The sha1hmac/sha256hmac/sha384hmac/sha512hmac command can compute and/or
verify HMAC and unkeyed checksum values for the contents of files.  If
you're familiar with the sha1sum/sha224sum/sha256sum/sha384sum/sha512sum
command from the "coreutils" package, then you already have a good idea
of how to use these HMAC tools.

The key difference is that when calculating an HMAC value, a key is
used, and that same key must be used when verifying the HMAC.  These
tools accept the key to be used either directly as a command-line
argument (-K), or from the contents of a file whose name is passed on
the command line as an argument (-k).  (While a compiled-in key will be
used if neither is given, reliance on this behavior is discouraged.)


The HMAC values are computed as described by RFC2104, and the results
produced by the tools should exactly match test vectors published in
RFC2202 and RFC4231.
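
The following Python is an added example, not code from these tools. It builds the RFC 2104 construction from plain hash calls and checks it against test cases 1 and 2 of RFC 2202 (HMAC-SHA-1) and RFC 4231 (HMAC-SHA-256), giving an independent reference for cross-checking a value the tools report. The function names and the VECTORS table are assumptions of this example.

```python
import hashlib
import hmac
import io

def rfc2104_hmac(key, stream, hash_name="sha256", chunk=65536):
    """Hex HMAC of a binary file-like object, per RFC 2104:
    H((K xor opad) || H((K xor ipad) || text))."""
    block = hashlib.new(hash_name).block_size   # 64 for SHA-1/256, 128 for SHA-384/512
    if len(key) > block:                        # keys longer than a block are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")             # then zero-padded to the block size
    inner = hashlib.new(hash_name, bytes(b ^ 0x36 for b in key))
    for piece in iter(lambda: stream.read(chunk), b""):
        inner.update(piece)                     # streamed, so large files are fine
    outer = hashlib.new(hash_name, bytes(b ^ 0x5C for b in key))
    outer.update(inner.digest())
    return outer.hexdigest()

def verify(key, stream, expected_hex, hash_name="sha256"):
    """Recompute with the same key and compare in constant time."""
    actual = rfc2104_hmac(key, stream, hash_name)
    return hmac.compare_digest(actual, expected_hex.strip().lower())

# (hash, key, data, expected HMAC): test cases 1 and 2 of RFC 2202 and RFC 4231
VECTORS = [
    ("sha1", b"\x0b" * 20, b"Hi There",
     "b617318655057264e28bc0b6fb378c8ef146be00"),
    ("sha1", b"Jefe", b"what do ya want for nothing?",
     "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"),
    ("sha256", b"\x0b" * 20, b"Hi There",
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
    ("sha256", b"Jefe", b"what do ya want for nothing?",
     "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
]

def check_vectors():
    """Return one True/False per published vector."""
    return [verify(k, io.BytesIO(d), want, h) for h, k, d, want in VECTORS]

if __name__ == "__main__":
    print(check_vectors())
```

To check a file, open it in binary mode and pass the file object as the stream together with the same key that was given to the tool.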

The HMAC tools will perform a self-test using a compiled-in key and a
prepackaged value each time they are run.


If you intend to use these tools to ensure that a binary has not been
tampered with, the verification has to be done prior to handing any
sensitive information to the binary which is being verified.

For example, if the tools are used to verify a kernel or kernel modules,
this verification must be done before any of the binaries being checked
are given any sensitive information.  This means that the verification
must be completed before any attempt is made to access encrypted disks
using dm-crypt.