NBSVTOOL(1) General Commands Manual NBSVTOOL(1)

NAME
nbsvtool - create and verify detached signatures of files

SYNOPSIS
nbsvtool [-v] [-a anchor-certificates] [-c certificate-chain] [-f certificate-file] [-k private-key-file] [-u required-key-usage] command args ...

DESCRIPTION
nbsvtool creates and verifies detached X.509 signatures of files. Private keys and certificates must be PEM encoded; signatures are written in PEM-encoded S/MIME (PKCS#7) format.

Supported commands:

sign file
Sign file, placing the signature in file.sp7. The options -f and -k are required for this command.
verify file [signature]
Verify signature for file. If signature is not specified, file.sp7 is used.
verify-code file [signature]
A shortcut for verify with the option -u code: the signature is accepted only if the signing certificate's extended key usage permits code signing.

Supported options:

-a anchor-certificates
A file containing one or more (concatenated) certificates that are considered trusted. When verifying, the signing certificate must chain to one of them.
-c certificate-chain
A file containing additional certificates that are added to the signature when creating one. They are used to fill missing links in the trust chain when verifying the signature.
-f certificate-file
A file containing the certificate to use for signing. The certificate must match the key given by -k.
-k private-key-file
A file containing the private key to use for signing.
-u required-key-usage
Verify that the extended key-usage attribute in the signing certificate matches required-key-usage; otherwise the signature is rejected. required-key-usage is one of “ssl-server”, “ssl-client”, “code”, or “smime”.
-v
Print verbose information about the signing certificate.

EXIT STATUS
The nbsvtool utility exits 0 on success, and >0 if an error occurs.

EXAMPLES
Create the signature file hello.sp7 for the file hello. The private key is read from the file key, the matching certificate from cert, and the additional certificates in cert-chain are embedded in the created signature.
nbsvtool -k key -f cert -c cert-chain sign hello hello.sp7

Verify that the signature hello.sp7 is valid for the file hello and that the signing certificate permits code signing. The certificates in anchor-file are considered trusted, and there must be a certificate chain from one of them to the signing certificate; any intermediate certificates embedded in the signature are used to complete that chain.
nbsvtool -a anchor-file verify-code hello hello.sp7
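The two examples above, carried through end to end, as an added example that is not part of nbsvtool or NetBSD. Since nbsvtool itself is NetBSD-specific, the same detached PEM-encoded PKCS#7 signatures are produced and checked here with openssl smime(1) (listed under SEE ALSO); the script builds a throw-away PKI (root anchor, intermediate, a code-signing leaf and an S/MIME-only leaf, all with invented names), then shows that verification fails when the intermediate is not embedded with -c, that -u code and -u smime select between the two leaves, and that any change to the signed file invalidates the signature. It assumes openssl(1) 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not part of nbsvtool or NetBSD: the sign / verify /
# verify-code flow above, reproduced with openssl smime(1), which reads and
# writes the same detached PEM PKCS#7 signatures.  Assumes openssl(1) 1.1.1
# or newer; all key, certificate and file names are invented for the demo.
# Run as: sh nbsv-demo.sh demo
set -eu

# nbsvtool's -u names, as the long names printed by `openssl x509 -text`.
eku_name() {
    case "$1" in
        code)       echo "Code Signing" ;;
        smime)      echo "E-mail Protection" ;;
        ssl-server) echo "TLS Web Server Authentication" ;;
        ssl-client) echo "TLS Web Client Authentication" ;;
        *)          echo "unknown key usage: $1" >&2; return 1 ;;
    esac
}

# sv_sign FILE CERT KEY [CHAIN]  ~  nbsvtool -f CERT -k KEY [-c CHAIN] sign FILE
# Writes a detached PEM PKCS#7 signature over FILE to FILE.sp7, embedding
# the certificates from CHAIN when one is given.
sv_sign() {
    sfile=$1; scert=$2; skey=$3; schain=${4:-}
    set -- openssl smime -sign -binary -in "$sfile" -signer "$scert" -inkey "$skey" \
        -outform PEM -out "$sfile.sp7"
    [ -n "$schain" ] && set -- "$@" -certfile "$schain"
    "$@"
}

# sv_verify FILE SIG ANCHOR [USAGE]  ~  nbsvtool -a ANCHOR [-u USAGE] verify FILE SIG
# Succeeds only if SIG is valid over FILE, the signer chains (via intermediates
# embedded in SIG) to a certificate in ANCHOR and, when USAGE is given, the
# signer's extendedKeyUsage includes it.
sv_verify() {
    vfile=$1; vsig=$2; vanchor=$3; vusage=${4:-}
    vsigner=$(mktemp)
    # -no-CAfile/-no-CApath keep the system CA locations out of the trusted
    # set, mirroring -a.  -purpose any disables openssl's own S/MIME purpose
    # check on the signer (it would reject a code-signing-only certificate);
    # the -u style check is made explicitly below instead.
    if ! openssl smime -verify -binary -inform PEM -in "$vsig" -content "$vfile" \
            -CAfile "$vanchor" -no-CAfile -no-CApath -purpose any \
            -signer "$vsigner" -out /dev/null 2>/dev/null; then
        rm -f "$vsigner"; return 1
    fi
    if [ -n "$vusage" ]; then
        vwant=$(eku_name "$vusage")
        if ! openssl x509 -in "$vsigner" -noout -text | grep -q "$vwant"; then
            rm -f "$vsigner"; return 2
        fi
    fi
    rm -f "$vsigner"
}

# issue DIR NAME EXTSECTION ISSUER: new key and CSR for NAME, certified by ISSUER.
issue() {
    d=$1; n=$2; ext=$3; iss=$4
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=nbsv-test-$n" \
        -config "$d/x509.cnf" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$iss.pem" -CAkey "$d/$iss.key" \
        -CAcreateserial -days 30 -extfile "$d/x509.cnf" -extensions "$ext" \
        -out "$d/$n.pem" 2>/dev/null
}

# make_test_pki DIR: root (anchor) -> inter (chain) -> leaf (codeSigning) and
# mail (emailProtection only).  Invented test PKI, generated on the fly.
make_test_pki() {
    cat > "$1/x509.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_code]
basicConstraints = CA:FALSE
extendedKeyUsage = codeSigning
[v3_smime]
basicConstraints = CA:FALSE
extendedKeyUsage = emailProtection
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -subj /CN=nbsv-test-root -days 30 \
        -config "$1/x509.cnf" -extensions v3_ca -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    issue "$1" inter v3_ca root
    issue "$1" leaf v3_code inter
    issue "$1" mail v3_smime inter
}

# expect ok|fail LABEL CMD...: run CMD and report whether its outcome matched.
expect() {
    exp=$1; label=$2; shift 2
    if "$@"; then got=ok; else got=fail; fi
    printf '%-4s (want %-4s) %s\n' "$got" "$exp" "$label"
}

demo() {
    wd=$(mktemp -d)
    make_test_pki "$wd"
    printf 'hello, world\n' > "$wd/hello"
    sv_sign "$wd/hello" "$wd/leaf.pem" "$wd/leaf.key"                  # no -c: intermediate missing
    expect fail "leaf, intermediate not embedded" sv_verify "$wd/hello" "$wd/hello.sp7" "$wd/root.pem"
    sv_sign "$wd/hello" "$wd/leaf.pem" "$wd/leaf.key" "$wd/inter.pem"  # like -c cert-chain
    expect ok   "leaf, chain embedded"            sv_verify "$wd/hello" "$wd/hello.sp7" "$wd/root.pem"
    expect ok   "leaf, verify-code"               sv_verify "$wd/hello" "$wd/hello.sp7" "$wd/root.pem" code
    expect fail "leaf, -u smime"                  sv_verify "$wd/hello" "$wd/hello.sp7" "$wd/root.pem" smime
    sv_sign "$wd/hello" "$wd/mail.pem" "$wd/mail.key" "$wd/inter.pem"  # S/MIME-only signer
    expect ok   "mail, plain verify"              sv_verify "$wd/hello" "$wd/hello.sp7" "$wd/root.pem"
    expect fail "mail, verify-code"               sv_verify "$wd/hello" "$wd/hello.sp7" "$wd/root.pem" code
    printf 'tampered\n' >> "$wd/hello"
    expect fail "file modified after signing"     sv_verify "$wd/hello" "$wd/hello.sp7" "$wd/root.pem"
    rm -rf "$wd"
}

case "${1:-}" in demo) demo ;; esac
```

Two design points carry over to nbsvtool itself: verification only trusts what is passed as the anchor (there is no default anchor, see BUGS), so a missing intermediate in the signature is a verification failure rather than something the verifier goes looking for; and the extended-key-usage check is separate from chain validation, which is why verify accepts the S/MIME-only signer while verify-code rejects it.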

SEE ALSO
openssl_smime(1)

BUGS
As there is currently no default trust anchor, you must explicitly specify one with -a; otherwise no verification can succeed.
March 11, 2009 NetBSD 9.4