I have to correct myself: in `master` (and very soon in the 3.0.0 alpha1 release) `pkeyutl` already has support for signing/verifying files with Ed25519 keys.
```
λ /tmp/test25519/ ### Ensure OpenSSL dev build is in use for this shell
λ /tmp/test25519/ which openssl ; openssl version
/opt/openssl-master/bin/openssl
OpenSSL 3.0.0-dev xx XXX xxxx (Library: OpenSSL 3.0.0-dev xx XXX xxxx)
λ /tmp/test25519/ ### Generate Ed25519 private key
λ /tmp/test25519/ openssl genpkey -algorithm Ed25519 -out priv.pem
λ /tmp/test25519/ ### Extract pub key from private key
λ /tmp/test25519/ openssl pkey -in priv.pem -pubout -out pub.pem
λ /tmp/test25519/ ###
λ /tmp/test25519/ ### Up to this point all the commands were compatible
λ /tmp/test25519/ ### with OpenSSL 1.1.1 releases, the next one is the
λ /tmp/test25519/ ### one that requires OpenSSL 3.0.0-dev as `pkeyutl`
λ /tmp/test25519/ ### now has support for `-rawin` which is required
λ /tmp/test25519/ ### for signing/verifying files with Ed25519 keys.
λ /tmp/test25519/ ###
λ /tmp/test25519/ ### Generate a signature `sig.dat` for the file
λ /tmp/test25519/ ### `/bin/ls` using the private Ed25519 key `priv.pem`.
λ /tmp/test25519/ openssl pkeyutl -sign -inkey priv.pem -out sig.dat \
-rawin -in /bin/ls
λ /tmp/test25519/ ### Verify the file `/bin/ls` against a signature
λ /tmp/test25519/ ### `sig.dat` under the public Ed25519 key `pub.pem`.
λ /tmp/test25519/ ### Success is expected.
λ /tmp/test25519/ openssl pkeyutl -verify -pubin -inkey pub.pem \
-rawin -in /bin/ls -sigfile sig.dat
Signature Verified Successfully
λ /tmp/test25519/ ### Verify the file `/bin/echo` against a signature
λ /tmp/test25519/ ### `sig.dat` under the public Ed25519 key `pub.pem`.
λ /tmp/test25519/ ### Failure is expected.
λ /tmp/test25519/ openssl pkeyutl -verify -pubin -inkey pub.pem \
-rawin -in /bin/echo -sigfile sig.dat
Signature Verification Failure
```
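The same sign/verify flow as the transcript above, as an added example that is not part of the original mail or of OpenSSL: Go's standard-library `crypto/ed25519` implements pure Ed25519 (no prehash), and `crypto/x509` reads and writes the PKCS#8 `PRIVATE KEY` and SubjectPublicKeyInfo `PUBLIC KEY` PEM files that `openssl genpkey` and `openssl pkey -pubout` produce, so `SignRaw`/`VerifyRaw` correspond to `pkeyutl -sign -rawin` and `pkeyutl -verify -rawin -sigfile`. The seed-based key generation and the function names are this example's own choices, not OpenSSL API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/x509"
	"encoding/pem"
	"errors"
)

// KeyPairPEM mirrors `openssl genpkey -algorithm Ed25519` + `openssl pkey -pubout`:
// PKCS#8 and SubjectPublicKeyInfo PEM from a 32-byte seed (use crypto/rand for real keys).
func KeyPairPEM(seed []byte) (privPEM, pubPEM []byte, err error) {
	priv := ed25519.NewKeyFromSeed(seed) // panics unless len(seed) == 32
	privDER, err1 := x509.MarshalPKCS8PrivateKey(priv)
	pubDER, err2 := x509.MarshalPKIXPublicKey(priv.Public())
	if err1 != nil || err2 != nil {
		return nil, nil, errors.New("DER encoding of the Ed25519 key failed")
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privDER}),
		pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER}), nil
}

func loadKey(pemBytes []byte) (interface{}, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if block.Type == "PRIVATE KEY" { // PKCS#8, as written by genpkey
		return x509.ParsePKCS8PrivateKey(block.Bytes)
	}
	return x509.ParsePKIXPublicKey(block.Bytes) // "PUBLIC KEY", as written by -pubout
}

// SignRaw is `openssl pkeyutl -sign -rawin`: pure Ed25519 does no prehash, the whole file is the message.
func SignRaw(privPEM, msg []byte) ([]byte, error) {
	k, err := loadKey(privPEM)
	if priv, ok := k.(ed25519.PrivateKey); ok && err == nil {
		return ed25519.Sign(priv, msg), nil // 64 bytes: the content of sig.dat
	}
	return nil, errors.New("not an Ed25519 private key")
}

// VerifyRaw is `openssl pkeyutl -verify -pubin -rawin -sigfile`.
func VerifyRaw(pubPEM, msg, sig []byte) (bool, error) {
	k, err := loadKey(pubPEM)
	if pub, ok := k.(ed25519.PublicKey); ok && err == nil {
		return ed25519.Verify(pub, msg, sig), nil
	}
	return false, errors.New("not an Ed25519 public key")
}
```

Because the keys are the same PKCS#8/SPKI encodings, a `sig.dat` written by `SignRaw` verifies with the `openssl pkeyutl -verify -rawin` command from the transcript, and vice versa.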
On Wed, Apr 22, 2020, 19:12 Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
On Wed, Apr 22, 2020 at 01:27:03PM +0200, Nicola Tuveri wrote:
> Unfortunately at the moment the command line utilities do not support
> generating Ed25519 or Ed448 signatures for files.
>
> The reason is that in OpenSSL at the moment we only support pureEd25519,
> which does not prehash the "message" to be signed, as Viktor mentioned
> before.
Which means no support in dgst(1), but that manpage suggests pkeyutl(1),
which e.g. for RSA supports signing raw (unhashed) input, but sadly the
EVP_PKEY_METHOD for ed25519 has a NULL sign() member; instead, somewhat
ironically, it has a digestsign() method. This is presumably to
distinguish between the pure and prehash variants. Therefore, presently
pkeyutl(1) indeed appears to not implement signing and verifying with
ed25519; this looks doable with modest effort.
--
Viktor.