GZSIG(1) BSD Reference Manual GZSIG(1)
NAME
gzsig - gzip signing utility
SYNOPSIS
gzsig sign [-qv] [-f secret_file] privkey [file ...]
gzsig verify [-qv] pubkey [file ...]
DESCRIPTION
gzsig embeds or verifies RSA PKCS #1 v2.0 or DSA SHA1 signatures in
gzip(1) compressed files using SSH identity keys, RSA public keys, or
X509 certificates.
The file operands are processed in command-line order. If file is a
single dash ('-') or absent, gzsig reads from the standard input.
The options are as follows:
sign Sign the input using the private key in privkey.
verify Verify the signature using the public key in pubkey.
-q Enable quiet mode.
-v Disable quiet mode.
-f secret_file
Indicates that the passphrase for the key should be read from
secret_file instead of being supplied manually.
The gzsig utility exits 0 on success or >0 if an error occurred.
EXAMPLES
Sign file1 and file2 with the SSH2 identity key in ~/.ssh/id_rsa:
$ gzsig sign ~/.ssh/id_rsa file1 file2
Sign file1 with the SSH2 identity key, saving the signed file in file2:
$ gzsig sign ~/.ssh/id_rsa < file1 > file2
Verify the signature on file1 using the SSL certificate in
/etc/ssl/server.crt:
$ gzsig verify /etc/ssl/server.crt < file1
SEE ALSO
gzip(1), ssh-keygen(1), ssl(8)
AUTHORS
Dug Song <dugsong@arbor.net>
SSH2 support by Marius Eriksen <marius@openbsd.org>
RSA public key (in the format generated by ssh-keygen -E) by Thorsten
Glaser <tg@mirbsd.de>.
BUGS
gzsig version 1 only supports SHA-1 hashes. The extension field format
consists of a magic, "GS", a version identifier (1), and the hash. A
proposed version 2 would write out both the version 1 field and a version 2
field supporting multiple hashes at the same time, all of which are
checked, together with some kind of algorithm ID. This would be used to
prevent attacks against a single algorithm or family of hash algorithms.
Ideally, you'd combine the version 1 SHA-1 or a version 2 RIPEMD-160 with
a version 2 TIGER or WHIRLPOOL and a version 2 CRC (cksum, sum, sysvsum,
suma, sfv).
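The version 1 field described above can be located in a file with a short parser, for instance to inventory which archives still rely on a SHA-1-only signature. This is an added example, not gzsig's own code: it reads the gzip header as defined in RFC 1952 and assumes the field is laid out as the 2-byte magic "GS", a 1-byte version, and a payload filling the rest of the extra field. The function names and the sample input are constructed for illustration.

```python
import gzip
import struct

FEXTRA = 0x04  # RFC 1952 FLG bit 2: an extra field follows the fixed header


def gzip_extra_field(data: bytes) -> bytes:
    """Return the raw RFC 1952 extra field of a gzip member, or b'' if none."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    if data[2] != 8:
        raise ValueError("unknown compression method")
    if not data[3] & FEXTRA:
        return b""
    if len(data) < 12:
        raise ValueError("truncated XLEN")
    (xlen,) = struct.unpack_from("<H", data, 10)
    extra = data[12:12 + xlen]
    if len(extra) != xlen:
        raise ValueError("truncated extra field")
    return extra


def parse_gzsig_field(extra: bytes):
    """Split an extra field into (version, payload); None if it is not 'GS'.

    Assumed layout (the man page does not give it byte for byte):
    2-byte magic, 1-byte version, payload fills the rest of the field.
    """
    if len(extra) < 3 or extra[:2] != b"GS":
        return None
    return extra[2], extra[3:]


def build_sample(payload: bytes, version: int = 1) -> bytes:
    """Constructed test input: a gzip member carrying a 'GS' extra field."""
    plain = gzip.compress(b"hello\n")  # 10-byte header, FEXTRA not set
    extra = b"GS" + bytes([version]) + payload
    header = plain[:3] + bytes([plain[3] | FEXTRA]) + plain[4:10]
    return header + struct.pack("<H", len(extra)) + extra + plain[10:]


if __name__ == "__main__":
    sample = build_sample(bytes(range(16)))  # placeholder bytes, not a real signature
    version, payload = parse_gzsig_field(gzip_extra_field(sample))
    print(f"gzsig field version {version}, {len(payload)} payload bytes")
    print("still decompresses:", gzip.decompress(sample) == b"hello\n")
```

Finding the field only shows that a file claims to be signed; whether the signature is valid is still decided by gzsig verify and its exit status.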
July 6, 2001