Pandy's Blog

Pandy Song

Signing a binary in one step or in two steps

Sign a binary in one step

Generate the digest and sign it to obtain the signature in a single command:

openssl dgst -sha256 -sign ${PRIVATE_KEY} -out ${INPUT_FILE}.sig ${INPUT_FILE}

Two steps

Sometimes it is not convenient, or not possible, to hand the complete binary to the other party for signing. The two-step flow lets one party provide only the digest of the binary for the other party to sign.


Generate the digest

The digest is generated by the party who owns the input file.

openssl dgst -binary -sha256 ${INPUT_FILE} > ${INPUT_FILE}.digest

The digest file can then be delivered to the other party, who generates the signature.


Sign the digest

openssl pkeyutl -sign -in ${INPUT_FILE}.digest -inkey ${PRIVATE_KEY} -pkeyopt digest:sha256 -out ${INPUT_FILE}.sig2

Note that -pkeyopt digest:sha256 tells openssl how the digest was generated (which hash algorithm was used).


Verification

diff ${INPUT_FILE}.sig ${INPUT_FILE}.sig2

One could also inspect the two signature files manually:

xxd ${INPUT_FILE}.sig
xxd ${INPUT_FILE}.sig2
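The whole two-step flow and its verification, run side by side with the one-step command, as an added example that is not part of the original post: it also shows what happens when -pkeyopt digest:sha256 is left out, and checks each signature with the public key rather than only by diffing. The key pair, the sample input file and all paths are constructed in a temporary directory; it assumes only that openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): run the one-step and two-step
# signing flows side by side and confirm they yield the same RSA signature.
# Assumes openssl is on PATH; key, input file and paths are constructed here.
set -eu
WORK=$(mktemp -d)
PRIVATE_KEY="$WORK/key.pem"      # constructed throwaway key, not a real one
PUBLIC_KEY="$WORK/key.pub"
INPUT_FILE="$WORK/firmware.bin"  # constructed sample "binary"

setup() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$PRIVATE_KEY" 2>/dev/null
    openssl pkey -in "$PRIVATE_KEY" -pubout -out "$PUBLIC_KEY"
    head -c 4096 /dev/urandom > "$INPUT_FILE"
}

# One step: openssl hashes the whole file and signs the digest internally.
sign_one_step() {
    openssl dgst -sha256 -sign "$PRIVATE_KEY" -out "$INPUT_FILE.sig" "$INPUT_FILE"
}

# Two steps: the file owner emits only the raw 32-byte digest (step 1), and
# the key holder signs that digest without ever seeing the file (step 2).
sign_two_steps() {
    openssl dgst -binary -sha256 "$INPUT_FILE" > "$INPUT_FILE.digest"
    openssl pkeyutl -sign -in "$INPUT_FILE.digest" -inkey "$PRIVATE_KEY" \
        -pkeyopt digest:sha256 -out "$INPUT_FILE.sig2"
}

# Misconfiguration: signing the digest without -pkeyopt digest:sha256. pkeyutl
# then pads the raw bytes with no DigestInfo, so the result differs and does
# not verify as a SHA-256 signature of the file.
sign_digest_without_pkeyopt() {
    openssl pkeyutl -sign -in "$INPUT_FILE.digest" -inkey "$PRIVATE_KEY" \
        -out "$INPUT_FILE.sig3"
}

# 0 when the two signature files are byte-identical. RSA PKCS#1 v1.5 signing is
# deterministic, so the diff check in the post is meaningful for RSA keys.
signatures_match() { cmp -s "$1" "$2"; }

# 0 when the signature verifies against the public key and the file. Use this
# for randomized schemes such as ECDSA, where two valid signatures of the same
# file differ byte-for-byte and a diff would always report a mismatch.
verify_signature() {
    openssl dgst -sha256 -verify "$PUBLIC_KEY" -signature "$1" "$INPUT_FILE" >/dev/null 2>&1
}

setup; sign_one_step; sign_two_steps; sign_digest_without_pkeyopt
signatures_match "$INPUT_FILE.sig" "$INPUT_FILE.sig2" && echo "sig == sig2"
verify_signature "$INPUT_FILE.sig3" || echo "sig3 (no -pkeyopt) does not verify"
```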