upstream: Allow testing signature syntax and validity without verifying

that a signature came from a trusted signer. To discourage accidental or unintentional use, this is invoked by the deliberately ugly option name "check-novalidate" from Sebastian Kinne OpenBSD-Commit-ID: cea42c36ab7d6b70890e2d8635c1b5b943adcc0b
author: djm@openbsd.org <djm@openbsd.org> 2019-09-16 03:23:02 +0000
committer: Damien Miller <djm@mindrot.org> 2019-09-16 13:25:53 +1000
commit: 8aa2aa3cd4d27d14e74b247c773696349472ef20 (patch)
tree: f9e411db0614268e0296d0492494ec9bcb51596a /ssh-keygen.1
parent: 7047d5afe3103f0f07966c05b810682d92add359 (diff)
1 files changed, 21 insertions, 3 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 081158546..f8dafb3aa 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.166 2019/09/05 05:47:23 jmc Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.167 2019/09/16 03:23:02 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 5 2019 $
+.Dd $Mdocdate: September 16 2019 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -149,10 +149,14 @@
 .Nm ssh-keygen
 .Fl Y Cm verify
 .Fl I Ar signer_identity
-.Fl f Ar allowed_keys_file
+.Fl f Ar allowed_signers_file
 .Fl n Ar namespace
 .Fl s Ar signature_file
 .Op Fl r Ar revocation_file
+.Nm ssh-keygen
+.Fl Y Cm check-novalidate
+.Fl s Ar signature_file
+.Fl n Ar namespace
 .Ek
 .Sh DESCRIPTION
 .Nm
@@ -716,6 +720,20 @@ flag.
 The revocation file may be a KRL or a one-per-line list of public keys.
 Successful verification by an authorized signer is signalled by
 .Nm
+.It Fl Y Cm check-novalidate
+Checks that a signature generated using
+.Nm
+.Fl Y Cm sign
+has a valid structure.
+This does not validate if a signature comes from an authorized signer.
+When testing a signature,
+.Nm
+accepts a message on standard input and a signature namespace using
+.Fl n .
+A file containing the corresponding signature must also be supplied using the
+.Fl s
+flag. Successful testing of the signature is signalled by
+.Nm
 returning a zero exit status.
 .It Fl z Ar serial_number
 Specifies a serial number to be embedded in the certificate to distinguish
author	djm@openbsd.org <djm@openbsd.org>	2019-09-16 03:23:02 +0000
committer	Damien Miller <djm@mindrot.org>	2019-09-16 13:25:53 +1000
commit	8aa2aa3cd4d27d14e74b247c773696349472ef20 (patch)
tree	f9e411db0614268e0296d0492494ec9bcb51596a /ssh-keygen.1
parent	7047d5afe3103f0f07966c05b810682d92add359 (diff)

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 081158546..f8dafb3aa 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.166 2019/09/05 05:47:23 jmc Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.167 2019/09/16 03:23:02 djm Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: September 5 2019 $	38	.Dd $Mdocdate: September 16 2019 $
39	.Dt SSH-KEYGEN 1	39	.Dt SSH-KEYGEN 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -149,10 +149,14 @@
149	.Nm ssh-keygen	149	.Nm ssh-keygen
150	.Fl Y Cm verify	150	.Fl Y Cm verify
151	.Fl I Ar signer_identity	151	.Fl I Ar signer_identity
152	.Fl f Ar allowed_keys_file	152	.Fl f Ar allowed_signers_file
153	.Fl n Ar namespace	153	.Fl n Ar namespace
154	.Fl s Ar signature_file	154	.Fl s Ar signature_file
155	.Op Fl r Ar revocation_file	155	.Op Fl r Ar revocation_file
		156	.Nm ssh-keygen
		157	.Fl Y Cm check-novalidate
		158	.Fl s Ar signature_file
		159	.Fl n Ar namespace
156	.Ek	160	.Ek
157	.Sh DESCRIPTION	161	.Sh DESCRIPTION
158	.Nm	162	.Nm
@@ -716,6 +720,20 @@ flag.
716	The revocation file may be a KRL or a one-per-line list of public keys.	720	The revocation file may be a KRL or a one-per-line list of public keys.
717	Successful verification by an authorized signer is signalled by	721	Successful verification by an authorized signer is signalled by
718	.Nm	722	.Nm
		723	.It Fl Y Cm check-novalidate
		724	Checks that a signature generated using
		725	.Nm
		726	.Fl Y Cm sign
		727	has a valid structure.
		728	This does not validate if a signature comes from an authorized signer.
		729	When testing a signature,
		730	.Nm
		731	accepts a message on standard input and a signature namespace using
		732	.Fl n .
		733	A file containing the corresponding signature must also be supplied using the
		734	.Fl s
		735	flag. Successful testing of the signature is signalled by
		736	.Nm
719	returning a zero exit status.	737	returning a zero exit status.
720	.It Fl z Ar serial_number	738	.It Fl z Ar serial_number
721	Specifies a serial number to be embedded in the certificate to distinguish	739	Specifies a serial number to be embedded in the certificate to distinguish