+

+Minisign

+ +

Minisign is a dead simple tool to sign files and verify signatures.

+ +

+Compilation / installation

+ +

Dependencies:

+ + + +

Compilation:

+ +
$ mkdir build
+$ cd build
+$ cmake ..
+$ make
+# make install
+
+ +

+Creating a key pair

+ +
$ minisign -G
+
+ +

The public key is printed and put into the minisign.pub file. The secret key +is encrypted and saved as minisign.key file.

+ +

+Signing a file

+ +
$ minisign -Sm myfile.txt
+
+ +

Or to include a comment in the signature, that will be verified and +displayed when verifying the file:

+ +
$ minisign -Sm myfile.txt -t 'This comment will be signed as well'
+
+ +

The signature is put into myfile.txt.minisig.

+ +

+Verifying a file

+ +
$ minisign -Vm myfile.txt -P RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3
+
+ +

or

+ +
$ minisign -Vm myfile.txt -p signature.pub
+
+ +

This requires the signature myfile.txt.minisig to be present in the same +directory.

+ +

The public key can either reside in a file (./minisign.pub by default) or be +directly specified on the command line.

+ +

+Usage

+ +
$ minisign -G [-p pubkey] [-s seckey]
+$ minisign -S [-x sigfile] [-s seckey] [-c untrusted_comment] [-t trusted_comment] -m file
+$ minisign -V [-x sigfile] [-p pubkeyfile | -P pubkey] [-q] -m file
+
+-G                generate a new key pair
+-S                sign a file
+-V                verify that a signature is valid for a given file
+-m <file>         file to sign/verify
+-p <pubkeyfile>   public key file (default: ./minisign.pub)
+-P <pubkey>       public key, as a base64 string
+-s <seckey>       secret key file (default: ./minisign.key)
+-x <sigfile>      signature file (default: <file>.minisig)
+-c <comment>      add a one-line untrusted comment
+-t <comment>      add a one-line trusted comment
+-q                quiet mode, suppress output
+-v                display version number
+
+ +

+Trusted comments

+ +

Signature files include an untrusted comment line that can be freely +modified, even after signature creation.

+ +

They also include a second comment line, that cannot be modified +without the secret key.

+ +

Trusted comments can be used to add instructions or application-specific +metadata (intended file name, timestamps, resource identifiers, +version numbers to prevent downgrade attacks).

+ +

+Compatibility with OpenBSD signify

+ +

Signature written by minisign can be verified using OpenBSD's signify +tool: public key files and signature files are compatible.

+ +

However, minisign uses a slightly different format to store secret keys.

+ +

Minisign signatures include trusted comments in addition to untrusted +comments. Trusted comments are signed, thus verified, before being +displayed.

+ +

This adds two lines to the signature files, that signify silently ignores.

+ +

+Signature format

+ +
untrusted comment: <arbitrary text>
+base64(<signature_algorithm> || <key_id> || <signature>)
+trusted_comment: <arbitrary text>
+base64(<global_signature>)
+
+ + + +

+Public key format

+ +
untrusted comment: <arbitrary text>
+base64(<signature_algorithm> || <key_id> || <public_key>)
+
+ + + +

+Secret key format

+ +
untrusted comment: <arbitrary text>
+base64(<signature_algorithm> || <kdf_algorithm> || <cksum_algorithm> ||
+       <kdf_salt> || <kdf_opslimit> || <kdf_memlimit> || <keynum_sk>)
+
+ + + + + +