---
c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
Long: pinnedpubkey
Arg: <hashes>
Help: Public key to verify peer against
Protocols: TLS
Category: tls
Added: 7.39.0
Multi: single
See-also:
  - hostpubsha256
Example:
  - --pinnedpubkey keyfile $URL
  - --pinnedpubkey 'sha256//ce118b51897f4452dc' $URL
---

# `--pinnedpubkey`

Use the specified public key file (or hashes) to verify the peer. This can be
a path to a file which contains a single public key in PEM or DER format, or
any number of base64 encoded sha256 hashes preceded by 'sha256//' and
separated by ';'.

When negotiating a TLS or SSL connection, the server sends a certificate
indicating its identity. A public key is extracted from this certificate and
if it does not exactly match the public key provided to this option, curl
aborts the connection before sending or receiving any data.

This option is independent of option --insecure. If you use both options
together then the peer is still verified by public key.

PEM/DER support:

OpenSSL and GnuTLS (added in 7.39.0), wolfSSL (added in 7.43.0), mbedTLS
(added in 7.47.0), Secure Transport macOS 10.7+/iOS 10+ (added in 7.54.1),
Schannel (added in 7.58.1)

sha256 support:

OpenSSL, GnuTLS and wolfSSL (added in 7.44.0), mbedTLS (added in 7.47.0),
Secure Transport macOS 10.7+/iOS 10+ (added in 7.54.1), Schannel
(added in 7.58.1)

Other SSL backends not supported.
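
The following is an added example, not code from curl: it shows how a `sha256//` value relates to a public key (the base64 of the SHA-256 of the DER-encoded public key, its SubjectPublicKeyInfo) and how a ';'-separated list accepts a peer whose key matches any one entry. The function names are hypothetical and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import hmac

PREFIX = "sha256//"

def pem_to_der(pem: str) -> bytes:
    """Decode one 'PUBLIC KEY' PEM block to DER (SubjectPublicKeyInfo)."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("expected a single PEM public key")
    return base64.b64decode("".join(lines[1:-1]), validate=True)

def spki_pin(spki_der: bytes) -> str:
    """Hash a DER public key into the 'sha256//<base64>' form."""
    return PREFIX + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pin_matches(pinned: str, peer_spki_der: bytes) -> bool:
    """True if any pin in the ';'-separated list equals the peer key's hash."""
    peer = hashlib.sha256(peer_spki_der).digest()
    matched = False
    for entry in filter(None, (e.strip() for e in pinned.split(";"))):
        if not entry.startswith(PREFIX):
            raise ValueError(f"not a sha256// pin: {entry!r}")
        want = base64.b64decode(entry[len(PREFIX):], validate=True)
        matched |= hmac.compare_digest(want, peer)  # constant-time compare
    return matched

# Constructed sample keys: the Ed25519 SubjectPublicKeyInfo header followed by
# made-up key bytes. They are not real keys for any host.
ED25519_HDR = bytes.fromhex("302a300506032b6570032100")
SERVER_KEY = ED25519_HDR + bytes(range(32))
BACKUP_KEY = ED25519_HDR + bytes(range(32, 64))
OTHER_KEY = ED25519_HDR + bytes(range(64, 96))
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.b64encode(SERVER_KEY).decode()
              + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    # Pin the current key plus a backup key so rotation does not break clients.
    pins = ";".join(spki_pin(k) for k in (pem_to_der(SAMPLE_PEM), BACKUP_KEY))
    print("--pinnedpubkey", repr(pins))
    print("server key accepted:", pin_matches(pins, SERVER_KEY))
    print("other key accepted: ", pin_matches(pins, OTHER_KEY))
```

Because the pin covers only the public key, a renewed certificate that reuses the same key pair still matches, while a certificate issued for a different key does not.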