asignify - cryptographically sign, verify, encrypt or decrypt files.
asignify [-q] verify pubkey signature
asignify [-q] check pubkey signature file [file...]
asignify [-q] sign [-n] [-d digest] [-s sshkey] secretkey signature [file1 [file2...]]
asignify [-q] generate [-n] [-r rounds] secretkey [publickey]
asignify [-q] encrypt [-d] secretkey publickey infile outfile
asignify [-q] decrypt secretkey publickey infile outfile
The asignify utility creates and verifies cryptographic signatures. A signature
is stamped on a digests file that contains hash digests of files using various
hash functions (namely, sha256, sha512 and blake2b).
The mode of operation is selected with the following options:
- -q
- Quiet mode. Suppress informational output.
- verify
- Verify the signature for a digests file (but do not verify the digests
themselves):
- pubkey
- Name of the file with a public key.
- signature
- Name of signature file.
- check
- Verify a signed digests list, and then verify the checksum for each file
listed in the arguments and specified in the digests list:
- pubkey
- Name of the file with a public key.
- signature
- Name of a signature file.
- file
- List of files whose digests need to be verified.
- generate
- Generate a new key pair of secret and public keys:
- -n, --no-password
- Do not ask for a passphrase during key generation. Otherwise,
asignify will prompt the user for a passphrase to encrypt the
secret key with.
- -r, --rounds
- Indicate the number of iterations (rounds) used by the PBKDF algorithm
(default number of rounds: 10000).
- -s, --ssh
- Convert an unencrypted ed25519 private key generated by openssh to the
native asignify format. The target key can be encrypted as usual.
- secretkey
- Mandatory path to the file where the secret key will be written.
- pubkey
- Optional path to the file where the public key will be written; by default
it will be generated as [secretkey].pub. This option is not used with
ssh keys.
- sign
- Calculate digests for the files specified and create a signed digests
file:
- -n, --no-size
- Do not record file sizes in the signature file.
- -d, --digest
- Indicate the hash function to be used for signing. Currently
asignify supports the following hashes: sha256(1),
sha512(1), blake2 (default if none is defined). It is possible to
specify multiple -d options to calculate multiple checksums for
each file.
- secretkey
- Name of the file with a secret key.
- signature
- Name of file where signed digests will be stored.
- file
- List of file(s) to calculate digests for.
- encrypt
- Encrypt a file using local private key and remote public key (and
vice-versa for decryption):
- -d, --decrypt
- Decrypt using the remote privkey and the local pubkey (this is the same as
invoking this command as decrypt).
- secretkey
- Name of the file with a secret key: local for encryption and remote for
decryption.
- publickey
- Name of the file with a public key: remote for encryption and local for
decryption.
- in
- The name of input file.
- out
- The name of output file.
asignify returns a zero exit code on success, and non-zero if an error occurs.
It may fail for one of the following reasons:
- Some of the requested files are absent.
- The passphrase is incorrect (or the passphrase and its verification are not
equal).
- The message file has been corrupted and its signature is no longer
valid.
Create a new key pair:
$ asignify generate keys/key.secret keys/key.public
Sign a file, specifying a signature name:
$ asignify sign -d blake2 keys/key.secret motd.sig /etc/motd
Verify a signature:
$ asignify verify keys/key.public motd.sig
Verify a signed digest list:
$ asignify check keys/key.public motd.sig /etc/motd
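An added example, not part of the asignify documentation: a POSIX shell wrapper that copies files into place only after asignify check succeeds, relying on the non-zero exit code described above. The function name install_verified and the ASIGNIFY variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: fail-closed gate around `asignify check`.
# Assumed names (not from the man page): install_verified, ASIGNIFY.

ASIGNIFY=${ASIGNIFY:-asignify}   # override to point at a specific binary

# install_verified PUBKEY SIGNATURE DESTDIR FILE...
# Copies FILEs into DESTDIR only if every one of them passes `check`.
# Returns 0 on success, 1 if verification fails, 2 on usage/missing files.
install_verified() {
    if [ "$#" -lt 4 ]; then
        echo "usage: install_verified pubkey signature destdir file..." >&2
        return 2
    fi
    pubkey=$1 sig=$2 dest=$3
    shift 3

    # The public key is the trust anchor: obtain it separately from the
    # files and the signature it is used to verify.
    for f in "$pubkey" "$sig" "$@"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    done

    # `check` verifies the signature on the digests list AND the digest of
    # each listed file. `verify` alone does not look at file contents.
    if ! "$ASIGNIFY" -q check "$pubkey" "$sig" "$@"; then
        echo "verification failed; nothing installed" >&2
        return 1
    fi

    mkdir -p "$dest" && cp -- "$@" "$dest"/
}
```

Called as install_verified keys/key.public motd.sig /tmp/verified /etc/motd, it leaves the destination untouched unless asignify exits with zero.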