NBSVTOOL(1)                General Commands Manual                NBSVTOOL(1)
NAME
 nbsvtool — create and verify detached signatures of files
SYNOPSIS
 nbsvtool [-v] [-a anchor-certificates] [-c certificate-chain] [-f certificate-file] [-k private-key-file] [-u required-key-usage] command args ...
 
DESCRIPTION
 nbsvtool is used to create and verify detached X.509 signatures of files. Private keys and certificates are expected to be PEM encoded; signatures are in PEM/SMIME format.
Supported commands:
 sign file
     Sign file, placing the signature in file.sp7. The options -f and -k are required for this command.
 verify file [signature]
     Verify signature for file. If signature is not specified, file.sp7 is used.
 verify-code file [signature]
     This is a shortcut for verify with the option -u code.
Supported options:
 -a anchor-certificates
     A file containing one or more (concatenated) keys that are considered trusted.
 -c certificate-chain
     A file containing additional certificates that will be added to the signature when creating one. They will be used to fill missing links in the trust chain when verifying the signature.
 -f certificate-file
     A file containing the certificate to use for signing. The certificate must match the key given by -k.
 -k private-key-file
     A file containing the private key to use for signing.
 -u required-key-usage
     Verify that the extended key-usage attribute in the signing certificate matches required-key-usage. Otherwise, the signature is rejected. The key usage can be one of: “ssl-server”, “ssl-client”, “code”, or “smime”.
 -v
     Print verbose information about the signing certificate.
 
EXIT STATUS
 The nbsvtool utility exits 0 on success, and >0 if an error occurs.
EXAMPLES
 Create signature file hello.sp7 for file hello. The private key is found in file key, the matching certificate is in cert, and additional certificates from cert-chain are included in the created signature.
     nbsvtool -k key -f cert -c cert-chain sign hello hello.sp7
Verify that the signature hello.sp7 is valid for file hello and that the signing certificate allows code signing. Certificates in anchor-file are considered trusted, and there must be a certificate chain from one of those certificates to the signing certificate.
     nbsvtool -a anchor-file verify-code hello hello.sp7
 
CAVEATS
 As there is currently no default trust anchor, you must explicitly specify one with -a, otherwise no verification can succeed.
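 The following fail-closed wrapper is an added example, not part of the original manual page or the NetBSD sources. It combines the exit status, the file.sp7 default and the -a requirement described above. The function name verify_code_or_refuse and the NBSVTOOL override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: fail-closed gate around "nbsvtool verify-code".
# NBSVTOOL and verify_code_or_refuse are names invented for this example;
# only the nbsvtool options and commands come from the manual page.
# Usage after sourcing: verify_code_or_refuse anchor-file hello || exit 1

NBSVTOOL=${NBSVTOOL:-nbsvtool}

# verify_code_or_refuse anchor-file file [signature]
# Returns 0 only if nbsvtool accepts the signature; every other outcome
# refuses (2 = precondition not met, 1 = nbsvtool rejected the signature).
# POSIX sh has no "local", so anchor, file and sig are global variables.
verify_code_or_refuse() {
    anchor=$1
    file=$2
    sig=${3:-$file.sp7}    # same default nbsvtool uses: file.sp7

    # CAVEATS: there is no default trust anchor, so require one up front
    # instead of letting every verification fail with a less clear error.
    if [ -z "$anchor" ] || [ ! -r "$anchor" ] || [ ! -s "$anchor" ]; then
        echo "refuse: trust anchor file missing or empty: $anchor" >&2
        return 2
    fi
    if [ ! -r "$file" ]; then
        echo "refuse: cannot read $file" >&2
        return 2
    fi
    # A missing signature is a failure, never "unsigned, so allowed".
    if [ ! -s "$sig" ]; then
        echo "refuse: no signature at $sig" >&2
        return 2
    fi

    # EXIT STATUS: 0 on success, >0 on any error. verify-code is verify
    # with -u code, so the signing certificate must allow code signing.
    if "$NBSVTOOL" -a "$anchor" verify-code "$file" "$sig"; then
        return 0
    fi
    echo "refuse: signature check failed for $file" >&2
    return 1
}
```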