# sign stdin
#
# outputs signature to stdout
ssh-keygen -Y sign \
    -n <namespace> \            # namespace to constrain the signature to
    -f <ssh key>                # path to the private key to sign stdin with


# sign files
#
# generates <file1>.sig <file2>.sig <file...>.sig
ssh-keygen -Y sign \
    -n <namespace> \            # namespace to constrain the signature to
    -f <ssh key> \              # path to the private key to sign the files with
    <file1> <file2> <file...>   # list of files to sign


# check signature
#
# <signed data> in stdin (use cat, echo or just write + CTRL-D)
#
# note that although this is called "check-novalidate" it still checks the signature
# the "validate" part refers to advanced usage to validate on a list of allowed signers,
# revocation lists, etc.
ssh-keygen -Y check-novalidate \
    -n <namespace> \            # namespace the signature was generated in
    -f <public key> \           # path to the public key to validate the signature with
    -s <signature>              # path to the .sig signature file