7
+201,7
@@
command (see
to generate the key.
.TP
.B dsa
to generate the key.
.TP
.B dsa
-This is the DSA algorithm described in FIPS180-1 and FIPS180-2.
Use the
+This is the DSA algorithm described in FIPS180-1 and FIPS180-2. Use the
.B dsa
algorithm of the
.B key add
.B dsa
algorithm of the
.B key add
@@
-241,6
+243,21
@@
algorithm of the
command (see
.BR key (1))
to generate the key.
command (see
.BR key (1))
to generate the key.
+.TP
+.B mac
+This uses a symmetric message-authentication algorithm rather than a
+digital signature. The precise message-authentication scheme used is
+determined by the
+.B mac
+attribute on the key, which defaults to
+.IB hash -hmac
+if unspecified. Use the
+.B binary
+algorithm of the
+.B key add
+command (see
+.BR key (1))
+to generate the key.
.PP
As well as the signature algorithm itself, a hash function is used.
This is taken from the
.PP
As well as the signature algorithm itself, a hash function is used.
This is taken from the
@@
-261,7
+278,7
@@
the default hash function is
.BR sha .
.hP \*o
For
.BR sha .
.hP \*o
For
-.BR kcdsa
+.BR kcdsa
and
.BR eckcdsa ,
the default hash function is
and
.BR eckcdsa ,
the default hash function is
@@
-356,7
+373,7
@@
The hash functions which can be used in a key's
attribute.
.TP
.B enc
attribute.
.TP
.B enc
-The encodings which can be applied to encrypted messages; see
+The encodings which can be applied to encrypted messages; see
.B ENCODINGS
above.
.SS sign
.B ENCODINGS
above.
.SS sign
@@
-401,6
+418,11
@@
rather than to standard output.
.TP
.B "\-t, \-\-text"
Read and sign the input as text. This is the default.
.TP
.B "\-t, \-\-text"
Read and sign the input as text. This is the default.
+.TP
+.B "\-C, \-\-nocheck"
+Don't check the private key for validity. This makes signing go much
+faster, but at the risk of using a duff key, and potentially leaking
+information about the private key.
.SS verify
The
.B verify
.SS verify
The
.B verify
@@
-408,7
+430,7
@@
command checks a signature's validity, producing as output information
about the signature and the signed message.
.PP
The first non-option argument is the name of the file containing the
about the signature and the signed message.
.PP
The first non-option argument is the name of the file containing the
-signature data; this may be omitted or
+signature data; this may be omitted or
.RB ` \- '
to indicate that the signature be read from standard input. The second
non-option argument, if any, is the name of the file to read the message
.RB ` \- '
to indicate that the signature be read from standard input. The second
non-option argument, if any, is the name of the file to read the message
@@
-436,6
+458,7
@@
Read input encoded according to
Produce more verbose messages. See below for the messages produced
during decryption. The default verbosity level is 1. (Currently this
is the most verbose setting. This might not be the case always.)
Produce more verbose messages. See below for the messages produced
during decryption. The default verbosity level is 1. (Currently this
is the most verbose setting. This might not be the case always.)
+.TP
.B "\-q, \-\-quiet"
Produce fewer messages.
.TP
.B "\-q, \-\-quiet"
Produce fewer messages.
.TP
@@
-447,6
+470,15
@@
signature. Using this option causes verification to fail unless the
signature header specifies the key named
.IR tag .
.TP
signature header specifies the key named
.IR tag .
.TP
+.BI "\-t, \-\-freshtime " time
+Only accept signatures claiming to have been made more recently than
+.IR time .
+If
+.I time
+is
+.B always
+(the default) then any timestamp in the past is acceptable.
+.TP
.B "\-u, \-\-utc"
Show the datestamp in the signature in UTC rather than (your) local
time. The synonym
.B "\-u, \-\-utc"
Show the datestamp in the signature in UTC rather than (your) local
time. The synonym
@@
-460,6
+492,11
@@
The file is written in text or binary
mode as appropriate. The default is to write the message to standard
output unless verifying a detached signature, in which case nothing is
written.
mode as appropriate. The default is to write the message to standard
output unless verifying a detached signature, in which case nothing is
written.
+.TP
+.B "\-C, \-\-nocheck"
+Don't check the public key for validity. This makes verification go
+much faster, but at the risk of using a duff key, and potentially
+accepting false signatures.
.PP
Output is written to standard output in a machine-readable format.
Major problems cause the program to write a diagnostic to standard error
.PP
Output is written to standard output in a machine-readable format.
Major problems cause the program to write a diagnostic to standard error
@@
-496,8
+533,9
@@
All messages.
.B Warning!
All output written has been checked for authenticity. However, output
can fail madway through for many reasons, and the resulting message may
.B Warning!
All output written has been checked for authenticity. However, output
can fail madway through for many reasons, and the resulting message may
-therefore be truncated. Don't rely on the output being complete until
-.B OK is printed or
+therefore be truncated. Don't rely on the output being complete until
+.B OK
+is printed or
.B catsign verify
exits successfully.
.SS info
.B catsign verify
exits successfully.
.SS info
@@
-583,7
+621,7
@@
This is a (slightly) more complex operation than re-encoding, though it
does not require any cryptographic operations.
.PP
The first non-option argument is the name of the file containing the
does not require any cryptographic operations.
.PP
The first non-option argument is the name of the file containing the
-signature data; this may be omitted or
+signature data; this may be omitted or
.RB ` \- '
to indicate that the signature be read from standard input. The second
non-option argument, if any, is the name of the file to read the message
.RB ` \- '
to indicate that the signature be read from standard input. The second
non-option argument, if any, is the name of the file to read the message
@@
-595,13
+633,15
@@
message is expected on stdin (immediately after the signature, if any).
The options follow a rough convention: options describing the input
format are lower-case and options specifying the output format are
upper-case. The following options are recognized.
The options follow a rough convention: options describing the input
format are lower-case and options specifying the output format are
upper-case. The following options are recognized.
-.TP "\-a, \-\-armour-in"
+.TP
+.BI "\-a, \-\-armour-in"
Read ASCII-armoured input. This is equivalent to specifying
.BR "\-f pem" .
The variant spelling
.B "\-\-armor"
is also accepted.
Read ASCII-armoured input. This is equivalent to specifying
.BR "\-f pem" .
The variant spelling
.B "\-\-armor"
is also accepted.
-.TP "\-A, \-\-armour-out"
+.TP
+.BI "\-A, \-\-armour-out"
Produce ASCII-armoured output. This is equivalent to specifying
.BR "\-F pem" .
The variant spelling
Produce ASCII-armoured output. This is equivalent to specifying
.BR "\-F pem" .
The variant spelling
@@
-648,7
+688,7
@@
The
command encodes an input file according to one of the encodings
described above in
.BR ENCODINGS .
command encodes an input file according to one of the encodings
described above in
.BR ENCODINGS .
-The input is read from the
+The input is read from the
.I file
given on the command line, or from standard input if none is specified.
Options provided are:
.I file
given on the command line, or from standard input if none is specified.
Options provided are:
@@
-657,7
+697,7
@@
Options provided are:
Produce output in
.IR format .
Run
Produce output in
.IR format .
Run
-.B cat
crypt
show enc
+.B cat
sign
show enc
for a list of encoding formats.
.TP
.BI "\-b, \-\-boundary " label
for a list of encoding formats.
.TP
.BI "\-b, \-\-boundary " label
@@
-682,7
+722,7
@@
The
command decodes an input file encoded according to one of the encodings
described above in
.BR ENCODINGS .
command decodes an input file encoded according to one of the encodings
described above in
.BR ENCODINGS .
-The input is read from the
+The input is read from the
.I file
given on the command line, or from standard input if none is specified.
Options provided are:
.I file
given on the command line, or from standard input if none is specified.
Options provided are:
@@
-691,7
+731,7
@@
Options provided are:
Decode input in
.IR format .
Run
Decode input in
.IR format .
Run
-.B cat
crypt
show enc
+.B cat
sign
show enc
for a list of encoding formats.
.TP
.BI "\-b, \-\-boundary " label
for a list of encoding formats.
.TP
.BI "\-b, \-\-boundary " label
@@
-700,10
+740,10
@@
Set the PEM boundary string to
i.e., assuming we're encoding in PEM format, start processing input
between
.BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-"
i.e., assuming we're encoding in PEM format, start processing input
between
.BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-"
-and
+and
.BI "\-\-\-\-\-END " label "\-\-\-\-\-"
lines. Without this option,
.BI "\-\-\-\-\-END " label "\-\-\-\-\-"
lines. Without this option,
-.B cat
crypt
+.B cat
sign
will start reading at the first plausible boundary string, and continue
processing until it reaches the matching end boundary.
.TP
will start reading at the first plausible boundary string, and continue
processing until it reaches the matching end boundary.
.TP
@@
-726,4
+766,4
@@
the same file.
.BR hashsum (1),
.BR keyring (5).
.SH AUTHOR
.BR hashsum (1),
.BR keyring (5).
.SH AUTHOR
-Mark Wooding, <mdw@
nsict.org
>
+Mark Wooding, <mdw@
distorted.org.uk
>