openssl command line to verify the signature
Solution 1
I found two solutions to your problem.
You can use rsautl this way (with private key my.key and public key my-pub.pem):
$ openssl rsautl -sign -inkey my.key -out in.txt.rsa -in in.txt
Enter pass phrase for my.key:
$ openssl rsautl -verify -inkey my-pub.pem -in in.txt.rsa -pubin
Bonjour
With this method, the whole document is included within the signature file and is output by the final command.
But in my case, my certificate says: Signature Algorithm: sha1WithRSAEncryption. So I would recommend that you use the standard way of signing a document, in 4 steps (this method is used for all asymmetric electronic signatures so as not to overload the signature file and/or CPU usage):
- Create digest of document to sign (sender)
- Sign digest with private key (sender)
- Create digest of document to verify (recipient)
- Verify signature with public key (recipient)
OpenSSL does this in two steps:
$ openssl dgst -sha256 -sign my.key -out in.txt.sha256 in.txt
Enter pass phrase for my.key:
$ openssl dgst -sha256 -verify my-pub.pem -signature in.txt.sha256 in.txt
Verified OK
With this method, you send the recipient two documents: the original file (plain text) and the signature file (signed digest). Attention: the signature file does not include the whole document, only the digest.
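The 4-step detached-signature flow from this answer, carried through end to end as an added example (this is not code from the answer above). It generates a throwaway key pair so it runs non-interactively (the answer's my.key is passphrase-protected; this one is not), signs in.txt with a SHA-256 digest, verifies it, then changes one byte of the document and checks that verification now fails. It assumes the openssl binary is on PATH; the file names are taken from the answer, the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original answer: detached digest signature with
# openssl dgst, including a tamper check. Assumes openssl is on PATH.
set -u

# verify_file PUBKEY SIGFILE FILE
# Prints "ok" when the signature matches FILE, "bad" otherwise. The exit
# status of `openssl dgst -verify` (0 = Verified OK, 1 = failure) is what a
# script should rely on, not the printed text.
verify_file() {
    if openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
}

# demo_detached_signature
# Prints "<genuine> <tampered>", i.e. "ok bad" when the untouched file
# verifies and the modified copy does not.
demo_detached_signature() {
    work=$(mktemp -d)

    # Sender side: unencrypted 2048-bit RSA key so there is no passphrase
    # prompt (add -aes256 to genpkey to get the prompt seen in the answer).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/my.key" 2>/dev/null
    # The recipient only needs the public half (my-pub.pem in the answer).
    openssl rsa -in "$work/my.key" -pubout -out "$work/my-pub.pem" 2>/dev/null

    printf 'Bonjour\n' > "$work/in.txt"

    # Steps 1+2: hash the document with SHA-256 and sign the digest
    # (PKCS#1 v1.5 padding by default). in.txt.sha256 holds only the
    # signature, not the document.
    openssl dgst -sha256 -sign "$work/my.key" -out "$work/in.txt.sha256" "$work/in.txt"

    # Steps 3+4: the recipient recomputes the digest and checks it against
    # the signature with the public key.
    genuine=$(verify_file "$work/my-pub.pem" "$work/in.txt.sha256" "$work/in.txt")

    # Tamper with a single byte of the document: the digest changes, so the
    # same signature must now be rejected.
    printf 'Bonjoux\n' > "$work/in.txt"
    tampered=$(verify_file "$work/my-pub.pem" "$work/in.txt.sha256" "$work/in.txt")

    rm -rf "$work"
    echo "$genuine $tampered"
}

demo_detached_signature
```

Because `openssl dgst -verify` exits non-zero on a mismatch, the `if` in verify_file is all a deployment script needs; checking the output text "Verified OK" is fragile across versions.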
Solution 2
Verify using public key:
echo "plop" > "helloworld.txt"
openssl rsautl -sign -in helloworld.txt -inkey private.pem -out sig
openssl rsautl -verify -in sig -inkey public.pem -pubin
> plop
Solution 3
Your method is basically correct. What you are missing is telling rsautl that the input key file is a public key, by adding "-pubin". The "-pubin" item in the OpenSSL rsautl documentation isn't accurate: "-pubin: the input file is an RSA public key" should be "-pubin: the input key file is an RSA public key", since the input file should be a signature file.
Solution 4
You can check the doc for rsautl.
In your example, this would give:
openssl rsautl -verify -in sig -inkey aa.pem
I have copied my full history below:
echo "plop" > "helloworld.txt"
openssl rsautl -sign -in helloworld.txt -inkey aa.pem -out sig
openssl rsautl -verify -in sig -inkey aa.pem
> plop
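The rsautl message-recovery flow from Solutions 2 to 4, as an added example that is not code from any of those answers. It signs helloworld.txt with the private key, recovers the text with the public key using -pubin, and then shows the limit that Solution 1 alludes to: rsautl -sign pads the whole input with PKCS#1 v1.5 and processes it as a single RSA block, so with a 2048-bit key the input can be at most 256 - 11 = 245 bytes and a 300-byte file cannot be signed this way at all. It assumes openssl is on PATH; file names follow Solution 2, function names are my own.

```shell
#!/bin/sh
# Added example, not from the answers above: rsautl sign / verify with -pubin,
# plus the input-size limit of this mode. Assumes openssl is on PATH.
set -u

# recover_with_pubkey PUBKEY SIGFILE
# Prints the text recovered from SIGFILE using the public key, or "FAIL".
# -pubin tells rsautl that -inkey is a public key; the signature itself is -in.
recover_with_pubkey() {
    openssl rsautl -verify -pubin -inkey "$1" -in "$2" 2>/dev/null || echo FAIL
}

# demo_rsautl
# Prints "<recovered text> <big-file result>", expected "plop too-large".
demo_rsautl() {
    work=$(mktemp -d)

    # Throwaway key pair: private.pem and its public half public.pem.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/private.pem" 2>/dev/null
    openssl rsa -in "$work/private.pem" -pubout -out "$work/public.pem" 2>/dev/null

    printf 'plop\n' > "$work/helloworld.txt"

    # Sign: the whole file is embedded in sig, so verifying outputs it again.
    openssl rsautl -sign -in "$work/helloworld.txt" -inkey "$work/private.pem" -out "$work/sig"
    recovered=$(recover_with_pubkey "$work/public.pem" "$work/sig")

    # 300 bytes of 'A': larger than the 245-byte maximum for a 2048-bit key,
    # so rsautl refuses ("data too large for key size") and exits non-zero.
    printf '%300s' '' | tr ' ' 'A' > "$work/big.txt"
    if openssl rsautl -sign -in "$work/big.txt" -inkey "$work/private.pem" \
            -out "$work/big.sig" 2>/dev/null; then
        big=signed
    else
        big=too-large
    fi

    rm -rf "$work"
    echo "$recovered $big"
}

demo_rsautl
```

This is why Solution 1 recommends signing a digest instead: a 32-byte SHA-256 hash always fits in one RSA block, while the document itself usually does not. Note also that rsautl is marked deprecated in OpenSSL 3.0 in favour of pkeyutl, although it still works there.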
c2h2
Updated on September 14, 2020
Comments
-
c2h2 over 3 years
Hi I have generated a key pair and used the private key to generate a signature.
openssl rsautl -sign -in helloworld.txt -inkey aa.pem -out sig
However I am unable to verify the signature with my public key:
openssl rsautl -verify -in helloworld.txt -inkey aa.pub -sigfile sig
I know -sigfile is deprecated, and some of the online documentation from openssl.org is wrong.
What's the command I should use to verify the sig with my public key?
-
c2h2 about 13 years: Hi, thanks, I did read the manual, but I need to use a public key to verify, not a private key.
-
Kyle Butt over 8 years: Use -pubin and pass the public key as an argument to -inkey.
-
Badda almost 7 years: When using this very command line to verify the signature of some given data, I get the following error output:
Verification failure
Error in dgst
Does this mean the verification failed because of an error, or because the files didn't match correctly?
-
M'vy almost 7 years: There is no real reason for signature decoding to fail, so I'd say mismatch.
-
Badda almost 7 years: Do you happen to know if the format of the signature is important? I think the .sign format is not handled.
-
M'vy almost 7 years: You should really look at the documentation. Signature files are text files; extensions do not matter. Yes, there is a format for the content of the file, but without looking at it, I can't say if it's OK. Test it first with the command I put here and a random text file; it should work. Then test your own files.