tpm2_verifysignature man page

tpm2_verifysignature(1) — Validates a signature using the TPM.


tpm2_verifysignature [Options]


tpm2_verifysignature(1) uses loaded keys to validate a signature on a message with the message digest passed to the TPM. If the signature check succeeds, then the TPM will produce a TPMT_TK_VERIFIED. Otherwise, the TPM shall return TPM_RC_SIGNATURE. If KEY_HANDLE references an asymmetric key, only the public portion of the key needs to be loaded. If KEY_HANDLE references a symmetric key, both the public and private portions need to be loaded.


Common Options

This collection of options are common to many programs and provide information that many users may expect.

This collection of environment variables that may be used to configure the various TCTI modules available.

The values passed through these variables can be overridden on a per-command basis using the available command line options, see the TCTI_OPTIONS section.

The variables respected depend on how the software was configured.

Tcti Options

This collection of options are used to configure the varous TCTI modules available. They override any environment variables.

Password Formatting

Passwords are interpreted in two forms, string and hex-string. A string password is not interpreted, and is directly used for authorization. A hex-string, is converted from a hexidecimal form into a byte array form, thus allowing passwords with non-printable and/or terminal un-friendly characters.

By default passwords are assumed to be in the string form. Password form is specified with special prefix values, they are:

Supported Hash Algorithms

Supported hash algorithms are:

NOTE: Your TPM may not support all algorithms.

Algorithm Specfiers

Options that take algorithms support “nice-names”. Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. The nice names are converted by stripping the leading TPM_ALG_ from the Algorithm Name field and converting it to lower case. For instance TPM_ALG_SHA3_256 becomes sha3_256.

The algorithms can be found at: <>


tpm2_verifysignature -k 0x81010001 -g sha256 -m <filePath> -s <filePath> -t <filePath>
tpm2_verifysignature -k 0x81010001 -D <filePath> -s <filePath> -t <filePath>
tpm2_verifysignature -c key.context -g sha256 -m <filePath> -s <filePath> -t <filePath>


0 on success or 1 on failure.


Github Issues (


See the Mailing List (


SEPTEMBER 2017 tpm2-tools General Commands Manual