mirrors/minisign
1
0
Fork 0
mirror of https://github.com/jedisct1/minisign.git synced 2025-04-04 19:37:48 +03:00
Code Issues Projects Releases Packages Wiki Activity

Sync with the man page

Browse source 
Fixes #158
This commit is contained in:
Frank Denis 2025-03-11 18:52:52 +01:00
parent d973a7dd96
commit 00ba13443f
1 changed files with 337 additions and 350 deletions
Download patch file Download diff file Expand all files Collapse all files

687
index.html
View file

@ -1,177 +1,165 @@
<!doctype html>
<!DOCTYPE html>
<html lang="en-us">
<head>
<meta charset="UTF-8" />
<title>Minisign by Frank Denis</title>
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link
rel="stylesheet"
type="text/css"
href="stylesheets/normalize.css"
media="screen"
/>
<link
href="https://fonts.googleapis.com/css?family=Open+Sans:400,700"
rel="stylesheet"
type="text/css"
/>
<link
rel="stylesheet"
type="text/css"
href="stylesheets/stylesheet.css"
media="screen"
/>
<link
rel="stylesheet"
type="text/css"
href="stylesheets/github-light.css"
media="screen"
/>
</head>
<head>
<meta charset="UTF-8" />
<title>Minisign by Frank Denis</title>
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link
rel="stylesheet"
type="text/css"
href="stylesheets/normalize.css"
media="screen"
/>
<link
href="https://fonts.googleapis.com/css?family=Open+Sans:400,700"
rel="stylesheet"
type="text/css"
/>
<link
rel="stylesheet"
type="text/css"
href="stylesheets/stylesheet.css"
media="screen"
/>
<link
rel="stylesheet"
type="text/css"
href="stylesheets/github-light.css"
media="screen"
/>
</head>
<body>
<section class="page-header">
<h1 class="project-name">Minisign</h1>
<h2 class="project-tagline">
A dead simple tool to sign files and verify signatures.
</h2>
<a href="https://github.com/jedisct1/minisign" class="btn"
>View on GitHub</a
>
<a
href="https://github.com/jedisct1/minisign/tarball/master"
class="btn"
>Download source code</a
>
<a
href="https://github.com/jedisct1/minisign/releases/download/0.12/minisign-0.12-macos.zip"
class="btn"
>Download OSX binary</a
>
<a
href="https://github.com/jedisct1/minisign/releases/download/0.12/minisign-0.12-linux.tar.gz"
class="btn"
>Download Linux binary</a
>
<a href="https://wapm.io/package/jedisct1/minisign" class="btn"
>Download WebAssembly binary</a
>
<a
href="https://github.com/jedisct1/minisign/releases/download/0.12/minisign-0.12-win64.zip"
class="btn"
>Download Windows binary</a
>
</section>
<body>
<section class="page-header">
<h1 class="project-name">Minisign</h1>
<h2 class="project-tagline">
A dead simple tool to sign files and verify signatures.
</h2>
<a href="https://github.com/jedisct1/minisign" class="btn"
>View on GitHub</a
>
<a href="https://github.com/jedisct1/minisign/tarball/master" class="btn"
>Download source code</a
>
<a
href="https://github.com/jedisct1/minisign/releases/download/0.12/minisign-0.12-macos.zip"
class="btn"
>Download OSX binary</a
>
<a
href="https://github.com/jedisct1/minisign/releases/download/0.12/minisign-0.12-linux.tar.gz"
class="btn"
>Download Linux binary</a
>
<a href="https://wapm.io/package/jedisct1/minisign" class="btn"
>Download WebAssembly binary</a
>
<a
href="https://github.com/jedisct1/minisign/releases/download/0.12/minisign-0.12-win64.zip"
class="btn"
>Download Windows binary</a
>
</section>
<section class="main-content">
<h1>
<a
id="minisign"
class="anchor"
href="#minisign"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Minisign
</h1>
<section class="main-content">
<h1>
<a id="minisign" class="anchor" href="#minisign" aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Minisign
</h1>
<p>
Minisign is a dead simple tool to sign files and verify
signatures.
</p>
<p>Minisign is a dead simple tool to sign files and verify signatures.</p>
<p>
It is portable, lightweight, and uses the highly secure
<a href="https://ed25519.cr.yp.to/" target="blank">Ed25519</a>
public-key signature system.
</p>
<p>
It is portable, lightweight, and uses the highly secure
<a href="https://ed25519.cr.yp.to/" target="blank">Ed25519</a>
public-key signature system.
</p>
<h2>
<a
id="creating-a-key-pair"
class="anchor"
href="#creating-a-key-pair"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Creating a key pair
</h2>
<h2>
<a
id="creating-a-key-pair"
class="anchor"
href="#creating-a-key-pair"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Creating a key pair
</h2>
<pre><code>$ minisign -G
<pre><code>$ minisign -G
</code></pre>
<p>
The public key is printed and put into the
<code>minisign.pub</code> file. The secret key is encrypted and
saved as a file named <code>~/.minisign/minisign.key</code>.
</p>
<p>
The public key is printed and put into the
<code>minisign.pub</code> file. The secret key is encrypted and saved as
a file named <code>~/.minisign/minisign.key</code>.
</p>
<h2>
<a
id="signing-a-file"
class="anchor"
href="#signing-a-file"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Signing a file
</h2>
<h2>
<a
id="signing-a-file"
class="anchor"
href="#signing-a-file"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Signing a file
</h2>
<pre><code>$ minisign -Sm myfile.txt
<pre><code>$ minisign -Sm myfile.txt
</code></pre>
<p>
Or to include a comment in the signature, that will be verified
and displayed when verifying the file:
</p>
<p>
Or to include a comment in the signature, that will be verified and
displayed when verifying the file:
</p>
<pre><code>$ minisign -Sm myfile.txt -t 'This comment will be signed as well'
<pre><code>$ minisign -Sm myfile.txt -t 'This comment will be signed as well'
</code></pre>
<p>The signature is put into <code>myfile.txt.minisig</code>.</p>
<p>The signature is put into <code>myfile.txt.minisig</code>.</p>
<p>
Starting with version 0.8, multiple files can also be signed at
once:
</p>
<p>
Starting with version 0.8, multiple files can also be signed at once:
</p>
<pre><code>$ minisign -Sm file1.txt file2.txt *.jpg
<pre><code>$ minisign -Sm file1.txt file2.txt *.jpg
</code></pre>
<h2>
<a
id="verifying-a-file"
class="anchor"
href="#verifying-a-file"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Verifying a file
</h2>
<h2>
<a
id="verifying-a-file"
class="anchor"
href="#verifying-a-file"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Verifying a file
</h2>
<pre><code>$ minisign -Vm myfile.txt -P RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3
<pre><code>$ minisign -Vm myfile.txt -P RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3
</code></pre>
<p>or</p>
<p>or</p>
<pre><code>$ minisign -Vm myfile.txt -p signature.pub
<pre><code>$ minisign -Vm myfile.txt -p signature.pub
</code></pre>
<p>
This requires the signature <code>myfile.txt.minisig</code> to
be present in the same directory.
</p>
<p>
This requires the signature <code>myfile.txt.minisig</code> to be
present in the same directory.
</p>
<p>
The public key can either reside in a file (<code
>./minisign.pub</code
>
by default) or be directly specified on the command line.
</p>
<p>
The public key can either reside in a file (<code>./minisign.pub</code>
by default) or be directly specified on the command line.
</p>
<h2>
<a id="usage" class="anchor" href="#usage" aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Usage
</h2>
<h2>
<a id="usage" class="anchor" href="#usage" aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Usage
</h2>
<pre><code>
<pre><code>
Usage:
minisign -G [-f] [-p pubkey_file] [-s seckey_file] [-W]
minisign -R [-s seckey_file] [-p pubkey_file]
@ -201,248 +189,247 @@ minisign -V [-H] [-x sig_file] [-p pubkey_file | -P pubkey] [-o] [-q] -m file
-v display version number
</code></pre>
<h2>
<a
id="trusted-comments"
class="anchor"
href="#trusted-comments"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Trusted comments
</h2>
<h2>
<a
id="trusted-comments"
class="anchor"
href="#trusted-comments"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Trusted comments
</h2>
<p>
Signature files include an untrusted comment line that can be
freely modified, even after signature creation.
</p>
<p>
Signature files include an untrusted comment line that can be freely
modified even after the signature is created.
</p>
<p>
They also include a second comment line, that cannot be modified
without the secret key.
</p>
<p>
They also include a second comment line that cannot be modified without
the secret key.
</p>
<p>
Trusted comments can be used to add instructions or
application-specific metadata (intended file name, timestamps,
resource identifiers, version numbers to prevent downgrade
attacks).
</p>
<p>
Trusted comments can be used to add instructions or application-specific
metadata such as the intended file name, timestamps, resource
identifiers, or version numbers to prevent downgrade attacks.
</p>
<h2>
<a
id="compilation--installation"
class="anchor"
href="#compilation--installation"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Compilation / installation
</h2>
<p>
OpenBSD's
<a href="https://man.openbsd.org/signify"><code>signify(1)</code>></a>
is conceptually similar to Minisign.
<br />
Minisign creates signatures that can be verified by
<code>signify</code>; however, signatures created by
<code>signify</code>
cannot be verified with Minisign because Minisign expects a trusted
comment section to be present.
<br />
Trusted comments are crucial for describing what has been signed, in
addition to merely confirming that a signature exists.
</p>
<h3>Using Zig</h3>
<p>Dependencies:</p>
<ul>
<li><a href="http://doc.libsodium.org/">libsodium</a> (optional)</li>
</ul>
<h2>
<a
id="compilation--installation"
class="anchor"
href="#compilation--installation"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Compilation / installation
</h2>
<p>Compilation:</p>
<ul>
<li>With libsodium: <pre><code>$ zig build -Doptimize=ReleaseSmall</code></pre></li>
<li>Without libsodium: <pre><code>$ zig build -Doptimize=ReleaseSmall -Dwithout-libsodium</code></pre></li>
</ul>
<h3>Using Zig</h3>
<p>Dependencies:</p>
<ul>
<li><a href="http://doc.libsodium.org/">libsodium</a> (optional)</li>
</ul>
<h3>Using Cmake</h3>
<p>Dependencies</p>
<ul>
<li><a href="http://doc.libsodium.org/">libsodium</a></li>
<li>cmake</li>
<li>make</li>
<li>pkg-config</li>
<li>a C compilation toolchain</li>
</ul>
<p>Compilation:</p>
<ul>
<li>
With libsodium:
<pre><code>$ zig build -Doptimize=ReleaseSmall</code></pre>
</li>
<li>
Without libsodium:
<pre><code>$ zig build -Doptimize=ReleaseSmall -Dwithout-libsodium</code></pre>
</li>
</ul>
<p>Compilation:</p>
<h3>Using Cmake</h3>
<p>Dependencies</p>
<ul>
<li><a href="http://doc.libsodium.org/">libsodium</a></li>
<li>cmake</li>
<li>make</li>
<li>pkg-config</li>
<li>a C compilation toolchain</li>
</ul>
<pre><code>$ mkdir build
<p>Compilation:</p>
<pre><code>$ mkdir build
$ cd build
$ cmake ..
$ make
# make install</code></pre>
<h2>
<a
id="pre-hashing"
class="anchor"
href="#pre-hashing"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Pre-hashing
</h2>
<h2>
<a
id="pre-hashing"
class="anchor"
href="#pre-hashing"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Pre-hashing
</h2>
<p>
By default, files are signed and verified with very low memory
requirements, by pre-hashing the content.
</p>
<p>
By default, files are signed and verified with very low memory
requirements, by pre-hashing the content.
</p>
<p>
Signatures that are not pre-hashed can be rejected with the -H
switch. Support for these legacy signatures will eventually be
removed.
</p>
<p>
Signatures that are not pre-hashed can be rejected with the -H switch.
Support for these legacy signatures will eventually be removed.
</p>
<h2>
<a
id="signature-format"
class="anchor"
href="#signature-format"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Signature format
</h2>
<h2>
<a
id="signature-format"
class="anchor"
href="#signature-format"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Signature format
</h2>
<pre><code>untrusted comment: &lt;arbitrary text&gt;
<pre><code>untrusted comment: &lt;arbitrary text&gt;
base64(&lt;signature_algorithm&gt; || &lt;key_id&gt; || &lt;signature&gt;)
trusted_comment: &lt;arbitrary text&gt;
base64(&lt;global_signature&gt;)
</code></pre>
<ul>
<li>
<code>signature_algorithm</code>: <code>Ed</code> (legacy)
or <code>ED</code> (hashed)
</li>
<li>
<code>key_id</code>: 8 random bytes, matching the public key
</li>
<li>
<code>signature</code> (legacy):
<code>ed25519(&lt;file data&gt;)</code>
</li>
<li>
<code>signature</code> (prehashed):
<code>ed25519(Blake2b-512(&lt;file data&gt;))</code>
</li>
<li>
<code>global_signature</code>:
<code
>ed25519(&lt;signature&gt; ||
&lt;trusted_comment&gt;)</code
>
</li>
</ul>
<ul>
<li>
<code>signature_algorithm</code>: <code>Ed</code> (legacy) or
<code>ED</code> (hashed)
</li>
<li><code>key_id</code>: 8 random bytes, matching the public key</li>
<li>
<code>signature</code> (legacy):
<code>ed25519(&lt;file data&gt;)</code>
</li>
<li>
<code>signature</code> (prehashed):
<code>ed25519(Blake2b-512(&lt;file data&gt;))</code>
</li>
<li>
<code>global_signature</code>:
<code>ed25519(&lt;signature&gt; || &lt;trusted_comment&gt;)</code>
</li>
</ul>
<p>
New implementations must use the hashed signature format;
support for the legacy one is optional and should not be done by
default.
</p>
<p>
New implementations must use the hashed signature format; support for
the legacy one is optional and should not be done by default.
</p>
<h2>
<a
id="public-key-format"
class="anchor"
href="#public-key-format"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Public key format
</h2>
<h2>
<a
id="public-key-format"
class="anchor"
href="#public-key-format"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Public key format
</h2>
<pre><code>untrusted comment: &lt;arbitrary text&gt;
<pre><code>untrusted comment: &lt;arbitrary text&gt;
base64(&lt;signature_algorithm&gt; || &lt;key_id&gt; || &lt;public_key&gt;)
</code></pre>
<ul>
<li><code>signature_algorithm</code>: <code>Ed</code></li>
<li><code>key_id</code>: 8 random bytes</li>
<li><code>public_key</code>: Ed25519 public key</li>
</ul>
<ul>
<li><code>signature_algorithm</code>: <code>Ed</code></li>
<li><code>key_id</code>: 8 random bytes</li>
<li><code>public_key</code>: Ed25519 public key</li>
</ul>
<h2>
<a
id="secret-key-format"
class="anchor"
href="#secret-key-format"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Secret key format
</h2>
<h2>
<a
id="secret-key-format"
class="anchor"
href="#secret-key-format"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Secret key format
</h2>
<pre><code>untrusted comment: &lt;arbitrary text&gt;
<pre><code>untrusted comment: &lt;arbitrary text&gt;
base64(&lt;signature_algorithm&gt; || &lt;kdf_algorithm&gt; || &lt;cksum_algorithm&gt; ||
&lt;kdf_salt&gt; || &lt;kdf_opslimit&gt; || &lt;kdf_memlimit&gt; || &lt;keynum_sk&gt;)
</code></pre>
<ul>
<li><code>signature_algorithm</code>: <code>Ed</code></li>
<li><code>kdf_algorithm</code>: <code>Sc</code></li>
<li><code>cksum_algorithm</code>: <code>B2</code></li>
<li><code>kdf_salt</code>: 32 random bytes</li>
<li>
<code>kdf_opslimit</code>:
<code
>crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_SENSITIVE</code
>
</li>
<li>
<code>kdf_memlimit</code>:
<code
>crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_SENSITIVE</code
>
</li>
<li>
<code>keynum_sk</code>:
<code
>&lt;kdf_output&gt; ^ (&lt;key_id&gt; ||
&lt;secret_key&gt; || &lt;public_key&gt; ||
&lt;checksum&gt;)</code
>, 104 bytes
</li>
<li><code>key_id</code>: 8 random bytes</li>
<li><code>secret_key</code>: Ed25519 secret key</li>
<li><code>public_key</code>: Ed25519 public key</li>
<li>
<code>checksum</code>:
<code
>Blake2b-256(&lt;signature_algorithm&gt; ||
&lt;key_id&gt; || &lt;secret_key&gt; ||
&lt;public_key&gt;)</code
>, 32 bytes
</li>
</ul>
<ul>
<li><code>signature_algorithm</code>: <code>Ed</code></li>
<li><code>kdf_algorithm</code>: <code>Sc</code></li>
<li><code>cksum_algorithm</code>: <code>B2</code></li>
<li><code>kdf_salt</code>: 32 random bytes</li>
<li>
<code>kdf_opslimit</code>:
<code>crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_SENSITIVE</code>
</li>
<li>
<code>kdf_memlimit</code>:
<code>crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_SENSITIVE</code>
</li>
<li>
<code>keynum_sk</code>:
<code
>&lt;kdf_output&gt; ^ (&lt;key_id&gt; || &lt;secret_key&gt; ||
&lt;public_key&gt; || &lt;checksum&gt;)</code
>, 104 bytes
</li>
<li><code>key_id</code>: 8 random bytes</li>
<li><code>secret_key</code>: Ed25519 secret key</li>
<li><code>public_key</code>: Ed25519 public key</li>
<li>
<code>checksum</code>:
<code
>Blake2b-256(&lt;signature_algorithm&gt; || &lt;key_id&gt; ||
&lt;secret_key&gt; || &lt;public_key&gt;)</code
>, 32 bytes
</li>
</ul>
<h2>
<a
id="encryption"
class="anchor"
href="#encryption"
aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Encryption
</h2>
<h2>
<a id="encryption" class="anchor" href="#encryption" aria-hidden="true"
><span class="octicon octicon-link"></span></a
>Encryption
</h2>
Looking for an equally simple tool for file and stream encryption?
Check out
<a href="https://github.com/jedisct1/encpipe">Encpipe</a> and
<a href="https://github.com/FiloSottile/age">Age</a>.
Looking for an equally simple tool for file and stream encryption? Check
out
<a href="https://github.com/jedisct1/encpipe">Encpipe</a> and
<a href="https://github.com/FiloSottile/age">Age</a>.
<footer class="site-footer">
<span class="site-footer-owner"
><a href="https://github.com/jedisct1/minisign">Minisign</a>
is maintained by
<a href="https://github.com/jedisct1">jedisct1</a>.</span
>
<footer class="site-footer">
<span class="site-footer-owner"
><a href="https://github.com/jedisct1/minisign">Minisign</a>
is maintained by
<a href="https://github.com/jedisct1">jedisct1</a>.</span
>
<span class="site-footer-credits"
>This page was generated by
<a href="https://pages.github.com">GitHub Pages</a> using
the
<a href="https://github.com/jasonlong/cayman-theme"
>Cayman theme</a
>
by
<a href="https://twitter.com/jasonlong">Jason Long</a
>.</span
>
</footer>
</section>
</body>
<span class="site-footer-credits"
>This page was generated by
<a href="https://pages.github.com">GitHub Pages</a> using the
<a href="https://github.com/jasonlong/cayman-theme">Cayman theme</a>
by
<a href="https://twitter.com/jasonlong">Jason Long</a>.</span
>
</footer>
</section>
</body>
</html>