.RI [ item ...]
.br
.B sign
-.RB [ \-adt ]
+.RB [ \-adtC ]
.RB [ \-k
.IR tag ]
.RB [ \-f
.RI [ file ]
.br
.B verify
-.RB [ \-aquv ]
+.RB [ \-aquvC ]
.RB [ \-k
.IR tag ]
.RB [ \-f
.IR format ]
+.RB [ \-t
+.IR time ]
.br
.RB [ \-o
command (see
.BR key (1))
to generate the key.
+.TP
+.B mac
+This uses a symmetric message-authentication algorithm rather than a
+digital signature. The precise message-authentication scheme used is
+determined by the
+.B mac
+attribute on the key, which defaults to
+.IB hash -hmac
+if unspecified. Use the
+.B binary
+algorithm of the
+.B key add
+command (see
+.BR key (1))
+to generate the key.
.PP
As well as the signature algorithm itself, a hash function is used.
This is taken from the
.TP
.B "\-t, \-\-text"
Read and sign the input as text. This is the default.
+.TP
+.B "\-C, \-\-nocheck"
+Don't check the private key for validity. This makes signing go much
+faster, but at the risk of using a duff key, and potentially leaking
+information about the private key.
.SS verify
The
.B verify
Produce more verbose messages. See below for the messages produced
during decryption. The default verbosity level is 1. (Currently this
is the most verbose setting. This might not be the case always.)
+.TP
.B "\-q, \-\-quiet"
Produce fewer messages.
.TP
signature header specifies the key named
.IR tag .
.TP
+.BI "\-t, \-\-freshtime " time
+Only accept signatures claiming to have been made more recently than
+.IR time .
+If
+.I time
+is
+.B always
+(the default) then any timestamp in the past is acceptable.
+.TP
.B "\-u, \-\-utc"
Show the datestamp in the signature in UTC rather than (your) local
time. The synonym
mode as appropriate. The default is to write the message to standard
output unless verifying a detached signature, in which case nothing is
written.
+.TP
+.B "\-C, \-\-nocheck"
+Don't check the public key for validity. This makes verification go
+much faster, but at the risk of using a duff key, and potentially
+accepting false signatures.
.PP
Output is written to standard output in a machine-readable format.
Major problems cause the program to write a diagnostic to standard error
All output written has been checked for authenticity. However, output
can fail madway through for many reasons, and the resulting message may
therefore be truncated. Don't rely on the output being complete until
-.B OK is printed or
+.B OK
+is printed or
.B catsign verify
exits successfully.
.SS info
The options follow a rough convention: options describing the input
format are lower-case and options specifying the output format are
upper-case. The following options are recognized.
-.TP "\-a, \-\-armour-in"
+.TP
+.BI "\-a, \-\-armour-in"
Read ASCII-armoured input. This is equivalent to specifying
.BR "\-f pem" .
The variant spelling
.B "\-\-armor"
is also accepted.
-.TP "\-A, \-\-armour-out"
+.TP
+.BI "\-A, \-\-armour-out"
Produce ASCII-armoured output. This is equivalent to specifying
.BR "\-F pem" .
The variant spelling
or
.B \-o
option is given, a signature is written to standard output.
+.SS "encode"
+The
+.B encode
+command encodes an input file according to one of the encodings
+described above in
+.BR ENCODINGS .
+The input is read from the
+.I file
+given on the command line, or from standard input if none is specified.
+Options provided are:
+.TP
+.BI "\-f, \-\-format " format
+Produce output in
+.IR format .
+Run
+.B catsign show enc
+for a list of encoding formats.
+.TP
+.BI "\-b, \-\-boundary " label
+Set the PEM boundary string to
+.IR label ;
+i.e., assuming we're encoding in PEM format, the output will have
+.BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-"
+at the top and
+.BI "\-\-\-\-\-END " label "\-\-\-\-\-"
+at the bottom. The default
+.I label
+is
+.BR MESSAGE .
+.TP
+.BI "\-o, \-\-output " file
+Write output to
+.I file
+instead of to standard output.
+.SS "decode"
+The
+.B decode
+command decodes an input file encoded according to one of the encodings
+described above in
+.BR ENCODINGS .
+The input is read from the
+.I file
+given on the command line, or from standard input if none is specified.
+Options provided are:
+.TP
+.BI "\-f, \-\-format " format
+Decode input in
+.IR format .
+Run
+.B catsign show enc
+for a list of encoding formats.
+.TP
+.BI "\-b, \-\-boundary " label
+Set the PEM boundary string to
+.IR label ;
+i.e., assuming we're encoding in PEM format, start processing input
+between
+.BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-"
+and
+.BI "\-\-\-\-\-END " label "\-\-\-\-\-"
+lines. Without this option,
+.B catsign
+will start reading at the first plausible boundary string, and continue
+processing until it reaches the matching end boundary.
+.TP
+.BI "\-o, \-\-output " file
+Write output to
+.I file
+instead of to standard output.
.SH "BUGS"
The trailing-whitespace deletion doesn't work for more than 32K of
whitespace. I don't think this is a big problem, really.
.BR hashsum (1),
.BR keyring (5).
.SH AUTHOR
-Mark Wooding, <mdw@nsict.org>
+Mark Wooding, <mdw@distorted.org.uk>
projects / u / mdw / catacomb / blobdiff