libsignify_rs/

signify.rs

//
// signify-rs: cryptographically sign and verify files
// lib/src/signify.rs: Configuration and Mode definitions
//
// Copyright (c) 2025, 2026 Ali Polatel <alip@chesswob.org>
// SPDX-License-Identifier: ISC
//

use crate::crypto;
use crate::error::{Error, Result};
use crate::file::open;
use crate::ops::{check_checksums, KeyGenerator, Signer, Verifier};
use std::borrow::Cow;
use std::fs::File;
use std::path::PathBuf;

/// Operation mode.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Mode {
    /// Check signatures.
    Check,
    /// Generate key pair.
    Generate,
    /// Sign a file.
    Sign,
    /// Verify a signature.
    Verify,
}

/// Runtime configuration.
///
/// This struct holds all configuration options parsed from command-line arguments
/// or set programmatically.
///
/// # Examples
///
/// ```
/// use libsignify_rs::signify::{Signify, Mode};
/// use std::path::PathBuf;
///
/// let mut signify = Signify::default();
/// signify.mode = Some(Mode::Sign);
/// signify.seckey = Some(PathBuf::from("key.sec"));
/// signify.embed = true;
///
/// assert_eq!(signify.mode, Some(Mode::Sign));
/// assert!(signify.embed);
/// ```
#[derive(Default, Debug)]
pub struct Signify {
    /// Operation mode.
    pub mode: Option<Mode>,
    /// Comment for key generation.
    pub comment: Option<String>,
    /// Embedding mode flag.
    pub embed: bool,
    /// Message file path.
    pub msg_file: Option<PathBuf>,
    /// No password flag.
    pub nopass: bool,
    /// Public key path.
    pub pubkey: Option<PathBuf>,
    /// Quiet mode flag.
    pub quiet: bool,
    /// Secret key path.
    pub seckey: Option<PathBuf>,
    /// Signature file path.
    pub sig_file: Option<PathBuf>,
    /// Gzip mode flag.
    pub gzip: bool,
    /// Key ID for keyring lookup.
    pub key_id: Option<i32>,
    /// Positional arguments.
    pub args: Vec<PathBuf>,

    // Pre-opened file handles
    /// Public key file handle.
    pub pubkey_file_handle: Option<File>,
    /// Secret key file handle.
    pub seckey_file_handle: Option<File>,
    /// Message file handle.
    pub msg_file_handle: Option<File>,
    /// Signature file handle.
    pub sig_file_handle: Option<File>,
    /// TTY file handle for password Prompt.
    pub tty_file_handle: Option<File>,
}

impl Signify {
    /// Execute the requested operation based on configuration.
    ///
    /// # Errors
    /// Returns errors if the operation fails or arguments are missing.
    pub fn execute(&mut self) -> Result<()> {
        match self.mode {
            Some(Mode::Generate) => self.execute_generate(),
            Some(Mode::Sign) => self.execute_sign(),
            Some(Mode::Verify) => self.execute_verify(),
            Some(Mode::Check) => self.execute_check(),
            None => Err(Error::MissingMode),
        }
    }

    /// Sandbox the binary depending on the requested operation.
    ///
    /// Call this before calling `execute`.
    pub fn sandbox(&self) -> Result<()> {
        match self.mode {
            Some(Mode::Generate) => self.sandbox_generate(),
            Some(Mode::Sign) => self.sandbox_sign(),
            Some(Mode::Verify) => self.sandbox_verify(),
            Some(Mode::Check) => self.sandbox_check(),
            None => Err(Error::MissingMode),
        }
    }

    /// Validate required arguments before preopen/sandbox.
    ///
    /// Call this before calling `preopen` to catch missing arguments early.
    pub fn validate(&self) -> Result<()> {
        match self.mode {
            Some(Mode::Generate) => self.validate_generate(),
            Some(Mode::Sign) => self.validate_sign(),
            Some(Mode::Verify) => self.validate_verify(),
            Some(Mode::Check) => self.validate_check(),
            None => Err(Error::MissingMode),
        }
    }

    /// Pre-open files before sandboxing.
    pub fn preopen(&mut self) -> Result<()> {
        match self.mode {
            Some(Mode::Generate) => self.preopen_generate(),
            Some(Mode::Sign) => self.preopen_sign(),
            Some(Mode::Verify) => self.preopen_verify(),
            Some(Mode::Check) => self.preopen_check(),
            None => Err(Error::MissingMode),
        }
    }

    fn execute_generate(&mut self) -> Result<()> {
        let pubkey_path = self.pubkey.as_ref().ok_or(Error::RequiredArg("-p"))?;
        let seckey_path = self.seckey.as_ref().ok_or(Error::RequiredArg("-s"))?;

        let rounds = if self.nopass {
            0
        } else {
            crypto::DEFAULT_ROUNDS
        };
        let comment = self.comment.as_deref().unwrap_or("signify");

        let mut generator = KeyGenerator::new().rounds(rounds).comment(comment);
        if let Some(id) = self.key_id {
            generator = generator.key_id(id);
        }
        if let Some(tty) = self.tty_file_handle.take() {
            generator = generator.tty_handle(tty);
        }
        // Use generate_io if handles are available.
        if let (Some(pub_file), Some(sec_file)) = (
            self.pubkey_file_handle.take(),
            self.seckey_file_handle.take(),
        ) {
            generator.generate_io(pub_file, sec_file)
        } else {
            generator.generate(pubkey_path, seckey_path)
        }
    }

    fn execute_sign(&mut self) -> Result<()> {
        let seckey_path = self.seckey.as_ref().ok_or(Error::RequiredArg("-s"))?;
        let msg_path = self.msg_file.as_ref().ok_or(Error::RequiredArg("-m"))?;
        let sig_path = if let Some(sig_file) = self.sig_file.as_ref() {
            Cow::Borrowed(sig_file)
        } else {
            let mut sig_file = msg_path.as_os_str().to_os_string();
            sig_file.push(".sig");
            Cow::Owned(sig_file.into())
        };

        let mut signer = Signer::new()
            .seckey(seckey_path)
            .embed(self.embed)
            .gzip(self.gzip);
        if let Some(id) = self.key_id {
            signer = signer.key_id(id);
        }
        if let Some(tty) = self.tty_file_handle.take() {
            signer = signer.tty_handle(tty);
        }

        signer.sign_io(
            msg_path,
            &sig_path,
            self.msg_file_handle.take(),
            self.sig_file_handle.take(),
            self.seckey_file_handle.take(),
        )
    }

    fn execute_verify(&mut self) -> Result<()> {
        let (msg_path, sig_path) = self.resolve_verify_paths()?;

        let pubkey_path = match &self.pubkey {
            Some(p) => p,
            None => return Err(Error::RequiredArg("-p")),
        };

        let verifier = Verifier::new()
            .quiet(self.quiet)
            .embed(self.embed)
            .gzip(self.gzip)
            .pubkey(pubkey_path);

        verifier.verify_io(
            &msg_path,
            &sig_path,
            self.msg_file_handle.take(),
            self.sig_file_handle.take(),
            self.pubkey_file_handle.take(),
        )
    }

    fn execute_check(&mut self) -> Result<()> {
        // Public key is required (no autolocate).
        let pubkey_path = self.pubkey.as_ref().ok_or(Error::RequiredArg("-p"))?;
        let sig_path = self
            .sig_file
            .as_ref()
            .or_else(|| self.args.first())
            .ok_or(Error::RequiredArg("-x"))?;

        check_checksums(
            Some(pubkey_path),
            sig_path,
            self.sig_file_handle.take(),
            self.quiet,
        )
    }

    fn sandbox_generate(&self) -> Result<()> {
        #[cfg(target_os = "freebsd")]
        {
            return self.sandbox_generate_freebsd();
        }

        #[cfg(target_os = "netbsd")]
        {
            return self.sandbox_generate_netbsd();
        }

        #[cfg(target_os = "openbsd")]
        {
            return self.sandbox_generate_openbsd();
        }

        #[cfg(any(target_os = "linux", target_os = "android"))]
        {
            return self.sandbox_generate_linux();
        }

        #[allow(unreachable_code)]
        Ok(())
    }

    fn sandbox_sign(&self) -> Result<()> {
        #[cfg(target_os = "freebsd")]
        {
            return self.sandbox_sign_freebsd();
        }

        #[cfg(target_os = "netbsd")]
        {
            return self.sandbox_sign_netbsd();
        }

        #[cfg(target_os = "openbsd")]
        {
            return self.sandbox_sign_openbsd();
        }

        #[cfg(any(target_os = "linux", target_os = "android"))]
        {
            return self.sandbox_sign_linux();
        }

        #[allow(unreachable_code)]
        Ok(())
    }

    fn sandbox_verify(&self) -> Result<()> {
        #[cfg(target_os = "freebsd")]
        {
            return self.sandbox_verify_freebsd();
        }

        #[cfg(target_os = "netbsd")]
        {
            return self.sandbox_verify_netbsd();
        }

        #[cfg(target_os = "openbsd")]
        {
            return self.sandbox_verify_openbsd();
        }

        #[cfg(any(target_os = "linux", target_os = "android"))]
        {
            return self.sandbox_verify_linux();
        }

        #[allow(unreachable_code)]
        Ok(())
    }

    fn sandbox_check(&self) -> Result<()> {
        #[cfg(target_os = "freebsd")]
        {
            return self.sandbox_check_freebsd();
        }

        #[cfg(target_os = "netbsd")]
        {
            return self.sandbox_check_netbsd();
        }

        #[cfg(target_os = "openbsd")]
        {
            return self.sandbox_check_openbsd();
        }

        #[cfg(any(target_os = "linux", target_os = "android"))]
        {
            return self.sandbox_check_linux();
        }

        #[allow(unreachable_code)]
        Ok(())
    }

    #[cfg(target_os = "freebsd")]
    fn sandbox_generate_freebsd(&self) -> Result<()> {
        use capsicum::{enter, CapRights, FileRights, Right};

        // Confine resource limits.
        Self::sandbox_rlimit_bsd(true)?;

        // Confine using Capsicum.
        // Generate writes to pubkey and seckey.
        let mut rights = FileRights::new();
        rights.allow(Right::Write);
        rights.allow(Right::Seek);
        rights.allow(Right::Fstat);

        if let Some(f) = &self.pubkey_file_handle {
            rights.limit(f).map_err(Error::Capsicum)?;
        }
        if let Some(f) = &self.seckey_file_handle {
            rights.limit(f).map_err(Error::Capsicum)?;
        }

        if let Some(f) = &self.tty_file_handle {
            let mut tty_rights = FileRights::new();
            tty_rights.allow(Right::Read);
            tty_rights.allow(Right::Write);
            tty_rights.allow(Right::Ioctl);
            tty_rights.limit(f).map_err(Error::Capsicum)?;
        }

        // Enter capability mode.
        enter().map_err(Error::Capsicum)?;

        Ok(())
    }

    #[cfg(target_os = "freebsd")]
    fn sandbox_sign_freebsd(&self) -> Result<()> {
        use capsicum::{enter, CapRights, FileRights, Right};

        // Confine resource limits.
        Self::sandbox_rlimit_bsd(true)?;

        // Confine using Capsicum.
        let mut r_rights = FileRights::new();
        r_rights.allow(Right::Read);
        r_rights.allow(Right::Seek);
        r_rights.allow(Right::Fstat);

        let mut w_rights = FileRights::new();
        w_rights.allow(Right::Write);
        w_rights.allow(Right::Seek);
        w_rights.allow(Right::Fstat);

        if let Some(f) = &self.seckey_file_handle {
            r_rights.limit(f).map_err(Error::Capsicum)?;
        }
        if let Some(f) = &self.msg_file_handle {
            r_rights.limit(f).map_err(Error::Capsicum)?;
        }

        // sig file is output.
        if let Some(f) = &self.sig_file_handle {
            w_rights.limit(f).map_err(Error::Capsicum)?;
        }

        if let Some(f) = &self.tty_file_handle {
            let mut tty_rights = FileRights::new();
            tty_rights.allow(Right::Read);
            tty_rights.allow(Right::Write);
            tty_rights.allow(Right::Ioctl);
            tty_rights.limit(f).map_err(Error::Capsicum)?;
        }

        // Enter capability mode.
        enter().map_err(Error::Capsicum)?;

        Ok(())
    }

    #[cfg(target_os = "freebsd")]
    fn sandbox_verify_freebsd(&self) -> Result<()> {
        use capsicum::{enter, CapRights, FileRights, Right};

        // Confine resource limits.
        Self::sandbox_rlimit_bsd(true)?;

        // Confine using Capsicum.
        let mut r_rights = FileRights::new();
        r_rights.allow(Right::Read);
        r_rights.allow(Right::Seek);
        r_rights.allow(Right::Fstat);

        if let Some(f) = &self.pubkey_file_handle {
            r_rights.limit(f).map_err(Error::Capsicum)?;
        }

        // In verify, msg_file could be input or output (if embed/gzip extraction).
        // sig_file is input.
        if let Some(f) = &self.sig_file_handle {
            r_rights.limit(f).map_err(Error::Capsicum)?;
        }

        if let Some(f) = &self.msg_file_handle {
            if self.embed || self.gzip {
                let mut w_rights = FileRights::new();
                w_rights.allow(Right::Write);
                w_rights.allow(Right::Seek);
                w_rights.allow(Right::Fstat);
                w_rights.limit(f).map_err(Error::Capsicum)?;
            } else {
                r_rights.limit(f).map_err(Error::Capsicum)?;
            }
        }

        // Enter capability mode.
        enter().map_err(Error::Capsicum)?;

        Ok(())
    }

    #[cfg(target_os = "freebsd")]
    fn sandbox_check_freebsd(&self) -> Result<()> {
        // Confine resource limits.
        Self::sandbox_rlimit_bsd(false)?;

        // TODO: Opening multiple files from a list in strict capability mode requires work.
        Ok(())
    }

    #[cfg(target_os = "netbsd")]
    fn sandbox_generate_netbsd(&self) -> Result<()> {
        // Confine resource limits.
        Self::sandbox_rlimit_bsd(true)?;

        Ok(())
    }

    #[cfg(target_os = "netbsd")]
    fn sandbox_sign_netbsd(&self) -> Result<()> {
        // Confine resource limits.
        Self::sandbox_rlimit_bsd(true)?;

        Ok(())
    }

    #[cfg(target_os = "netbsd")]
    fn sandbox_verify_netbsd(&self) -> Result<()> {
        // Confine resource limits.
        Self::sandbox_rlimit_bsd(true)?;

        Ok(())
    }

    #[cfg(target_os = "netbsd")]
    fn sandbox_check_netbsd(&self) -> Result<()> {
        // Confine resource limits.
        Self::sandbox_rlimit_bsd(false)?;

        Ok(())
    }

    #[cfg(target_os = "openbsd")]
    fn sandbox_generate_openbsd(&self) -> Result<()> {
        use pledge::pledge;
        use unveil::unveil;

        // Confine resource limits.
        Self::sandbox_rlimit_bsd(true)?;

        // Confine using unveil(2).
        unveil("/dev/tty", "rw")?;
        unveil("", "")?;

        // Confine using pledge(2).
        pledge("stdio tty", None)?;

        Ok(())
    }

    #[cfg(target_os = "openbsd")]
    fn sandbox_sign_openbsd(&self) -> Result<()> {
        use pledge::pledge;
        use unveil::unveil;

        // Confine resource limits.
        Self::sandbox_rlimit_bsd(true)?;

        // Confine using unveil(2).
        unveil("/dev/tty", "rw")?;
        unveil("", "")?;

        // Confine using pledge(2).
        pledge("stdio tty", None)?;

        Ok(())
    }

    #[cfg(target_os = "openbsd")]
    fn sandbox_verify_openbsd(&self) -> Result<()> {
        use pledge::pledge;
        use unveil::unveil;

        // Confine resource limits.
        Self::sandbox_rlimit_bsd(true)?;

        // Confine using unveil(2).
        unveil("", "")?;

        // Confine using pledge(2).
        pledge("stdio", None)?;

        Ok(())
    }

    #[cfg(target_os = "openbsd")]
    fn sandbox_check_openbsd(&self) -> Result<()> {
        use pledge::pledge;
        use unveil::unveil;

        // Confine resource limits.
        Self::sandbox_rlimit_bsd(false)?;

        // Confine using unveil(2).
        unveil("/", "r")?;
        unveil("", "")?;

        // Confine using pledge(2).
        pledge("stdio rpath", None)?;

        Ok(())
    }

    #[cfg(any(target_os = "freebsd", target_os = "netbsd", target_os = "openbsd"))]
    fn sandbox_rlimit_bsd(create: bool) -> Result<()> {
        use nix::sys::resource::{setrlimit, Resource};

        // Set nprocs and filesize rlimits to zero.
        // Set memory lock and msgqueue rlimits to zero.
        // Set core dump file size to zero.
        const CONFINE_RLIMIT: &[Resource] = &[
            Resource::RLIMIT_CORE,
            Resource::RLIMIT_NPROC,
            Resource::RLIMIT_MEMLOCK,
        ];
        for resource in CONFINE_RLIMIT {
            setrlimit(*resource, 0, 0)?;
        }
        if !create {
            setrlimit(Resource::RLIMIT_FSIZE, 0, 0)?;
        }

        Ok(())
    }

    #[cfg(any(target_os = "linux", target_os = "android"))]
    fn sandbox_basic_linux() -> Result<()> {
        use nix::sys::prctl::{set_dumpable, set_no_new_privs};
        // TODO: Patch nix to support set_mdwe, and drop capctl.
        use capctl::{set_mdwe, MDWEFlags};

        // Set no-new-privileges (NNP) bit.
        set_no_new_privs()?;

        // Set dumpable attribute to not-dumpable.
        set_dumpable(false)?;

        // Set memory-deny-write-execute (best-effort).
        let _ = set_mdwe(MDWEFlags::REFUSE_EXEC_GAIN);

        Ok(())
    }

    #[cfg(any(target_os = "linux", target_os = "android"))]
    fn sandbox_rlimit_linux(create: bool) -> Result<()> {
        use nix::sys::resource::{setrlimit, Resource};

        // Set nprocs rlimits to zero.
        // Set locks, memory lock and msgqueue rlimits to zero.
        // Set core dump file size to zero.
        const CONFINE_RLIMIT: &[Resource] = &[
            Resource::RLIMIT_CORE,
            Resource::RLIMIT_NPROC,
            Resource::RLIMIT_LOCKS,
            Resource::RLIMIT_MEMLOCK,
            Resource::RLIMIT_MSGQUEUE,
        ];
        for resource in CONFINE_RLIMIT {
            setrlimit(*resource, 0, 0)?;
        }
        if !create {
            setrlimit(Resource::RLIMIT_FSIZE, 0, 0)?;
        }

        Ok(())
    }

    #[cfg(any(target_os = "linux", target_os = "android"))]
    fn sandbox_generate_linux(&self) -> Result<()> {
        // Basic sandboxing.
        Self::sandbox_basic_linux()?;

        // Confine resource limits.
        Self::sandbox_rlimit_linux(true)?;

        // Confine using landlock(7) (best effort).
        let _ = Self::sandbox_generate_landlock();

        Ok(())
    }

    #[cfg(any(target_os = "linux", target_os = "android"))]
    fn sandbox_sign_linux(&self) -> Result<()> {
        // Basic sandboxing.
        Self::sandbox_basic_linux()?;

        // Confine resource limits.
        Self::sandbox_rlimit_linux(true)?;

        // Confine using landlock(7) (best effort).
        let _ = Self::sandbox_sign_landlock();

        Ok(())
    }

    #[cfg(any(target_os = "linux", target_os = "android"))]
    fn sandbox_verify_linux(&self) -> Result<()> {
        // Basic sandboxing.
        Self::sandbox_basic_linux()?;

        // Confine resource limits.
        Self::sandbox_rlimit_linux(true)?;

        // Confine using landlock(7) (best effort).
        let _ = Self::sandbox_verify_landlock();

        Ok(())
    }

    #[cfg(any(target_os = "linux", target_os = "android"))]
    fn sandbox_check_linux(&self) -> Result<()> {
        // Basic sandboxing.
        Self::sandbox_basic_linux()?;

        // Confine resource limits.
        Self::sandbox_rlimit_linux(false)?;

        // Confine using landlock(7) (best effort).
        let _ = Self::sandbox_check_landlock();

        Ok(())
    }

    #[cfg(any(target_os = "linux", target_os = "android"))]
    fn sandbox_generate_landlock() -> Result<()> {
        use landlock::{AccessFs, BitFlags, RulesetCreatedAttr};

        // Initialize landock(7) ruleset.
        let mut ruleset = Self::sandbox_init_landlock()?;

        // Allow read/write/ioctl to /dev/tty for password prompt.
        // Allow read from /dev/{,u}random for RNG.
        let confine_path: &[(&str, BitFlags<AccessFs, u64>)] = &[
            (
                "/dev/tty",
                AccessFs::ReadFile | AccessFs::WriteFile | AccessFs::IoctlDev,
            ),
            ("/dev/random", AccessFs::ReadFile.into()),
            ("/dev/urandom", AccessFs::ReadFile.into()),
        ];
        for (path, access_fs) in confine_path {
            ruleset = ruleset.add_rules(landlock::path_beneath_rules(&[path], *access_fs))?;
        }

        ruleset.restrict_self()?;

        Ok(())
    }

    #[cfg(any(target_os = "linux", target_os = "android"))]
    fn sandbox_sign_landlock() -> Result<()> {
        Self::sandbox_generate_landlock()
    }

    #[cfg(any(target_os = "linux", target_os = "android"))]
    fn sandbox_verify_landlock() -> Result<()> {
        // Install empty landlock(7) filter to deny all access.
        Self::sandbox_init_landlock()?.restrict_self()?;

        Ok(())
    }

    #[cfg(any(target_os = "linux", target_os = "android"))]
    fn sandbox_check_landlock() -> Result<()> {
        use landlock::{AccessFs, RulesetCreatedAttr};

        // Initialize landock(7) ruleset.
        let ruleset = Self::sandbox_init_landlock()?;

        // Create a read-only sandbox.
        ruleset
            .add_rules(landlock::path_beneath_rules(&["/"], AccessFs::ReadFile))?
            .restrict_self()?;

        Ok(())
    }

    #[cfg(any(target_os = "linux", target_os = "android"))]
    fn sandbox_init_landlock() -> Result<landlock::RulesetCreated> {
        use landlock::{
            Access, AccessFs, AccessNet, CompatLevel, Compatible, Ruleset, RulesetAttr, Scope, ABI,
        };

        Ok(Ruleset::default()
            .handle_access(AccessFs::from_all(ABI::V6))?
            .handle_access(AccessNet::from_all(ABI::V6))?
            .scope(Scope::from_all(ABI::V6))?
            .set_compatibility(CompatLevel::BestEffort)
            .create()?)
    }

    fn preopen_tty(&mut self) -> Result<()> {
        #[cfg(unix)]
        if !self.nopass {
            use std::os::unix::fs::OpenOptionsExt;

            // Attempt to open /dev/tty.
            // It may not be available for noninteractive uses.
            self.tty_file_handle = std::fs::OpenOptions::new()
                .read(true)
                .write(true)
                .custom_flags(nix::libc::O_NOFOLLOW)
                .open("/dev/tty")
                .ok();
        }
        Ok(())
    }

    fn preopen_generate(&mut self) -> Result<()> {
        self.preopen_tty()?;

        let pubkey_path = self.pubkey.as_ref().ok_or(Error::RequiredArg("-p"))?;
        let seckey_path = self.seckey.as_ref().ok_or(Error::RequiredArg("-s"))?;

        self.pubkey_file_handle = Some(open(pubkey_path, true)?);
        self.seckey_file_handle = Some(open(seckey_path, true)?);

        Ok(())
    }

    fn preopen_sign(&mut self) -> Result<()> {
        self.preopen_tty()?;

        if let Some(path) = &self.seckey {
            if path.as_os_str() != "-" {
                self.seckey_file_handle = Some(open(path, false)?);
            }
        }

        if let Some(path) = &self.msg_file {
            if path.as_os_str() != "-" {
                self.msg_file_handle = Some(open(path, false)?);
            }
        }

        let sig_path = self.sig_file.clone().unwrap_or_else(|| {
            if let Some(msg) = &self.msg_file {
                let mut sig_name = msg.as_os_str().to_os_string();
                sig_name.push(".sig");
                PathBuf::from(sig_name)
            } else {
                PathBuf::from("-")
            }
        });

        if sig_path.as_os_str() != "-" {
            self.sig_file_handle = Some(open(&sig_path, true)?);
        }

        Ok(())
    }

    fn preopen_verify(&mut self) -> Result<()> {
        if let Some(path) = &self.pubkey {
            self.pubkey_file_handle = Some(open(path, false)?);
        }

        let (msg_path, sig_path) = self.resolve_verify_paths()?;
        if msg_path.as_os_str() != "-" {
            // For verify, msg is input unless embed or gzip (where it is output)
            // If embed/gzip, we create it new.
            if self.embed || self.gzip {
                self.msg_file_handle = Some(open(&msg_path, true)?);
            } else {
                self.msg_file_handle = Some(open(&msg_path, false)?);
            }
        }

        if sig_path.as_os_str() != "-" {
            self.sig_file_handle = Some(open(&sig_path, false)?);
        }

        Ok(())
    }

    fn preopen_check(&mut self) -> Result<()> {
        if let Some(path) = &self.pubkey {
            self.pubkey_file_handle = Some(open(path, false)?);
        }

        let sig_path = self
            .sig_file
            .clone()
            .or_else(|| self.args.first().cloned())
            .unwrap_or_else(|| PathBuf::from("-"));
        if sig_path.as_os_str() != "-" {
            self.sig_file_handle = Some(open(&sig_path, false)?);
        }
        Ok(())
    }

    fn resolve_verify_paths(&self) -> Result<(PathBuf, PathBuf)> {
        if self.gzip {
            let sig = self
                .sig_file
                .clone()
                .or_else(|| self.args.first().cloned())
                .unwrap_or_else(|| PathBuf::from("-"));
            let msg = self.msg_file.clone().unwrap_or_else(|| PathBuf::from("-"));
            Ok((msg, sig))
        } else {
            let msg = self.msg_file.clone().ok_or(Error::RequiredArg("-m"))?;
            let sig = self
                .sig_file
                .clone()
                .or_else(|| self.args.first().cloned())
                .unwrap_or_else(|| {
                    let mut sig_name = msg.as_os_str().to_os_string();
                    sig_name.push(".sig");
                    PathBuf::from(sig_name)
                });
            Ok((msg, sig))
        }
    }

    fn validate_generate(&self) -> Result<()> {
        if self.pubkey.is_none() {
            return Err(Error::RequiredArg("-p"));
        }
        if self.seckey.is_none() {
            return Err(Error::RequiredArg("-s"));
        }
        Ok(())
    }

    fn validate_sign(&self) -> Result<()> {
        if self.seckey.is_none() {
            return Err(Error::RequiredArg("-s"));
        }
        if self.msg_file.is_none() {
            return Err(Error::RequiredArg("-m"));
        }
        if self.gzip && self.sig_file.is_none() {
            return Err(Error::RequiredArg("-x"));
        }
        if self.sig_file.is_none() {
            if let Some(msg) = &self.msg_file {
                if msg.as_os_str() == "-" {
                    return Err(Error::RequiredArg("-x"));
                }
            }
        }
        Ok(())
    }

    fn validate_verify(&self) -> Result<()> {
        if self.pubkey.is_none() {
            return Err(Error::RequiredArg("-p"));
        }
        if !self.gzip && self.msg_file.is_none() {
            return Err(Error::RequiredArg("-m"));
        }
        Ok(())
    }

    fn validate_check(&self) -> Result<()> {
        if self.pubkey.is_none() {
            return Err(Error::RequiredArg("-p"));
        }
        if self.sig_file.is_none() && self.args.is_empty() {
            return Err(Error::RequiredArg("-x"));
        }
        Ok(())
    }
}