| SOPV(1) | Stateless OpenPGP Signature Verification | SOPV(1) |
sopv - Verify OpenPGP signatures
sopv [--debug] subcommand
sopv is the verification-only subset of the OpenPGP Stateless Command Line Interface, also known as "SOP".
sopv is designed to verify OpenPGP signatures. It can verify detached signatures as well as inline signatures. The caller indicates which signers are acceptable by supplying a set of OpenPGP certificates.
$ sopv version
ExampleSop 2.3.0
$ sopv verify libfoo-3.1.2.tgz.sig libfoo-keys.pgp < libfoo-3.1.2.tgz
2025-02-03T0:02:25Z 8CD219FC05D9DE9F3D59B784160B8EF5536B0D27 8CD219FC05D9DE9F3D59B784160B8EF5536B0D27 mode:binary {"signers":["libfoo-keys.pgp"]}
$ sopv inline-verify --verifications-out=verifs.txt alice.cert < alice-message.csf
This is a message from Alice
$ cat verifs.txt
2025-02-13T00:04:49Z 63339423454CA210DAA886C08723C4D38E0802F6 F255F2A602AC1DFF2331085E5DAE32C783FC418D mode:text {"signers":["alice.cert"]}
$
To do something only when a detached signature is valid:
if sopv verify libfoo-3.1.2.tgz.sig libfoo-keys.pgp < libfoo-3.1.2.tgz > /dev/null; then
    # The software was signed correctly
    ...
fi
To do something only when an inline signature is valid:
if sopv inline-verify alice.cert < alice-message.csf > alice.message; then
    # alice.message is data that was signed by alice
    ...
fi
Exactly one subcommand must be supplied.
All sopv subcommands accept the --debug option.
Each subcommand also has its own distinct options and arguments; see the corresponding manual page.
Some sopv subcommands take data types as inputs, either as arguments or on standard input.
In some cases, sopv emits a VERIFICATIONS text stream, which contains a concise description of every valid OpenPGP signature discovered.
Each line in a VERIFICATIONS stream represents a valid signature from an acceptable signer. Each line has at least three fixed fields, separated from one another and from any final optional fields by whitespace.
The fields are, in order:
Wherever a CERTS or SIGNATURES or VERIFICATIONS object is pointed to on the command line, it is typically presented as a path to a file. sopv should also accept a special designator, which is any string starting with an @ character.
There are two established kinds of special designator:
If you want to refer to a file in the filesystem whose name actually begins with an @ (for example, @foo), you should indicate that file to sopv using ./@foo to avoid an AMBIGUOUS_INPUT error.
The sopv specification keeps a version history similar to semantic versioning (https://semver.org/). Implementations indicate their compliance with a specific level of the spec with sopv version --sopv (see sopv-version(1)).
sopv indicates success by returning 0.
A failure is indicated by returning any non-zero return code, often using values from the following table.
| Value | Mnemonic | Meaning |
| 0 | OK | Success |
| 1 | UNSPECIFIED_FAILURE | An otherwise unspecified failure occurred |
| 3 | NO_SIGNATURE | No acceptable signatures found |
| 19 | MISSING_ARG | Missing required argument |
| 37 | UNSUPPORTED_OPTION | Unsupported option |
| 41 | BAD_DATA | Invalid data type (secret key where CERTS expected, etc.) |
| 59 | OUTPUT_EXISTS | Output file already exists |
| 61 | MISSING_INPUT | Input file does not exist |
| 69 | UNSUPPORTED_SUBCOMMAND | Unsupported subcommand |
| 71 | UNSUPPORTED_SPECIAL_PREFIX | sopv does not know how to handle the special designator |
| 73 | AMBIGUOUS_INPUT | A file with the name of the special designator is present |
Details about warnings or errors may also be emitted to standard error.
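The following is an added example, not part of the sopv manual or of any sopv implementation. It combines the exit-code table above with the VERIFICATIONS stream: it separates "no acceptable signature" from invocation and input errors, then applies a pinned primary-key fingerprint and minimum-timestamp policy to the reported signatures. The function names, the SOPV variable and the policy arguments are hypothetical; the field order (timestamp, signing-key fingerprint, primary-key fingerprint) is taken from the SOP specification.

```shell
#!/bin/sh
# Added example; helper names and the SOPV variable are hypothetical.
SOPV=${SOPV:-sopv}    # which sopv implementation to run

# Map a sopv exit status to a coarse verdict (values from the table above).
sopv_verdict() {
    case "$1" in
        0)                 echo verified ;;
        3)                 echo no-signature ;;   # NO_SIGNATURE
        41|61)             echo bad-input ;;      # BAD_DATA, MISSING_INPUT
        19|37|59|69|71|73) echo caller-error ;;   # invocation problems
        *)                 echo failure ;;        # 1 and unlisted codes
    esac
}

# Read VERIFICATIONS on stdin. Succeed only if some line carries the pinned
# primary-key fingerprint ($1) and a timestamp at or after $2.
# Fixed fields per the SOP spec: timestamp, signing-key fpr, primary-key fpr.
verifs_match() {
    awk -v want="$1" -v since="$2" '
        NF >= 3 && length($1) == 20 && $1 ~ /^[0-9-]+T[0-9:]+Z$/ &&
        toupper($3) == toupper(want) && ($1 "") >= (since "") { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_release SIG CERTS DATA PRIMARY_FPR NOT_BEFORE
# Prints a verdict; returns 0 only if signature and policy both pass.
verify_release() {
    # "&& ... ||" keeps the real status even under "set -e".
    verifs=$("$SOPV" verify "$1" "$2" < "$3") && status=0 || status=$?
    verdict=$(sopv_verdict "$status")
    if [ "$verdict" = verified ] &&
       ! printf '%s\n' "$verifs" | verifs_match "$4" "$5"; then
        verdict=policy-reject
    fi
    echo "$verdict"
    [ "$verdict" = verified ]
}
```

Matching on the third field rather than the second pins the signer's certificate even when the signature was made by a subkey, as in the alice.cert output shown earlier.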
This manual page was written by Daniel Kahn Gillmor. Your implementation of sopv is likely written by someone else in alignment with the SOP specification. Please run sopv version to learn more about your implementation.
sopv-version(1), sopv-verify(1), sopv-inline-verify(1), Stateless OpenPGP Command Line Interface https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/, RFC 9580 https://www.rfc-editor.org/rfc/rfc9580.html
| March 2025 | sopv 1.1 |