xref: /curl/docs/cmdline-opts/pinnedpubkey.md (revision 75763a3e)
1---
2c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
3SPDX-License-Identifier: curl
4Long: pinnedpubkey
5Arg: <hashes>
6Help: Public key to verify peer against
7Protocols: TLS
8Category: tls
9Added: 7.39.0
10Multi: single
11See-also:
12  - hostpubsha256
13Example:
14  - --pinnedpubkey keyfile $URL
15  - --pinnedpubkey 'sha256//ce118b51897f4452dc' $URL
16---
17
18# `--pinnedpubkey`
19
20Use the specified public key file (or hashes) to verify the peer. This can be
21a path to a file which contains a single public key in PEM or DER format, or
22any number of base64 encoded sha256 hashes preceded by 'sha256//' and
23separated by ';'.
24
25When negotiating a TLS or SSL connection, the server sends a certificate
26indicating its identity. A public key is extracted from this certificate and
27if it does not exactly match the public key provided to this option, curl
28aborts the connection before sending or receiving any data.
29
30This option is independent of option --insecure. If you use both options
31together then the peer is still verified by public key.
32
33PEM/DER support:
34
35OpenSSL and GnuTLS (added in 7.39.0), wolfSSL (added in 7.43.0), mbedTLS
36(added in 7.47.0), Secure Transport macOS 10.7+/iOS 10+ (added in 7.54.1),
37Schannel (added in 7.58.1)
38
39sha256 support:
40
41OpenSSL, GnuTLS and wolfSSL (added in 7.44.0), mbedTLS (added in 7.47.0),
42Secure Transport macOS 10.7+/iOS 10+ (added in 7.54.1), Schannel
43(added in 7.58.1)
44
45Other SSL backends not supported.
46