Home / server / Questions / 219818
In Process
mparaz
Asked: 2011-01-08 04:47:55 +0800 CST

Creating a DSA Signature from the Linux command line

  • 772

I'm looking for a Linux/Unix command-line tool to create a DSA signature from a given file/data and a private key.

I know about the xmlsec1 tool. But I would like something simpler. It seems that OpenSSL provides this function as a developer library, but not as a tool.

unix cryptography dsa

4 Answers

  1. It's done with "openssl dgst" - not the most obvious place to put it...

    Found in:

    http://www.myelin.co.nz/post/2005/5/23/

    openssl dsaparam 1024 < /dev/random > dsaparam.pem

openssl gendsa dsaparam.pem -out dsa_priv.pem

openssl dsa -in dsa_priv.pem -pubout -out dsa_pub.pem

echo "foobar" > foo.txt

sha1sum < foo.txt | awk '{print $1}' > foo.sha1

openssl dgst -dss1 -sign dsa_priv.pem foo.sha1 > sigfile.bin

openssl dgst -dss1 -verify dsa_pub.pem -signature sigfile.bin foo.sha1
    • 3

  2. The following tentative set of commands seems to work with openssl 1.0.2g and 1.1.0g. Compared to that other answer, it aims to generate a signature of the file (including the standard-mandated hash step), rather than a signature (including a second hash step) of the lowercase hexadecimal ASCII representation of a first hash of the file. Also it uses more modern hash and modulus size.

    # generate parameters with 2048-bit DSA, SHA-256 (can be common to multiple keys)
openssl genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048 -pkeyopt dsa_paramgen_q_bits:256 -pkeyopt dsa_paramgen_md:sha256 -out dsaparams.pem

# generate a private key and extract the public key
openssl genpkey -paramfile dsaparams.pem -out dsaprivkey.pem
openssl dsa -in dsaprivkey.pem -pubout > dsapubkey.pem

# create a file "myfile" to be signed
echo 'The Magic Words are Squeamish Ossifrage' > myfile

# create signature "myfile.sig"
openssl dgst -sha256 -sign dsaprivkey.pem myfile > myfile.sig

# verify "myfile" against signature "myfile.sig" and public key
openssl dgst -sha256 -verify dsapubkey.pem -signature myfile.sig myfile

    Note: A former attempt made openssl 1.0.2g generate signatures with 160-bit q (perhaps using SHA-1). Per comment, I added -sha256 to openssl dgst, but it made no difference. Experiments suggest it is necessary to use -pkeyopt dsa_paramgen_q_bits:256, even though the man page explicitly states -pkeyopt dsa_paramgen_md:sha256 takes care of that:

    dsa_paramgen_md:digest
    The digest to use during parameter generation. Must be one of sha1, sha224 or sha256. If set, then the number of bits in q will match the output size of the specified digest and the dsa_paramgen_q_bits parameter will be ignored (..)

    • 1
    • 0

  4. Do you want to create a signature for a file such that the integrity of that file can be verified? I think you're looking for Gnu Privacy Guard (GnuPG).

    gpg --output filename.sig --detach-sig filename

    This creates a signature file, filename.sig, based on the original, filename, that can be verified with

    gpg --verify filename.sig filename
    • 0