Question

How can you sign files on the command line while using a trusted identity?

For emails you get an x509 certificate, signed by a CA – can you use the same to sign files?

Or would the CA need to sign your public key, and you'd use the corresponding private key to sign the file?

Right now I just found a way to sign files with the private key, but not a way to have the public key signed by a CA, nor a way to sign files using the cert.


Solution 3

Actually the x509 certificate is the signed public key!

It's the recipients who need to use the certificate to verify your identity, and the public key to verify the signature.

What they need to do is extract the public key from the certificate to use it for verifying:

openssl x509 -in me.crt -pubkey -noout > me.pub

OTHER TIPS

You don't ever want to sign with a public key, because that signature is then meaningless. Many people have a public key. Only one person (the signer) should have a private key. If you did sign with a public key, anyone else having that public key could also create a signature that is equally as valid. There would be no way to determine who actually signed it, which defeats the purpose of signatures. Also, there would be no way to verify a signature signed with a public key because no one would have the private key.

You always sign with a private key and verify with a public key.

Your signature can be accompanied by an X509 Certificate. If the certificate is signed by a trusted entity, then whoever has this certificate and trusts it, can also trust the signature that was generated by the private key corresponding to the public key that is in the certificate.

The link you gave in your question contains the openssl commands to verify a signature. In addition to the openssl dgst and openssl rsautl methods to verify a signature, you can also use openssl pkeyutl.

openssl pkeyutl -verify -in data -sigfile signature.bin -pubin -inkey pubkey.pem

The public key (contained in the certificate) is used for verification. The private key corresponding to that public key is used to sign the data.

Your public key is signed by the CA. You can use the private key corresponding to that public key to sign a file. The verifier will use the public key to verify the signature of the file.

A certificate is a public key signed by a CA. If the CA is trusted, then the certificate will be trusted.

Since you are using a certificate to sign a file, that purpose must also be mentioned in the certificate. So ensure that the CA allows signing files by specifying this in the purpose field of the certificate.
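The whole flow the answers describe, as an added example that is not part of any of the original posts: a throwaway CA issues a certificate over the signer's public key, the file is signed with the private key, and the verifier checks the chain, the certificate's key usage, and the signature using the public key extracted from the certificate. All names, paths and the payload are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original answers. Builds a throwaway CA
# and signer certificate in DIR, signs DIR/data with the PRIVATE key, then
# plays the verifier: checks the chain, the certificate purpose, and the
# signature with the PUBLIC key extracted from the certificate.
# Prints "ok" and returns 0 only if every step behaves as expected.
sign_and_verify() {
  d="$1"; q="/dev/null"

  # Throwaway CA (self-signed). All names here are constructed examples.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
    -out "$d/ca.crt" -subj "/CN=Example Test CA" -days 1 >$q 2>&1 || return 1

  # Signer key pair and CSR; the CA signs the public key into me.crt and
  # marks the certificate as usable for digital signatures.
  openssl req -newkey rsa:2048 -nodes -keyout "$d/me.key" -out "$d/me.csr" \
    -subj "/CN=signer@example.test" >$q 2>&1 || return 1
  printf 'keyUsage = critical, digitalSignature\n' > "$d/leaf.ext"
  openssl x509 -req -in "$d/me.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/me.crt" -days 1 -extfile "$d/leaf.ext" \
    >$q 2>&1 || return 1

  printf 'constructed sample payload\n' > "$d/data"

  # Signer side: sign with the private key (SHA-256 digest, RSA signature).
  openssl dgst -sha256 -sign "$d/me.key" -out "$d/data.sig" "$d/data" || return 1

  # Verifier side: trust the chain, check the purpose, extract the public key.
  openssl verify -CAfile "$d/ca.crt" "$d/me.crt" >$q || return 1
  openssl x509 -in "$d/me.crt" -noout -text | grep -q 'Digital Signature' || return 1
  openssl x509 -in "$d/me.crt" -pubkey -noout > "$d/me.pub" || return 1

  # Verify the signature with the public key taken from the certificate.
  openssl dgst -sha256 -verify "$d/me.pub" -signature "$d/data.sig" \
    "$d/data" >$q || return 1

  # A modified file must fail verification against the same signature.
  cp "$d/data" "$d/data.bad" && printf 'x' >> "$d/data.bad"
  if openssl dgst -sha256 -verify "$d/me.pub" -signature "$d/data.sig" \
       "$d/data.bad" >$q 2>&1; then
    echo "tampered file verified: BUG"; return 1
  fi
  echo ok
}
```

Run it as `sign_and_verify "$(mktemp -d)"`; the directory keeps every intermediate file (CSR, certificate, extracted public key, signature) for inspection.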

Licensed under: CC-BY-SA with attribution