I want to create a signature and verify it with openssl. I want to have hex output of my signature.
This is my code:
#create private key
openssl ecparam -genkey -name secp256k1 -rand /dev/urandom -noout -out private.pem
#public key derivation
openssl ec -in private.pem -pubout -out public.pem
#create signature
openssl dgst -sha256 -hex -sign private.pem msg.txt > signature.hex
#check signature
openssl dgst -sha256 -verify public.pem -signature signature.hex msg.txt
I get this error:
Error Verifying Data
4573216364:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1220:
4573216364:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:386:Type=ECDSA_SIG
If I remove -hex during create signature, it works.
$ openssl version
OpenSSL 1.0.2s 28 May 2019
The openssl dgst command "-hex" parameter means that the output is NOT binary but a hex dump of the binary output.
Quote:
-hex
digest is to be output as a hex dump. This is the default case for a "normal" digest as opposed to a digital signature. See NOTES below for digital signatures using -hex.
And the note section:
Hex signatures cannot be verified using openssl. Instead, use "xxd -r" or similar program to transform the hex signature into a binary signature prior to verification.
So if you use the -hex option for a hex dump, you need to convert it back to binary yourself somehow before passing it into openssl to verify.
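The conversion step described in the answer above, as an added example that is not part of the original post. The function names are hypothetical, and it assumes the `-hex` output file starts with a label ending in `= ` before the hex digits, which has to be stripped before the bytes are rebuilt:

```shell
#!/bin/sh
# Added example: verify a signature that was saved with `openssl dgst -hex -sign`.

# Print only the hex digits of a `dgst -hex` output file. The dump is assumed
# to be preceded by a label ending in "= " (constructed sample line:
# "EC-SHA256(msg.txt)= 3006020101020100"); a bare hex file passes unchanged.
sig_hex_digits() {
    sed 's/^.*= *//' "$1" | tr -d ' :\r\n'
}

# Portable hex-to-binary: one printf per byte, via an octal escape.
hex_to_bin_portable() {
    fold -w 2 | while read -r byte || [ -n "$byte" ]; do
        printf '%b' "\\0$(printf '%o' "0x$byte")"
    done
}

# Hex digits on stdin, raw bytes on stdout. Prefer xxd, as the man page suggests.
hex_to_bin() {
    if command -v xxd >/dev/null 2>&1; then
        xxd -r -p
    else
        hex_to_bin_portable
    fi
}

# Usage: verify_hex_signature public.pem signature.hex msg.txt
# Rebuilds the binary (DER) ECDSA signature in a temp file and verifies it.
verify_hex_signature() {
    sig_bin=$(mktemp) || return 1
    sig_hex_digits "$2" | hex_to_bin > "$sig_bin"
    openssl dgst -sha256 -verify "$1" -signature "$sig_bin" "$3"
    status=$?
    rm -f "$sig_bin"
    return "$status"
}

# Run directly: sh verify_hex.sh public.pem signature.hex msg.txt
if [ "$#" -eq 3 ]; then
    verify_hex_signature "$@"
fi
```

Passing the raw `signature.hex` to `-signature` fails with the ASN.1 "wrong tag" error shown in the question because openssl tries to parse the ASCII text as a DER-encoded `ECDSA_SIG`.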