
Sign and verify text/files to public keys via the OpenSSL Command Line

Published: 09-11-2015 | Author: Remy van Elst


This small guide shows you how to use the OpenSSL command line to sign a file, and how to verify the signature on that file. You can do this to prove ownership of a key, or to prove that a file hasn't been modified since you signed it. This works with small text files as well as with huge photos, documents or PDF files.

Generate a keypair

We'll generate a new keypair for this. You can also use an existing one. Change the subject in the following command and execute it to generate a self-signed keypair:

openssl req -nodes -x509 -sha256 -newkey rsa:4096 -keyout "$(whoami)s Sign Key.key" -out "$(whoami)s Sign Key.crt" -days 365 -subj "/C=NL/ST=Zuid Holland/L=Rotterdam/O=Sparkling Network/OU=IT Dept/CN=$(whoami)s Sign Key"

Also create a small text file to test the signing process on:

echo "Hello, World!" > sign.txt

Sign the file

Use the following command to sign the file. We actually take the SHA-256 hash of the file and sign that hash with the private key, all in one openssl command:

openssl dgst -sha256 -sign "$(whoami)s Sign Key.key" -out sign.txt.sha256 sign.txt

This results in the file sign.txt with the original contents, and the file sign.txt.sha256 with the signed hash of that file.

You can place the file and the public key ($(whoami)s Sign Key.crt) on the internet or anywhere you like. Keep the private key ($(whoami)s Sign Key.key) very safe and private: anyone who holds it can produce signatures that verify as yours.

Verify the signature

To verify the signature, you need the public key of the specific certificate. We can extract it from the certificate (PEM format, without the rest of the certificate) using the following command:

openssl x509 -in "$(whoami)s Sign Key.crt" -pubkey -noout

But saving that to a separate file every time is a burden, and we have a shell that can automate this away for us. The command below validates the file against the signature, using bash process substitution (<( ... )) to feed the extracted public key straight into openssl:

openssl dgst -sha256 -verify <(openssl x509 -in "$(whoami)s Sign Key.crt" -pubkey -noout) -signature sign.txt.sha256 sign.txt

If the contents have not changed since the signing was done, the output is as below:

Verified OK

If the validation fails, the hash of the file doesn't correspond to the signed hash. The file has very likely been modified or tampered with (or the signature belongs to a different key). The result of a failed validation looks like below; openssl also exits with a non-zero status, which is what you should check in scripts:

Verification Failure

Signature

To get a text version of the signature (the file contains binary content) you can use the base64 command. The textual version is easier to publish online together with the file:

base64 sign.txt.sha256 > sign.txt.sha256.txt

To turn this back into the binary form that openssl expects, use the base64 -d command:

base64 -d sign.txt.sha256.txt > sign.txt.sha256
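
The whole procedure above (generate a keypair, sign, verify, detect tampering, round-trip the signature through base64) as one self-contained script. This is an added example, not code from the original article: it assumes openssl and a coreutils-style base64 (with -d) on the PATH, works in a temporary directory with constructed file names, uses a 2048-bit key to keep the run short, and writes the extracted public key to a file instead of using bash process substitution so it also runs under plain sh.

```shell
#!/bin/sh
# Added example (not from the article): sign/verify round trip with openssl.
# Everything happens in a scratch directory that is removed on exit.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/sign_key.key"   # private key: stays with the signer
CRT="$WORK/sign_key.crt"   # self-signed certificate: can be published
PUB="$WORK/sign_key.pub"   # bare public key extracted from the certificate

# Generate a self-signed keypair (the article uses rsa:4096; 2048 here for speed).
make_keypair() {
    openssl req -nodes -x509 -sha256 -newkey rsa:2048 \
        -keyout "$KEY" -out "$CRT" -days 365 \
        -subj "/C=NL/O=Example/CN=Example Sign Key" >/dev/null 2>&1
    # Verification only needs the public key, so extract it once.
    openssl x509 -in "$CRT" -pubkey -noout > "$PUB"
}

# Sign a file: SHA-256 hash it and sign the hash with the private key.
sign_file() {   # $1 = file to sign, $2 = output (binary signature)
    openssl dgst -sha256 -sign "$KEY" -out "$2" "$1"
}

# Verify a file against a binary signature and the public key.
# Exit status 0 means "Verified OK"; non-zero means "Verification Failure".
verify_file() { # $1 = file, $2 = signature
    openssl dgst -sha256 -verify "$PUB" -signature "$2" "$1" >/dev/null 2>&1
}

# Encode the binary signature as text for publishing, then decode it again.
b64_roundtrip() { # $1 = binary signature, $2 = base64 text, $3 = decoded copy
    base64 "$1" > "$2"
    base64 -d "$2" > "$3"
}

demo() {
    make_keypair
    echo "Hello, World!" > "$WORK/sign.txt"
    sign_file "$WORK/sign.txt" "$WORK/sign.txt.sha256"

    # 1. The untouched file verifies.
    verify_file "$WORK/sign.txt" "$WORK/sign.txt.sha256" || return 1

    # 2. Appending a single byte is enough to break the signature.
    cp "$WORK/sign.txt" "$WORK/tampered.txt"
    printf 'x' >> "$WORK/tampered.txt"
    if verify_file "$WORK/tampered.txt" "$WORK/sign.txt.sha256"; then
        return 1
    fi

    # 3. The signature survives the base64 text round trip intact.
    b64_roundtrip "$WORK/sign.txt.sha256" "$WORK/sign.txt.sha256.txt" \
        "$WORK/decoded.sha256"
    verify_file "$WORK/sign.txt" "$WORK/decoded.sha256"
}

demo && echo "all checks passed"
```

Run it with sh; it prints "all checks passed" when all three checks hold. The tamper check relies on the exit status of openssl dgst -verify rather than on its printed text, which is the robust way to consume the result from a script.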

Tags: ca, certificate, openssl, pki, sign, ssl, tls, tutorials, verify