p If no command line arguments were specified, .Nm will resort to default operation, implying .Fl D Fl o Ar /etc/signatures Fl t Ar sha256 .
p If the output file already exists, .Nm will save a backup copy in the same file only with a .Dq .old suffix.
p The following options are available: l -tag -width ".Fl p Ar prefix" t Fl A Append to the output file, don't overwrite it. t Fl a Add fingerprints for non-executable files as well. t Fl D Search system directories,
a /bin ,
a /sbin ,
a /lib ,
a /libexec , and
a /usr/libexec .
t Fl d Ar dir Scan for files in
.Ar dir .
Multiple uses of this flag can specify more than one directory.
 .It Fl F
 Try to guess the correct flags for every file.
t Fl h Display the help screen.
t Fl o Ar fingerprintdb Save the generated fingerprint database to
.Ar fingerprintdb .
t Fl p Ar prefix When storing files in the fingerprint database,
store the full pathnames of files with the leading
.Dq prefix
of the filenames removed.
t Fl r Scan recursively.
t Fl S Set the immutable flag on the created signatures file when done writing it.
t Fl T Put a timestamp on the generated file.
t Fl t Ar algorithm Use
.Ar algorithm
for the fingerprints.
Must be one of
.Dq sha256 ,
.Dq sha384 ,
or
.Dq sha512 .
t Fl v Verbose mode.
Print messages describing what operations are being done.
t Fl W By default,
.Nm
will exit when an error condition is encountered.
This option will
treat errors such as not being able to follow a symbolic link,
not being able to find the real path for a directory entry, or
not being able to calculate a hash of an entry as a warning,
rather than an error.
If errors are treated as warnings,
.Nm
will continue processing.
The default behaviour is to treat errors as fatal.
.El
.Sh FILES
a /etc/signatures .Sh EXAMPLES Fingerprint files in the common system directories using the default hashing algorithm .Dq sha256 and save to the default fingerprint database in
a /etc/signatures : d -literal -offset indent # veriexecgen .Ed
p Fingerprint files in
a /etc , appending to the default fingerprint database: d -literal -offset indent # veriexecgen -A -a -d /etc .Ed
p Fingerprint files in
a /path/to/somewhere using .Dq sha512 as the hashing algorithm, saving to
a /etc/somewhere.fp : d -literal -offset indent # veriexecgen -d /path/to/somewhere -t sha512 -o /etc/somewhere.fp .Ed .Sh SEE ALSO .Xr veriexec 4 , .Xr veriexec 5 , .Xr security 7 , .Xr veriexec 8 , .Xr veriexecctl 8