File: sopv-verify.1.ronn

stateless-openpgp-docs 13.1-1
sopv-verify(1) -- Verify detached OpenPGP signatures on a message
=================================================================

## SYNOPSIS

`sopv` [`--debug`] `verify` [`--not-before=`<DATE>] [`--not-after=`<DATE>] [`--`] <SIGNATURES> <CERTS> [<CERTS>...] < <DATA>

## DESCRIPTION

`sopv verify` returns 0 if any valid OpenPGP detached signature is made over the data on standard input from one of the specified OpenPGP certificates.
If no valid OpenPGP signature is found, `sopv verify` returns non-zero.

It emits a stream of `VERIFICATIONS` (see `VERIFICATIONS` in sopv(1)) to standard output.

## EXAMPLES

```
if sopv verify message.sig signer.cert < message > /dev/null; then
    echo "message is signed"
else
    echo "no valid signature found"
fi
```

To implement a no-rollbacks mechanism (e.g. for software upgrades):

```
LASTSIGDATE=$(cat lastsigdate 2>/dev/null || echo '1970-01-01T00:00:00Z')
rm -f verifs.out
if sopv verify --not-before="$LASTSIGDATE" -- "$SIG" author.cert < "$PKG" > verifs.out; then
    # do something with the now-verified "$PKG":
    #  ...
    # prevent rollback to prior version: record the timestamp (first field)
    # of the signature that was just accepted as the new floor
    cut -f1 -d' ' < verifs.out | head -n1 > lastsigdate
fi
```
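The following is an added example, not part of this manual page or of any `sopv` implementation. It generalizes the snippet above in three ways: it takes the newest timestamp across all `VERIFICATIONS` lines rather than only the first, it never moves the stored floor backwards, and it quotes every argument. It assumes only what the page already relies on, namely that each `VERIFICATIONS` line begins with an ISO-8601 UTC timestamp as its first space-separated field; the fingerprints in the constructed sample are placeholders, and the state file name `lastsigdate` comes from the example above. `verify_no_rollback` needs a `sopv` implementation on `PATH`; the other functions run without one.

```shell
#!/bin/sh
# Added example (not from the sopv documentation): anti-rollback helpers
# around `sopv verify --not-before`.

# Constructed sample VERIFICATIONS output: two lines, older signature first.
# Only the first field (timestamp) is relied on; the rest are placeholder
# 40-hex-digit fingerprints, not real keys.
SAMPLE_VERIFS='2024-01-02T03:04:05Z 0000000000000000000000000000000000000001 0000000000000000000000000000000000000001
2024-06-07T08:09:10Z 0000000000000000000000000000000000000002 0000000000000000000000000000000000000002'

# Print the newest signature timestamp from a VERIFICATIONS stream on stdin.
# Timestamps of the form YYYY-MM-DDTHH:MM:SSZ sort correctly as plain strings,
# so a reverse sort on the first field yields the latest one.
# Exits non-zero when no well-formed timestamp is present (e.g. empty input).
newest_sig_date() {
    cut -f1 -d' ' \
        | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$' \
        | sort -r | head -n1 | grep .
}

# Print the stored floor, falling back to the epoch when the state file is
# missing or empty (an empty floor would otherwise yield `--not-before=`).
read_floor() {   # usage: read_floor [STATEFILE]
    floor=$(cat "${1:-lastsigdate}" 2>/dev/null)
    if [ -n "$floor" ]; then
        printf '%s\n' "$floor"
    else
        echo '1970-01-01T00:00:00Z'
    fi
}

# Raise the stored floor to NEWDATE, but only if it is later than the
# current floor; then print the resulting floor.
advance_floor() {   # usage: advance_floor NEWDATE [STATEFILE]
    state="${2:-lastsigdate}"
    cur=$(read_floor "$state")
    # expr's \> is a string comparison here, which is what ISO-8601 UTC needs
    if expr "$1" \> "$cur" > /dev/null; then
        printf '%s\n' "$1" > "$state"
    fi
    read_floor "$state"
}

# Verify PKG with SIG against CERT, rejecting anything signed before the
# stored floor, then advance the floor to the newest accepted signature.
# Returns non-zero if sopv finds no acceptable signature.
verify_no_rollback() {   # usage: verify_no_rollback SIG PKG CERT [STATEFILE]
    state="${4:-lastsigdate}"
    out=$(sopv verify --not-before="$(read_floor "$state")" -- "$1" "$3" < "$2") || return 1
    newdate=$(printf '%s\n' "$out" | newest_sig_date) || return 1
    advance_floor "$newdate" "$state" > /dev/null
}
```

Because `newest_sig_date` drops any line whose first field is not a full UTC timestamp, an implementation that emitted a non-`Z` timestamp would cause the floor to stay put rather than be corrupted; that is the conservative failure you want in a rollback guard.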

## OPTIONS

 * `--not-before=`<DATE>:
   Do not accept signatures made before the specified <DATE>.
   Supply <DATE> in ISO-8601 format, preferably in UTC (see `DATE` in sopv(1)).

 * `--not-after=`<DATE>:
   Do not accept signatures made after the specified <DATE>.
   Supply <DATE> in ISO-8601 format, preferably in UTC (see `DATE` in sopv(1)).

## ARGUMENTS

`sopv verify` looks for OpenPGP signatures in the <SIGNATURES> argument, either as a series of raw OpenPGP signature packets, or as an ASCII-armored series of OpenPGP signature packets.
For the signatures to be verified, they must be made by one of the supplied <CERTS> over the message provided on standard input.

Any invalid or broken signature will be ignored, as will any signature made by an unknown signer.

One or more <CERTS> arguments should point to OpenPGP certificates that would be acceptable signers.

## RETURN CODE

`sopv verify` returns 0 to indicate that at least one valid signature was found.

It may fail for other reasons, but `NO_SIGNATURE` (3) is a likely failure mode when none of the <SIGNATURES> can be verified as being from any of the <CERTS>.

## AUTHOR

This manual page was written by Daniel Kahn Gillmor.
Your implementation of `sopv` is likely written by someone else in alignment with the SOP specification.
Please run `sopv version` to learn more about your implementation.

## SEE ALSO

sopv(1),
sopv-version(1),
sopv-inline-verify(1),
[Stateless OpenPGP Command Line Interface][draft-dkg-openpgp-stateless-cli],
[RFC 9580][RFC9580]