Sign and Verify Files with SSH Keys

Signing files

ssh-keygen -Y sign -f ~/.ssh/id_rsa -n file "${file_to_sign}"
  • ~/.ssh/id_rsa is the path to the private key
  • -n file sets the signature namespace; the same value must be passed to -n when verifying
  • the default signature name is ${file_to_sign}.sig

Verifying signatures

Prepare an allowed_signers file containing, on one line, the signer's email address, the key type and the public key:

linux1@vm2021 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC1IUBsl/582WYfgvER5iuG6lnWWLhRvHz5jjUxOWpTVMNiDvI1eUS5XIE8m1i2PLR1CD4+65yX48q+UT9TXqFVR8N33kuHUkbnNooqUCdYfjKcGD/HqhpjUcleYdzAn6HmVW8R3byEs51wcopQMV5r57F6+EJw7ssrcgc7wvHMjs4+4erW2Nfu9h5MGXww6v3W/ampcVyCMtY568FORNfNQ8Jhan911CQl6zgGiteqI03ccOWaELtn8+QieIMEPaoDMf9n0V9ULPsK6M9RYIXv2o38HiRA2tskdOZ+hWfdMG/zw/TyhITZr1wlsxzNQvQrrRgxkt/6DVdUqL960267QfgaUqe+eGB908mAYBDD14wMI9CZqz7i8oMEOBXG4SJYg9F+5e+va/SLTUo97MkGx3Ng0zoTWNtTQYw+JHWt76QnOBGc3xNsNipceKZo5zzHp7AYxhddOaIniYqLnH9Yb3A5B4Tv9a954fikHLiv97DkUEsk2niePdD8Pb1t5UU=

Use the following command to verify. The value given to -I must match the email address in allowed_signers.

ssh-keygen -Y verify -f allowed_signers -I linux1@vm2021 -n file -s "${file_to_verify}.sig" < "${file_to_verify}"

Output when the signature is valid:

Good "file" signature for linux1@vm2021 with RSA key SHA256:NmVC1oHNMssv0UfhfCSUKY2UjboQrGI5RwCGK7n0pIU
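
The sign and verify steps above as one round trip, extended to show the cases where verification must fail (modified file, different namespace, identity not in allowed_signers). This is an added example, not part of the original page; the throwaway Ed25519 key, the identity demo@example.invalid and the file names are constructed for the demonstration, and it assumes OpenSSH 8.1 or later.

```shell
#!/bin/sh
# Added example: sign/verify round trip with a throwaway key.
# Needs OpenSSH 8.1 or later (first release with `ssh-keygen -Y`).
WORK=$(mktemp -d)                 # scratch dir for key, files and signature
trap 'rm -rf "$WORK"' EXIT
ID="demo@example.invalid"         # constructed signer identity
NS="file"                         # namespace, the value the page passes to -n

setup() {
    # Throwaway Ed25519 key without passphrase; do not reuse it elsewhere.
    ssh-keygen -q -t ed25519 -N "" -C "$ID" -f "$WORK/key" || return 1
    printf 'release payload v1\n' > "$WORK/data.txt"
    printf 'release payload v1 (modified)\n' > "$WORK/tampered.txt"
    # allowed_signers line: identity, key type, base64 public key.
    printf '%s %s\n' "$ID" "$(cut -d' ' -f1,2 "$WORK/key.pub")" \
        > "$WORK/allowed_signers"
    # Writes the signature to $WORK/data.txt.sig.
    ssh-keygen -Y sign -f "$WORK/key" -n "$NS" "$WORK/data.txt" 2>/dev/null
}

# check NAMESPACE IDENTITY FILE: exit status 0 only if the signature in
# data.txt.sig is valid for FILE under that namespace and identity.
check() {
    ssh-keygen -Y verify -f "$WORK/allowed_signers" -I "$2" -n "$1" \
        -s "$WORK/data.txt.sig" < "$3" >/dev/null 2>&1
}

run_demo() {
    setup || { echo "setup failed: is ssh-keygen 8.1+ installed?"; return 1; }
    check "$NS" "$ID" "$WORK/data.txt"     && echo "original file: accepted"
    check "$NS" "$ID" "$WORK/tampered.txt" || echo "tampered file: rejected"
    check "git" "$ID" "$WORK/data.txt"     || echo "wrong namespace: rejected"
    check "$NS" "other@example.invalid" "$WORK/data.txt" \
        || echo "unlisted identity: rejected"
}

run_demo
```

In scripts, act on the exit status of ssh-keygen -Y verify as check() does, rather than on the "Good ... signature" text.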
