jose/doc/man/jose-jws-sig.1.adoc

jose-jws-sig(1)
===============
:doctype: manpage

== NAME

jose-jws-sig - Signs a payload using one or more JWKs

== SYNOPSIS

*jose jws sig* [-i JWS] [-I PAY] [-s SIG] -k JWK [-o JWS] [-O PAY] [-c]

== OVERVIEW

The *jose jws sig* command signs a payload using one or more JWKs. The payload
can be provided either in its decoded form (*-I*) or embedded in an existing
JWS (*-i*).

A detached JWS can be created by specifying the *-O* option. In this case,
the decoded payload will be written to the output specified and will not be
included in the JWS.

If only one key is used (*-k*), the resulting JWS may be output in JWS Compact
Serialization by using the *-c* option.

This command uses a template based approach for constructing a JWS. You can
specify templates of the JWS itself (*-i*) or for the JWS Signature Object
(*-r*). Attributes specified in either of these templates will appear
unmodified in the output. One exception to this rule is that the JWS Protected
Header should be specified in its decoded form in the JWS Signature Object
template. This command will automatically encode it as part of the encryption
process.

If you specify a JOSE Header Parameter (via either the *-i* or *-r* options)
that affects the construction of the JWE, this command will attempt to behave
according to this parameter as if it were configuration. Currently, *jose* will
modify its behavior for the "alg" JOSE Header Parameter (see RFC 7515 Section
4.1.1).

However, it is not necessary to provide any templates: *jose jwe enc* will
automatically fill in the "alg" parameter by inferring the correct algorithm
from the provided input JWKs. Therefore, the *-i* and *-r* options should
generally be used for providing extended JWE metadata.

It is possible to specify an existing JWS as the JWS template input (*-i*).
This allows the addition of new signatures to an existing JWS.

== OPTIONS

* *-i* _JSON_,  *--input*=_JSON_ :
  Parse JWS template from JSON

* *-i* _FILE_,  *--input*=_FILE_ :
  Read JWS template from FILE

* *-i* -, *--input*=- :
  Read JWS template from standard input

* *-I* _FILE_, *--detached*=_FILE_ :
  Read decoded payload from FILE

* *-I* -, *--detached*=- :
  Read decoded payload from standard input

* *-s* _JSON_, *--signature*=_JSON_ :
  Parse JWS signature template from JSON

* *-s* _FILE_, *--signature*=_FILE_ :
  Read JWS signature template from FILE

* *-s* -, *--signature*=- :
  Read JWS signature template standard input

* *-k* _FILE_, *--key*=_FILE_ :
  Read JWK(Set) from FILE

* *-k* -, *--key*=- :
  Read JWK(Set) from standard input

* *-o* _FILE_, *--output*=_FILE_ :
  Write JWS to FILE

* *-o* -, *--output*=- :
  Write JWS to stdout (default)

* *-O* _FILE_, *--detach*=_FILE_ :
  Detach payload and decode to FILE

* *-O* -, *--detach*=- :
  Detach payload and decode to standard output

* *-c*, *--compact* :
  Output JWS using compact serialization

== EXAMPLES

Sign data with a symmetric key using JWE JSON Serialization:

    $ jose jwk gen -i '{"alg":"HS256"}' -o key.jwk
    $ jose jws sig -I msg.txt -k key.jwk -o msg.jws

Sign data using detached JWE Compact Serialization:

    $ jose jws sig -I msg.txt -k key.jwk -O /dev/null -c -o msg.jws

Sign with two keys:

    $ jose jwk gen -i '{"alg":"ES256"}' -o ec.jwk
    $ jose jwk gen -i '{"alg":"RS256"}' -o rsa.jwk
    $ jose jws sig -I msg.txt -k ec.jwk -k rsa.jwk -o msg.jws

== AUTHOR

Nathaniel McCallum <npmccallum@redhat.com>

== SEE ALSO

link:jose-jws-sig.1.adoc[*jose-jws-sig*(1)],
link:jose-jws-ver.1.adoc[*jose-jws-ver*(1)]