Richard Levitte via RT <r...@openssl.org> wrote:
|On Thu Sep 01 13:18:44 2016, stef...@sdaoden.eu wrote:
|> From the documentation i cannot tell what is wrong with the
|> following:
|>
|> echo abc > a; echo def > b; echo ghi > c
|> openssl genpkey -algorithm RSA -out k.prv
|> openssl pkey -in k.prv -pubout -out k.pub
|> openssl dgst -sha512 -sign k.prv -out .sig a b c
|> openssl dgst -sha512 -verify k.pub -signature .sig a b c
|> rm k.prv k.pub a b c
|
|The manual for dgst has this little note
|
|The signing and verify options should only be used if a single file is being
|signed or verified.
|In other words, don't do that.
I really haven't seen that. It is the second last sentence. Hm.

|While I can understand the desire to do multiple files in one swoop, the
|signature file (.sig in this case) isn't formatted in any special way, it's
|literally just a stream of bytes. So it does contain all the signatures, but
|in an unstructured format. Verification will read that file and use the first n
|bytes from it when verifying each file you give it. That's why you get correct
|verification on the first file but not the others.
|
|The solution to this is to enhance dgst so it loudly refuses to sign or verify
|more than one file.

If that is your way. I haven't actually tried it, but the following should do what you want?!

Ciao,

--- dgst.c.orig 2016-09-02 15:06:08.952110179 +0200 +++ dgst.c 2016-09-02 15:13:57.592904667 +0200 @@ -369,6 +369,14 @@ int dgst_main(int argc, char **argv) if (md) md_name = EVP_MD_name(md); } + + if (argc > 1 && (sigbuf != NULL || sigkey != NULL)){ + BIO_printf(bio_err, "Signing and verifying cannot be used with " + "multiple files\n"); + ret = 1; + goto end; + } + ret = 0; for (i = 0; i < argc; i++) { int r;

--steffen

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4669
Please log in as guest with password guest if prompted

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
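Review bot: style nit on the added `if (argc > 1 && (sigbuf != NULL || sigkey != NULL)){` line: OpenSSL style puts a space before the opening brace, i.e. `)) {`. Since this turns the manual's "should only be used if a single file is being signed or verified" advice into a hard error, the dgst documentation should be updated in the same change to say that `-sign` and `-verify` accept exactly one file. The error path itself reads correctly: the message goes to `bio_err`, `ret = 1` is set and `goto end` leaves before any of the files is processed.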
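The per-file usage the manual calls for, as an added example that is not part of this thread or of OpenSSL: every file gets its own detached signature, so verification is per file and a file altered after signing is caught instead of silently passing on the strength of the first signature. The names `sign_each`, `verify_each`, `make_fixture`, `demo_valid` and `demo_tampered` are chosen here; the script assumes a POSIX sh with `openssl` and `mktemp` in PATH, and the three input files are the constructed ones from the ticket.

```shell
# Added example (not from the thread or from OpenSSL): one detached
# signature per file, which is the usage the dgst manual describes.
# Assumes a POSIX sh with openssl and mktemp in PATH.

# sign_each KEY.prv FILE... : writes FILE.sig next to each FILE
sign_each() {
    key=$1; shift
    for f in "$@"; do
        openssl dgst -sha512 -sign "$key" -out "$f.sig" "$f" || return 1
    done
}

# verify_each KEY.pub FILE... : checks every FILE against its own FILE.sig,
# reports each result and returns non-zero if any file fails
verify_each() {
    key=$1; shift
    status=0
    for f in "$@"; do
        if openssl dgst -sha512 -verify "$key" -signature "$f.sig" "$f" >/dev/null 2>&1; then
            echo "$f: OK"
        else
            echo "$f: FAILED"
            status=1
        fi
    done
    return $status
}

# make_fixture: fresh temp dir holding a key pair and the three files from
# the ticket (constructed sample data); prints the directory name
make_fixture() {
    d=$(mktemp -d) || return 1
    ( cd "$d" &&
      printf 'abc\n' > a && printf 'def\n' > b && printf 'ghi\n' > c &&
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out k.prv 2>/dev/null &&
      openssl pkey -in k.prv -pubout -out k.pub ) || return 1
    echo "$d"
}

# demo_valid: all three files verify against their own signatures; exits 0
demo_valid() (
    d=$(make_fixture) && cd "$d" &&
    sign_each k.prv a b c &&
    verify_each k.pub a b c
)

# demo_tampered: b is rewritten after signing; exits 0 only when
# verify_each reports the mismatch (i.e. returns non-zero)
demo_tampered() (
    d=$(make_fixture) && cd "$d" &&
    sign_each k.prv a b c &&
    printf 'DEF\n' > b &&
    ! verify_each k.pub a b c
)
```

Each demo runs in a subshell so the `cd` into the temp directory does not leak into the caller; `verify_each` keeps going after a failure so that every file's status is printed, and only its exit status carries the overall verdict.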