I need signature data in hex form, so I use:

openssl dgst -sha256 -hex -sign ./id_rsa my.data > my.signature

The openssl docs note that:

Hex signatures cannot be verified using openssl. Instead, use "xxd -r" or similar program to transform the hex signature into a binary signature prior to verification. Source

But, when I try to do this ...

echo "$(cat my.signature)" | xxd -r -p > binary.signature

... I get nothing

Can anyone see what I'm doing wrong?

jww
Dan
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. – jww Dec 22 '17 at 06:33

1 Answer

Dan, the hex signature file is not a plain hex string. It starts with a non-hex prefix that xxd fails to parse. Something like RSA-SHA256(my.data)=. You need to remove it before verification.

cat my.signature | sed -e 's/.*= \([^ ]\+\)$/\1/' | xxd -r -p > binary.signature

One little tip. If you used ssh-keygen to create the file id_rsa, then the corresponding id_rsa.pub is not suitable for openssl; it is in ssh format. You need to generate a public key in PEM format.

openssl rsa -in id_rsa -pubout > id_rsa.pub.pem

This is the right format for verification.

openssl dgst -verify id_rsa.pub.pem -signature binary.signature my.data
-> Verified OK
Pak Uula
  • Thank you for the insight -- that sed syntax doesn't seem to work, unfortunately – Dan Dec 22 '17 at 15:43
  • Update: apparently it's due to differences between linux sed and macOS sed – Dan Dec 22 '17 at 15:54
  • I'm a perfect dummy in MacOS ) Though I tried those snippets in Linux and they worked. The idea in sed regex is to find the trailing sequence without spaces. – Pak Uula Dec 22 '17 at 16:09
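
The whole round trip discussed in this thread, as an added example that is not part of the original posts: sign with `-hex`, strip the prefix with a sed expression that avoids `\+` (a GNU extension that BSD/macOS sed does not accept), decode, and verify. The function names, the throwaway key pair and the temp directory are assumptions of the example.

```shell
#!/bin/sh
# Added example. Assumes openssl plus xxd (or perl) on PATH. The key pair and
# data are constructed throwaway values in a temp directory.

# Create a throwaway key pair (PEM public key, as openssl needs) and sample data.
setup_demo() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/id_rsa" 2048 2>/dev/null || return 1
    openssl rsa -in "$d/id_rsa" -pubout -out "$d/id_rsa.pub.pem" 2>/dev/null || return 1
    printf 'constructed sample data\n' > "$d/my.data"
    echo "$d"
}

# Hex signature, as in the question: output is "ALGO(file)= <hex>".
sign_hex() {
    openssl dgst -sha256 -hex -sign "$1/id_rsa" "$1/my.data" > "$1/my.signature"
}

# Drop everything up to the last "= ", then decode the remaining hex.
# The sed expression uses no \+, so GNU sed and BSD/macOS sed both accept it.
hex_sig_to_bin() {
    hex=$(sed -e 's/^.*= *//' "$1/my.signature")
    if command -v xxd >/dev/null 2>&1; then
        printf '%s\n' "$hex" | xxd -r -p > "$1/binary.signature"
    else  # "or similar program": perl's pack does the same decoding
        printf '%s' "$hex" | perl -ne 'print pack("H*", $_)' > "$1/binary.signature"
    fi
}

# Name the digest explicitly so verification uses the one the signature was made with.
verify_sig() {
    openssl dgst -sha256 -verify "$1/id_rsa.pub.pem" \
        -signature "$1/binary.signature" "$1/my.data" 2>/dev/null
}

if demo=$(setup_demo); then
    sign_hex "$demo" && hex_sig_to_bin "$demo" && verify_sig "$demo"
    printf 'tampered\n' >> "$demo/my.data"   # any change to the data must now fail
    verify_sig "$demo" || echo "tampered data rejected"
    rm -rf "$demo"
fi
```
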