On Thu Sep 01 13:18:44 2016, stef...@sdaoden.eu wrote:
> Hello.
>
> From the documentation I cannot tell what is wrong with the
> following:
>
>   echo abc > a; echo def > b; echo ghi > c
>   openssl genpkey -algorithm RSA -out k.prv
>   openssl pkey -in k.prv -pubout -out k.pub
>   openssl dgst -sha512 -sign k.prv -out .sig a b c
>   openssl dgst -sha512 -verify k.pub -signature .sig a b c
>   rm k.prv k.pub a b c

The manual for dgst has this little note:

    The signing and verify options should only be used if a single file is
    being signed or verified.

In other words, don't do that.

While I can understand the desire to do multiple files in one swoop, the signature file (.sig in this case) isn't formatted in any special way, it's literally just a stream of bytes. So it does contain all the signatures, but in an unstructured format. Verification will read that file and use the first n bytes from it when verifying each file you give it. That's why you get correct verification on the first file but not the others.

The solution to this is to enhance dgst so it loudly refuses to sign or verify more than one file.

Cheers,
Richard

--
Richard Levitte
levi...@openssl.org

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4669
Please log in as guest with password guest if prompted

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
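
One way to follow the single-file rule quoted in the reply above, as an added example that is not part of the original thread or of OpenSSL: sign each file into its own signature file and verify each file against its own signature. The function names `sign_each`, `verify_each` and `demo` and the `.sig` suffix are assumptions of this sketch; the sample files are constructed with the same contents as in the question.

```shell
#!/bin/sh
# Added example, not from the thread: one signature file per input file,
# so verification never reads bytes that belong to another file's signature.

# sign_each KEY FILE...   writes FILE.sig next to every FILE
sign_each() {
    key=$1; shift
    for f in "$@"; do
        openssl dgst -sha512 -sign "$key" -out "$f.sig" "$f" || return 1
    done
}

# verify_each PUBKEY FILE...   returns non-zero if any file fails
verify_each() {
    pub=$1; shift
    rc=0
    for f in "$@"; do
        if [ ! -f "$f.sig" ]; then
            echo "MISSING SIGNATURE: $f" >&2; rc=1; continue
        fi
        # openssl exits non-zero on "Verification Failure"
        if ! openssl dgst -sha512 -verify "$pub" \
                -signature "$f.sig" "$f" >/dev/null 2>&1; then
            echo "VERIFY FAILED: $f" >&2; rc=1
        fi
    done
    return $rc
}

# demo: constructed sample files in a scratch directory
demo() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" &&
      echo abc > a && echo def > b && echo ghi > c &&
      openssl genpkey -algorithm RSA -out k.prv 2>/dev/null &&
      openssl pkey -in k.prv -pubout -out k.pub &&
      sign_each k.prv a b c &&
      verify_each k.pub a b c )
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Run the demo only when asked: sh script.sh demo
if [ "${1:-}" = "demo" ]; then demo && echo "all files verified"; fi
```
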