Skip to content

Instantly share code, notes, and snippets.

@ezimuel

ezimuel/sign.sh

Created March 14, 2016 15:50
  • Star 82 You must be signed in to star a gist
  • Fork 29 You must be signed in to fork a gist
Star You must be signed in to star a gist
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Sign and verify a file using OpenSSL command line tool. It exports the digital signature in Base64 format.
Raw
sign.sh
#!/bin/bash
# Sign a file with a private key using OpenSSL
# Encode the signature in Base64 format
#
# Usage: sign <file> <private_key>
#
# NOTE: to generate a public/private key use the following commands:
#
# openssl genrsa -aes128 -passout pass:<passphrase> -out private.pem 2048
# openssl rsa -in private.pem -passin pass:<passphrase> -pubout -out public.pem
#
# where <passphrase> is the passphrase to be used.
filename=$1
privatekey=$2
if [[ $# -lt 2 ]] ; then
echo "Usage: sign <file> <private_key>"
exit 1
fi
openssl dgst -sha256 -sign $privatekey -out /tmp/$filename.sha256 $filename
openssl base64 -in /tmp/$filename.sha256 -out signature.sha256
rm /tmp/$filename.sha256
Raw
verify.sh
#!/bin/bash
# Verify a file with a public key using OpenSSL
# Decode the signature from Base64 format
#
# Usage: verify <file> <signature> <public_key>
#
# NOTE: to generate a public/private key use the following commands:
#
# openssl genrsa -aes128 -passout pass:<passphrase> -out private.pem 2048
# openssl rsa -in private.pem -passin pass:<passphrase> -pubout -out public.pem
#
# where <passphrase> is the passphrase to be used.
filename=$1
signature=$2
publickey=$3
if [[ $# -lt 3 ]] ; then
echo "Usage: verify <file> <signature> <public_key>"
exit 1
fi
openssl base64 -d -in $signature -out /tmp/$filename.sha256
openssl dgst -sha256 -verify $publickey -signature /tmp/$filename.sha256 $filename
rm /tmp/$filename.sha256
@aliakhtar
Copy link

Congrats, Satoshi loves you, apparently. https://www.reddit.com/r/Buttcoin/comments/4hkpwe/inventor_of_bitcoin_proves_he_can_write_a_2line/

@mrcancer91
Copy link

Thanks. These scripts really help me out

@sambacha
Copy link

It only took 4 years for people to realize what a 2 part bash script proved years ago...

@mehtaparitosh
Copy link

This is amazing! Thank you for the article and thank you for the scripts!

I am using Code Signing feature of AWS IoT Jobs, and I was stuck on how to verify the signatures :D

@liiri
Copy link

liiri commented Jan 31, 2021

Use following in sign.sh to have it fully non-interactive:

openssl dgst -sha256 -sign $privatekey -passin pass:<passphrase> -out /tmp/$filename.sha256 $filename

@arunmir
Copy link

arunmir commented Dec 2, 2021

Thanks a lot, mate. This is very useful.

@pshterev
Copy link

pshterev commented Jan 18, 2023
edited

Useful! Thanks. Although I wonder why transforming binary sig to base64 and then from base64? The base64 transformation can be skipped for the purposes of this example. Also might be worth noting that public key should be a PUBLIC KEY and not a certificate. In many cases you don't generate private/public key pairs but instead you have a private key and a certificate that might be signed by a public CA. So in this case you have to extract the public key from the certificate with: openssl x509 -in -pubkey -noout > public_key.pem

@Leo-Raumann
Copy link

@ pshterev

x509 -in -pubkey -noout > public_key.pem

I did find this command example often in internet, but for my openssl version coming along with git this does not work, i get error x509: Unknown parameter >. But I can use just "-noout" to get a print in the console, or "-out public_key.pem" to get a file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment