I have to correct myself: in `master` (and very soon in the 3.0.0 alpha1 release) `pkeyutl` already has support for signing/verifying files with Ed25519 keys.
```
λ /tmp/test25519/ ### Ensure OpenSSL dev build is in use for this shell
λ /tmp/test25519/ which openssl ; openssl version
/opt/openssl-master/bin/openssl
OpenSSL 3.0.0-dev xx XXX xxxx (Library: OpenSSL 3.0.0-dev xx XXX xxxx)
λ /tmp/test25519/ ### Generate Ed25519 private key
λ /tmp/test25519/ openssl genpkey -algorithm Ed25519 -out priv.pem
λ /tmp/test25519/ ### Extract pub key from private key
λ /tmp/test25519/ openssl pkey -in priv.pem -pubout -out pub.pem
λ /tmp/test25519/ ###
λ /tmp/test25519/ ### Up to this point all the commands were compatible
λ /tmp/test25519/ ### with OpenSSL 1.1.1 releases, the next one is the
λ /tmp/test25519/ ### one that requires OpenSSL 3.0.0-dev as `pkeyutl`
λ /tmp/test25519/ ### now has support for `-rawin` which is required
λ /tmp/test25519/ ### for signing/verifying files with Ed25519 keys.
λ /tmp/test25519/ ###
λ /tmp/test25519/ ### Generate a signature `sig.dat` for the file
λ /tmp/test25519/ ### `/bin/ls` using `priv.pem` private Ed25519 key;
λ /tmp/test25519/ openssl pkeyutl -sign -inkey priv.pem -out sig.dat \
    -rawin -in /bin/ls
λ /tmp/test25519/ ### Verify the file `/bin/ls` against a signature
λ /tmp/test25519/ ### `sig.dat` under the public Ed25519 key `pub.pem`.
λ /tmp/test25519/ ### Success is expected.
λ /tmp/test25519/ openssl pkeyutl -verify -pubin -inkey pub.pem \
    -rawin -in /bin/ls -sigfile sig.dat
Signature Verified Successfully
λ /tmp/test25519/ ### Verify the file `/bin/echo` against a signature
λ /tmp/test25519/ ### `sig.dat` under the public Ed25519 key `pub.pem`.
λ /tmp/test25519/ ### Failure is expected.
λ /tmp/test25519/ openssl pkeyutl -verify -pubin -inkey pub.pem \
    -rawin -in /bin/echo -sigfile sig.dat
Signature Verification Failure
```

On Wed, Apr 22, 2020, 19:12 Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:

> On Wed, Apr 22, 2020 at 01:27:03PM +0200, Nicola Tuveri wrote:
>
> > Unfortunately at the moment the command line utilities do not support
> > generating Ed25519 or Ed448 signatures for files.
> >
> > The reason is that in OpenSSL at the moment we only support pureEd25519,
> > which does not prehash the "message" to be signed, as Viktor mentioned
> > before.
>
> Which means no support in dgst(1), but that manpage suggests pkeyutl(1),
> which e.g. for RSA supports signing raw (unhashed) input, but sadly the
> EVP_PKEY_METHOD for ed25519 has a NULL sign() member; instead, somewhat
> ironically, it has a digestsign() method. This is presumably to
> distinguish between the pure and prehash variants. Therefore, presently
> pkeyutl(1) indeed appears to not implement signing and verifying with
> ed25519; this looks doable with modest effort.
>
> --
> Viktor.
>