SOPV-VERIFY(1) | Stateless OpenPGP Signature Verification | SOPV-VERIFY(1) |
NAME
sopv-verify - Verify detached OpenPGP signatures on a message
SYNOPSIS
sopv [--debug] verify [--not-before=DATE] [--not-after=DATE] [--] SIGNATURES CERTS [CERTS...] <DATA
DESCRIPTION
sopv verify returns 0 if at least one valid OpenPGP detached signature over the data on standard input was made by one of the specified OpenPGP certificates. If no valid OpenPGP signature is found, sopv verify returns non-zero.
It emits a stream of VERIFICATIONS (see VERIFICATIONS in sopv(1)) to standard output.
EXAMPLES
if sopv verify message.sig signer.cert < message > /dev/null; then
    echo "message is signed"
else
    echo "no valid signature found"
fi
To implement a no-rollbacks mechanism (e.g. for software upgrades):
LASTSIGDATE=$(cat lastsigdate 2>/dev/null || echo '1970-01-01T00:00:00Z')
rm -f verifs.out
if sopv verify --not-before="$LASTSIGDATE" "$SIG" author.cert < "$PKG" > verifs.out; then
    # do something with the now-verified "$PKG":
    # ...
    # prevent rollback to prior version: record the timestamp (first field)
    # of the first VERIFICATIONS line as the floor for the next run
    cut -f1 -d' ' < verifs.out | head -n1 > lastsigdate
fi
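The rollback-prevention sketch above records whichever VERIFICATIONS line happens to come first, writes the state file even if that line carried no usable timestamp, and places no upper bound on the signature time. The following script, an added example that is not part of this manual page or of any sopv implementation, makes the same mechanism fail closed: it keeps the newest well-formed timestamp across all accepted signatures, bounds the window with --not-after set to the current time so that a future-dated signature cannot ratchet the floor past every later package, passes -- before the file arguments as in the SYNOPSIS, and updates the state file atomically. It assumes sopv is on PATH and that each VERIFICATIONS line begins with an ISO-8601 UTC timestamp as its first space-separated field (the same assumption the cut command above makes); the function names, the state file name and the sample lines are this example's own.

```sh
#!/bin/sh
# Added example, not from the sopv man page or any sopv implementation.
# Assumptions: `sopv` is on PATH; each VERIFICATIONS line begins with an
# ISO-8601 UTC timestamp as its first space-separated field. Function
# names, the state file name and the sample lines are this example's own.
set -u

# Constructed sample of what sopv verify might write to stdout: two
# accepted signatures plus one junk line. Fingerprints are made up.
SAMPLE_VERIFICATIONS='2024-05-01T09:00:00Z 0123456789ABCDEF0123456789ABCDEF01234567 0123456789ABCDEF0123456789ABCDEF01234567 mode:binary
2024-05-02T10:00:00Z FEDCBA9876543210FEDCBA9876543210FEDCBA98 FEDCBA9876543210FEDCBA9876543210FEDCBA98 mode:binary
this line is not a verification'

# newest_sig_date: read VERIFICATIONS lines on stdin and print the newest
# timestamp, or nothing if no line carries a well-formed one. Fixed-width
# UTC timestamps (YYYY-MM-DDTHH:MM:SSZ) order correctly as plain strings,
# so sort(1) suffices; lines that do not match are dropped so a malformed
# line can never become the recorded floor.
newest_sig_date() {
    cut -d' ' -f1 \
    | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$' \
    | sort \
    | tail -n 1
}

# last_sig_date STATEFILE: the floor passed to --not-before, or the epoch
# when no package has been accepted yet.
last_sig_date() {
    if [ -s "$1" ]; then
        head -n 1 "$1"
    else
        echo '1970-01-01T00:00:00Z'
    fi
}

# verify_not_rolled_back SIG CERT PKG STATEFILE VERIFS: run sopv verify
# bounded below by the recorded floor and above by the current time, with
# VERIFICATIONS written to VERIFS. Returns sopv's own exit status. The `--`
# keeps a signature filename beginning with '-' from being read as an option.
verify_not_rolled_back() {
    sig=$1; cert=$2; pkg=$3; state=$4; verifs=$5
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    sopv verify --not-before="$(last_sig_date "$state")" --not-after="$now" \
        -- "$sig" "$cert" < "$pkg" > "$verifs"
}

# commit_sig_date VERIFS STATEFILE: advance the floor to the newest accepted
# signature time. Fails, leaving the old floor in place, if no timestamp
# could be extracted; the temp-file-then-rename keeps a crash from leaving
# an empty state file behind.
commit_sig_date() {
    newest=$(newest_sig_date < "$1") || return 1
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Usage: sh no-rollback.sh SIG CERT PKG   (state is kept in ./lastsigdate)
if [ "$#" -eq 3 ]; then
    verifs=$(mktemp) || exit 1
    if verify_not_rolled_back "$1" "$2" "$3" lastsigdate "$verifs"; then
        echo "verified: $3"          # install "$3" here, then:
        commit_sig_date "$verifs" lastsigdate || { rm -f "$verifs"; exit 1; }
    else
        echo "no acceptable signature on $3" >&2
        rm -f "$verifs"; exit 1
    fi
    rm -f "$verifs"
fi
```

Whether --not-before accepts a signature made at exactly the recorded time is not stated on this page; if an implementation treats the bound as inclusive, re-presenting the last accepted package would still verify, which is harmless for rollback prevention since it cannot move the floor backwards.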
OPTIONS
- --not-before=DATE
- Do not accept signatures made before the specified DATE. Supply DATE in ISO-8601 format, preferably in UTC (see DATE in sopv(1)).
- --not-after=DATE
- Do not accept signatures made after the specified DATE. Supply DATE in ISO-8601 format, preferably in UTC (see DATE in sopv(1)).
ARGUMENTS
sopv verify looks for OpenPGP signatures in the SIGNATURES argument, either as a series of raw OpenPGP signature packets, or as an ASCII-armored series of OpenPGP signature packets. For the signatures to be verified, they must be made by one of the supplied CERTS over the message provided on standard input.
Any invalid or broken signature is ignored, as is any signature made by a signer not among the supplied CERTS.
One or more CERTS arguments should point to OpenPGP certificates that would be acceptable signers.
RETURN CODE
sopv verify returns 0 to indicate that at least one valid signature was found.
It may fail for other reasons, but NO_SIGNATURE (3) is a likely failure mode when none of the SIGNATURES can be verified as being from any of the CERTS.
AUTHOR
This manual page was written by Daniel Kahn Gillmor. Your implementation of sopv is likely written by someone else in alignment with the SOP specification. Please run sopv version to learn more about your implementation.
SEE ALSO
sopv(1), sopv-version(1), sopv-inline-verify(1), Stateless OpenPGP Command Line Interface https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/, RFC 9580 https://www.rfc-editor.org/rfc/rfc9580.html
March 2025 | sopv 1.1 |