Sign a binary in one step
Generate the digest and sign it to produce the signature in a single command:
openssl dgst -sha256 -sign ${PRIVATE_KEY} -out ${INPUT_FILE}.sig ${INPUT_FILE}
Two steps
Sometimes it is not convenient, or not possible, to hand the complete binary to the other party for signing. The two-step approach lets one party provide only the digest of the binary for the other party to sign.
Generate digest
The digest is generated by the party that owns the input file.
openssl dgst -binary -sha256 ${INPUT_FILE} > ${INPUT_FILE}.digest
The digest file is then delivered to the other party, who generates the signature from it.
Signing the digest
openssl pkeyutl -sign -in ${INPUT_FILE}.digest -inkey ${PRIVATE_KEY} -pkeyopt digest:sha256 -out ${INPUT_FILE}.sig2
Note that -pkeyopt digest:sha256 tells pkeyutl which hash algorithm produced the digest, so that the signer encodes the digest the same way the one-step command does and the two signatures come out identical.
Verification
diff ${INPUT_FILE}.sig ${INPUT_FILE}.sig2
One could also inspect the two signature files manually as hex dumps:
xxd ${INPUT_FILE}.sig
xxd ${INPUT_FILE}.sig2
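The following script is an added example, not part of the original page: it runs the one-step and two-step flows end to end against a constructed test key and input file, checks that both produce the same signature bytes, and then performs the verification a relying party should actually do (recomputing the hash and checking the signature against the public key), including a negative check on a tampered copy. It assumes openssl is on PATH; all file names and the key pair are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes openssl is on PATH.
# Key pair, input file and all paths below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PRIVATE_KEY="$WORK/signer.key"
PUBLIC_KEY="$WORK/signer.pub"
INPUT_FILE="$WORK/firmware.bin"

# Constructed 2048-bit RSA test key pair (demo only, never reuse) and sample input.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$PRIVATE_KEY" 2>/dev/null
openssl pkey -in "$PRIVATE_KEY" -pubout -out "$PUBLIC_KEY"
printf 'constructed sample binary contents\n' > "$INPUT_FILE"

# One step: the party holding both the key and the file hashes and signs together.
sign_one_step() {
  openssl dgst -sha256 -sign "$PRIVATE_KEY" -out "$INPUT_FILE.sig" "$INPUT_FILE"
}

# Two steps, part 1: the file owner produces the raw 32-byte digest to hand over.
make_digest() {
  openssl dgst -binary -sha256 "$INPUT_FILE" > "$INPUT_FILE.digest"
}

# Two steps, part 2: the key holder signs the digest. -pkeyopt digest:sha256 makes
# pkeyutl wrap the hash in the SHA-256 DigestInfo before PKCS#1 v1.5 padding, so
# the output is byte-identical to what dgst -sign produced above.
sign_digest() {
  openssl pkeyutl -sign -in "$INPUT_FILE.digest" -inkey "$PRIVATE_KEY" \
    -pkeyopt digest:sha256 -out "$INPUT_FILE.sig2"
}

# Returns 0 when the one-step and two-step signatures are the same bytes.
signatures_match() {
  cmp -s "$INPUT_FILE.sig" "$INPUT_FILE.sig2"
}

# The check a relying party should run: recompute the hash from the file and
# verify the given signature against the public key (not against another signature).
verify_signature() {
  openssl dgst -sha256 -verify "$PUBLIC_KEY" -signature "$1" "$INPUT_FILE" >/dev/null
}

# Negative check: a file modified after signing must fail verification.
tampered_fails() {
  cp "$INPUT_FILE" "$INPUT_FILE.tampered"
  printf 'x' >> "$INPUT_FILE.tampered"
  ! openssl dgst -sha256 -verify "$PUBLIC_KEY" -signature "$INPUT_FILE.sig" \
      "$INPUT_FILE.tampered" >/dev/null 2>&1
}

sign_one_step
make_digest
sign_digest
signatures_match && echo "one-step and two-step signatures are identical"
verify_signature "$INPUT_FILE.sig"  && echo "sig verifies against the public key"
verify_signature "$INPUT_FILE.sig2" && echo "sig2 verifies against the public key"
tampered_fails && echo "tampered file correctly rejected"
```

The byte-for-byte diff in the page works because RSA PKCS#1 v1.5 signatures are deterministic. With an EC key the same two commands produce ECDSA signatures that contain a fresh random nonce on every run, so .sig and .sig2 will differ even though both are valid; in that case the openssl dgst -verify check above is the comparison to rely on. The tampered-file check is there because comparing two signatures to each other says nothing about whether either one matches the binary a recipient actually received.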