From e74428c4648e9dedd8071f84f2104462acb23baf Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Mon, 25 Oct 2021 00:53:09 +0200 Subject: [PATCH] Update man page Fixes #106 --- share/man/man1/minisign.1 | 53 +++++++-------------------------------- src/manpage.md | 32 +++-------------------- 2 files changed, 13 insertions(+), 72 deletions(-) diff --git a/share/man/man1/minisign.1 b/share/man/man1/minisign.1 index 0b3612d..86317a7 100644 --- a/share/man/man1/minisign.1 +++ b/share/man/man1/minisign.1 @@ -1,7 +1,7 @@ .\" generated with Ronn/v0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3 . -.TH "MINISIGN" "1" "June 2020" "" "" +.TH "MINISIGN" "1" "October 2021" "" "" . .SH "NAME" \fBminisign\fR \- A dead simple tool to sign files and verify signatures\. @@ -48,10 +48,6 @@ File to sign/verify Combined with \-V, output the file content after verification . .TP -\fB\-H\fR -Combined with \-S, pre\-hash in order to sign large files -. -.TP \fB\-p \fR Public key file (default: \./minisign\.pub) . @@ -76,10 +72,18 @@ Add a one\-line untrusted comment Add a one\-line trusted comment . .TP +\fB\-l\fR +Sign using the legacy format +. +.TP \fB\-q\fR Quiet mode, suppress output . .TP +\fB\-H\fR +Requires the input to be prehashed +. +.TP \fB\-Q\fR Pretty quiet mode, only print the trusted comment . @@ -138,9 +142,6 @@ This requires the signature \fBmyfile\.txt\.minisig\fR to be present in the same The public key can either reside in a file (\fB\./minisign\.pub\fR by default) or be directly specified on the command line\. . .SH "Notes" -\fBTrusted comments\fR -. -.P Signature files include an untrusted comment line that can be freely modified, even after signature creation\. . .P 
@@ -149,41 +150,5 @@ They also include a second comment line, that cannot be modified without the sec .P Trusted comments can be used to add instructions or application\-specific metadata (intended file name, timestamps, resource identifiers, version numbers to prevent downgrade attacks)\. . -.P -\fBCompatibility with OpenBSD signify\fR -. -.P -Signatures written by \fBminisign\fR can be verified using OpenBSD\'s \fBsignify\fR tool: public key files and signature files are compatible\. -. -.P -However, \fBminisign\fR uses a slightly different format to store secret keys\. -. -.P -\fBMinisign\fR signatures include trusted comments in addition to untrusted comments\. Trusted comments are signed, thus verified, before being displayed\. -. -.P -This adds two lines to the signature files, that signify silently ignores\. -. -.P -\fBPre\-hashing\fR -. -.P -By default, signing and verification require as much memory as the size of the file\. -. -.P -Since \fBMinisign 0\.6\fR, huge files can be signed and verified with very low memory requirements, by pre\-hashing the content\. -. -.P -The \-H command\-line switch, in combination with \-S, generates a pre\-hashed signature (HashEdDSA): -. -.P -$ \fBminisign\fR \-SHm myfile\.txt -. -.P -Verification of such a signature doesn\'t require any specific switch: the appropriate algorithm will automatically be detected\. -. -.P -Signatures generated that way are not compatible with OpenBSD\'s \fBsignify\fR tool and are not compatible with \fBMinisign\fR versions prior to 0\.6\. -. .SH "AUTHOR" Frank Denis (github [at] pureftpd [dot] org) diff --git a/src/manpage.md b/src/manpage.md index 8dcce2a..6bb9ce2 100644 --- a/src/manpage.md +++ b/src/manpage.md @@ -34,8 +34,6 @@ These options control the actions of `minisign`. File to sign/verify * `-o`: Combined with -V, output the file content after verification - * `-H`: - Combined with -S, pre-hash in order to sign large files * `-p `: Public key file (default: ./minisign.pub) * `-P `: 
@@ -48,8 +46,12 @@ These options control the actions of `minisign`. Add a one-line untrusted comment * `-t `: Add a one-line trusted comment + * `-l`: + Sign using the legacy format * `-q`: Quiet mode, suppress output + * `-H`: + Requires the input to be prehashed * `-Q`: Pretty quiet mode, only print the trusted comment * `-R`: 
@@ -93,38 +95,12 @@ The public key can either reside in a file (`./minisign.pub` by default) or be d ## Notes -**Trusted comments** - Signature files include an untrusted comment line that can be freely modified, even after signature creation. They also include a second comment line, that cannot be modified without the secret key. Trusted comments can be used to add instructions or application-specific metadata (intended file name, timestamps, resource identifiers, version numbers to prevent downgrade attacks). -**Compatibility with OpenBSD signify** - -Signatures written by `minisign` can be verified using OpenBSD's `signify` tool: public key files and signature files are compatible. - -However, `minisign` uses a slightly different format to store secret keys. - -`Minisign` signatures include trusted comments in addition to untrusted comments. Trusted comments are signed, thus verified, before being displayed. - -This adds two lines to the signature files, that signify silently ignores. - -**Pre-hashing** - -By default, signing and verification require as much memory as the size of the file. - -Since `Minisign 0.6`, huge files can be signed and verified with very low memory requirements, by pre-hashing the content. - -The -H command-line switch, in combination with -S, generates a pre-hashed signature (HashEdDSA): - -$ `minisign` -SHm myfile.txt - -Verification of such a signature doesn't require any specific switch: the appropriate algorithm will automatically be detected. - -Signatures generated that way are not compatible with OpenBSD's `signify` tool and are not compatible with `Minisign` versions prior to 0.6. - ## AUTHOR Frank Denis (github [at] pureftpd [dot] org)
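Review bot: The new -H entry ("Requires the input to be prehashed"), added in the options hunks of both share/man/man1/minisign.1 and src/manpage.md, does not say which action it modifies. The entry it replaces did ("Combined with -S, pre-hash in order to sign large files"), and so does the neighbouring -o entry ("Combined with -V, ..."). Since -H now sits after -q rather than next to the file options, state whether it applies to -S, -V or both, whether "the input" means the file or the signature, and what happens when the requirement is not met. The -l entry added in the same hunks ("Sign using the legacy format") has the same gap: nothing left on the page says what the legacy format is or how it differs from the default, so a one-clause definition in the entry would help.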
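Review bot: The Notes hunks in both files delete the "Pre-hashing" and "Compatibility with OpenBSD signify" text without a replacement, so the page no longer tells readers that pre-hashed signatures are not compatible with signify or with Minisign versions prior to 0.6, or that the secret key format differs. The option list now relies on the terms "legacy format" and "prehashed", which these removed paragraphs were the only place to explain. Consider keeping a short note that defines both terms and says which signature format remains verifiable by signify. The removed sentence "Trusted comments are signed, thus verified, before being displayed" was also the only explicit statement that the comment is verified before it is displayed; the remaining Notes text only says the line cannot be modified without the secret key, so that sentence is worth retaining.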