---
c: Copyright (C) Daniel Stenberg, <[email protected]>, et al.
SPDX-License-Identifier: curl
Long: pinnedpubkey
Arg: <hashes>
Help: Public key to verify peer against
Protocols: TLS
Category: tls
Added: 7.39.0
Multi: single
See-also:
  - hostpubsha256
Example:
  - --pinnedpubkey keyfile $URL
  - --pinnedpubkey 'sha256//ce118b51897f4452dc' $URL
---

# `--pinnedpubkey`

Use the specified public key file (or hashes) to verify the peer. This can be
a path to a file which contains a single public key in PEM or DER format, or
any number of base64 encoded sha256 hashes preceded by 'sha256//' and
separated by ';'.

When negotiating a TLS or SSL connection, the server sends a certificate
indicating its identity. A public key is extracted from this certificate and
if it does not exactly match the public key provided to this option, curl
aborts the connection before sending or receiving any data.

This option is independent of option --insecure. If you use both options
together then the peer is still verified by public key.

PEM/DER support:

OpenSSL and GnuTLS (added in 7.39.0), wolfSSL (added in 7.43.0), mbedTLS
(added in 7.47.0), Secure Transport macOS 10.7+/iOS 10+ (added in 7.54.1),
Schannel (added in 7.58.1)

sha256 support:

OpenSSL, GnuTLS and wolfSSL (added in 7.44.0), mbedTLS (added in 7.47.0),
Secure Transport macOS 10.7+/iOS 10+ (added in 7.54.1), Schannel
(added in 7.58.1)

Other SSL backends not supported.
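
The following added example (not part of curl or its documentation) shows how a `sha256//` pin relates to a public key file and how a list of pins separated by ';' is checked: each pin is the base64 of the SHA-256 of the DER-encoded public key (SubjectPublicKeyInfo), and the peer passes if its key matches any pin. The function names are hypothetical and the sample key is constructed placeholder data.

```python
import base64
import hashlib
import hmac

# Constructed sample: the Ed25519 SubjectPublicKeyInfo header followed by
# 32 placeholder key bytes. Not a real server key.
SAMPLE_SPKI_DER = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.encodebytes(SAMPLE_SPKI_DER).decode()
    + "-----END PUBLIC KEY-----\n"
)


def pem_to_der(pem):
    """Decode the base64 body of a single PEM 'PUBLIC KEY' block to DER."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("expected a single PEM public key")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def pin_from_spki(spki_der):
    """Format the SHA-256 of a DER public key as a 'sha256//' pin."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256//" + base64.b64encode(digest).decode()


def parse_pins(option_value):
    """Split 'sha256//A;sha256//B' into raw 32-byte digests."""
    digests = []
    for item in option_value.split(";"):
        if not item.startswith("sha256//"):
            raise ValueError(f"not a sha256 pin: {item!r}")
        raw = base64.b64decode(item[len("sha256//"):], validate=True)
        if len(raw) != 32:
            raise ValueError("a SHA-256 digest must decode to 32 bytes")
        digests.append(raw)
    return digests


def peer_key_matches(option_value, peer_spki_der):
    """True if the peer key's digest equals any pinned digest."""
    peer = hashlib.sha256(peer_spki_der).digest()
    return any(hmac.compare_digest(peer, pin) for pin in parse_pins(option_value))
```

Pinning a second hash for a backup key lets the server rotate keys without breaking clients that still carry the old pin list.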