Require Zig 0.14

Fixes #159

.gitignore

@@ -23,5 +23,5 @@ CMakeFiles
 Makefile
 cmake_install.cmake
 minisign
-zig-cache
+.zig-cache
 zig-out

README.md

@@ -1,7 +1,6 @@
 ![CodeQL scan](https://github.com/jedisct1/minisign/workflows/CodeQL%20scan/badge.svg)
 
-Minisign
-========
+# Minisign
 
 Minisign is a dead simple tool to sign files and verify signatures.
 
@@ -13,15 +12,14 @@ public key:
 
     RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3
 
-Compilation / installation
---------------------------
+## Compilation / installation
 
 ## Building with Zig
 
 Dependencies:
 
-* [libsodium](https://libsodium.org/) (*optional*)
-* [zig](https://ziglang.org)
+- [libsodium](https://libsodium.org/) (_optional_)
+- [zig](https://ziglang.org)
 
 Compilation with libsodium, dynamically linked (libsodium will need to be installed on the system for the command to run):
 
@@ -43,10 +41,10 @@ In all these examples, `ReleaseFast` can be replaced with `ReleaseSmall` to favo
 
 Dependencies:
 
-* [libsodium](https://libsodium.org/) (*required*)
-* cmake
-* pkg-config
-* gcc or clang
+- [libsodium](https://libsodium.org/) (_required_)
+- cmake
+- pkg-config
+- gcc or clang
 
 Compilation:
 
@@ -64,6 +62,8 @@ or:
 
     $ cmake -D BUILD_STATIC_EXECUTABLES=1 ..
 
+## Pre-built packages
+
 Minisign is also available in Homebrew:
 
     $ brew install minisign
@@ -96,39 +96,37 @@ OQTDtJeciX9LF9hEbs1J1fzZHRdRhV4OTqcq0jTW9PXnrSSZlk1fbkE/5w==
 -----END PUBLIC KEY-----
 ```
 
-Additional tools, libraries and implementations
------------------------------------------------
+## Additional tools, libraries and implementations
 
-* [minizign](https://github.com/jedisct1/zig-minisign) is a compact
-implementation in Zig, that can also use ssh-encoded keys.
-* [minisign-misc](https://github.com/JayBrown/minisign-misc) is a very
-nice set of workflows and scripts for macOS to verify and sign files
-with minisign.
-* [go-minisign](https://github.com/jedisct1/go-minisign) is a small module
-in Go to verify Minisign signatures.
-* [rust-minisign](https://github.com/jedisct1/rust-minisign) is a Minisign
-library written in pure Rust, that can be embedded in other applications.
-* [rsign2](https://github.com/jedisct1/rsign2) is a reimplementation of
-the command-line tool in Rust.
-* [minisign (go)](https://github.com/aead/minisign) is a rewrite of Minisign
-in the Go language. It reimplements the CLI but can also be used as a library.
-* [minisign-verify](https://github.com/jedisct1/rust-minisign-verify) is
-a small Rust crate to verify Minisign signatures.
-* [minisign-net](https://github.com/bitbeans/minisign-net) is a .NET library
-to handle and create Minisign signatures.
-* [minisign](https://github.com/chm-diederichs/minisign) a Javascript
-implementation.
-* WebAssembly implementations of [rsign2](https://wapm.io/package/jedisct1/rsign2)
-and [minisign-cli](https://wapm.io/package/jedisct1/minisign) are available on
-WAPM.
-* [minisign-php](https://github.com/soatok/minisign-php) is a PHP implementation.
-* [py-minisign](https://github.com/x13a/py-minisign) is a Python
-implementation.
-* [minisign](https://hexdocs.pm/minisign/Minisign.html) is an Elixir implementation
+- [minizign](https://github.com/jedisct1/zig-minisign) is a compact
+  implementation in Zig, that can also use ssh-encoded keys.
+- [minisign-misc](https://github.com/JayBrown/minisign-misc) is a very
+  nice set of workflows and scripts for macOS to verify and sign files
+  with minisign.
+- [go-minisign](https://github.com/jedisct1/go-minisign) is a small module
+  in Go to verify Minisign signatures.
+- [rust-minisign](https://github.com/jedisct1/rust-minisign) is a Minisign
+  library written in pure Rust, that can be embedded in other applications.
+- [rsign2](https://github.com/jedisct1/rsign2) is a reimplementation of
+  the command-line tool in Rust.
+- [minisign (go)](https://github.com/aead/minisign) is a rewrite of Minisign
+  in the Go language. It reimplements the CLI but can also be used as a library.
+- [minisign-verify](https://github.com/jedisct1/rust-minisign-verify) is
+  a small Rust crate to verify Minisign signatures.
+- [minisign-net](https://github.com/bitbeans/minisign-net) is a .NET library
+  to handle and create Minisign signatures.
+- [minisign](https://github.com/chm-diederichs/minisign) a Javascript
+  implementation.
+- WebAssembly implementations of [rsign2](https://wapm.io/package/jedisct1/rsign2)
+  and [minisign-cli](https://wapm.io/package/jedisct1/minisign) are available on
+  WAPM.
+- [minisign-php](https://github.com/soatok/minisign-php) is a PHP implementation.
+- [py-minisign](https://github.com/x13a/py-minisign) is a Python
+  implementation.
+- [minisign](https://hexdocs.pm/minisign/Minisign.html) is an Elixir implementation
   (verification only)
 
-Signature determinism
----------------------
+## Signature determinism
 
 This implementation uses deterministic signatures, unless libsodium
 was compiled with the `ED25519_NONDETERMINISTIC` macro defined. This

build.zig

@@ -1,3 +1,4 @@
+const builtin = @import("builtin");
 const std = @import("std");
 
 pub fn build(b: *std.Build) !void {
@@ -13,34 +14,64 @@ pub fn build(b: *std.Build) !void {
         .optimize = optimize,
         .strip = true,
     });
+
+    if (builtin.zig_version.major == 0 and builtin.zig_version.minor < 14) {
+        @compileError("Building requires Zig 0.14.0 or later");
+    }
+
+    // fix Mach-O relocation
+    minisign.headerpad_max_install_names = true;
+
     minisign.linkLibC();
     if (use_libzodium) {
-        const libzodium_mod = b.createModule(.{
-            .root_source_file = b.path("src/libzodium.zig"),
-            .target = target,
-            .optimize = optimize,
-        });
-        const libzodium = b.addStaticLibrary(.{
-            .name = "zodium",
-            .root_module = libzodium_mod,
-            .strip = true,
-        });
+        var libzodium = lib: {
+            const libzodium_mod = b.createModule(.{
+                .root_source_file = b.path("src/libzodium/libzodium.zig"),
+                .target = target,
+                .optimize = optimize,
+            });
+            break :lib b.addStaticLibrary(.{
+                .name = "zodium",
+                .root_module = libzodium_mod,
+                .strip = true,
+            });
+        };
         libzodium.linkLibC();
         b.installArtifact(libzodium);
         minisign.root_module.addCMacro("LIBZODIUM", "1");
         minisign.linkLibrary(libzodium);
     } else {
+        var override_pkgconfig = false;
+        if (std.posix.getenv("LIBSODIUM_INCLUDE_PATH")) |path| {
+            minisign.addSystemIncludePath(.{ .cwd_relative = path });
+            override_pkgconfig = true;
+        }
+        if (std.posix.getenv("LIBSODIUM_LIB_PATH")) |path| {
+            minisign.addLibraryPath(.{ .cwd_relative = path });
+            override_pkgconfig = true;
+        }
+
+        for ([_][]const u8{ "/opt/homebrew/include", "/home/linuxbrew/.linuxbrew/include", "/usr/local/include" }) |path| {
+            std.fs.accessAbsolute(path, .{}) catch continue;
+            minisign.addSystemIncludePath(.{ .cwd_relative = path });
+        }
+        for ([_][]const u8{ "/opt/homebrew/lib", "/home/linuxbrew/.linuxbrew/lib", "/usr/local/lib" }) |path| {
+            std.fs.accessAbsolute(path, .{}) catch continue;
+            minisign.addLibraryPath(.{ .cwd_relative = path });
+        }
+        if (!use_static_linking) {
+            minisign.headerpad_max_install_names = true; // required to compile using Homebrew, see https://github.com/jedisct1/minisign/pull/155
+        }
         minisign.root_module.linkSystemLibrary(
             "sodium",
             .{
-                .use_pkg_config = .yes,
+                .use_pkg_config = if (override_pkgconfig) .no else .yes,
                 .preferred_link_mode = if (use_static_linking) .static else .dynamic,
             },
         );
     }
     minisign.addIncludePath(b.path("src"));
-    minisign.addSystemIncludePath(.{ .cwd_relative = "/opt/homebrew/include" });
-    minisign.addSystemIncludePath(.{ .cwd_relative = "/usr/local/include" });
+
     minisign.root_module.addCMacro("_GNU_SOURCE", "1");
     const source_files = &.{ "src/base64.c", "src/get_line.c", "src/helpers.c", "src/minisign.c" };
     minisign.addCSourceFiles(.{ .files = source_files });

build.zig.zon

@@ -1,6 +1,7 @@
 .{
-    .name = "minisign",
+    .name = .minisign,
     .version = "0.12.0",
+    .fingerprint = 0x280456c1fd373c55,
     .paths = .{
         "LICEMSE",
         "README.md",

share/man/man1/minisign.1

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "MINISIGN" "1" "January 2023" "" ""
+.TH "MINISIGN" "1" "March 2025" "" ""
 .
 .SH "NAME"
 \fBminisign\fR \- A dead simple tool to sign files and verify signatures\.
@@ -152,14 +152,17 @@ This requires the signature \fBmyfile\.txt\.minisig\fR to be present in the same
 .P
 The public key can either reside in a file (\fB\./minisign\.pub\fR by default) or be directly specified on the command line\.
 .
-.SH "Notes"
-Signature files include an untrusted comment line that can be freely modified, even after signature creation\.
+.SH "NOTES"
+Signature files include an untrusted comment line that can be freely modified even after the signature is created\.
 .
 .P
-They also include a second comment line, that cannot be modified without the secret key\.
+They also include a second comment line that cannot be modified without the secret key\.
 .
 .P
-Trusted comments can be used to add instructions or application\-specific metadata (intended file name, timestamps, resource identifiers, version numbers to prevent downgrade attacks)\.
+Trusted comments can be used to add instructions or application\-specific metadata such as the intended file name, timestamps, resource identifiers, or version numbers to prevent downgrade attacks\.
+.
+.P
+OpenBSD\'s \fBsignify(1)\fR is conceptually similar to Minisign\. Minisign creates signatures that can be verified by \fBsignify\fR; however, signatures created by \fBsignify\fR cannot be verified with Minisign because Minisign expects a trusted comment section to be present\. Trusted comments are crucial for describing what has been signed, in addition to merely confirming that a signature exists\.
 .
 .SH "AUTHOR"
 Frank Denis (github [at] pureftpd [dot] org)

src/helpers.c

@@ -15,7 +15,7 @@
 #include <string.h>
 
 #ifdef LIBZODIUM
-#    include "zodium.h"
+#    include "libzodium/sodium.h"
 #else
 #    include <sodium.h>
 #endif

src/libzodium/libzodium.zig

@@ -34,8 +34,8 @@ export fn crypto_pwhash_scryptsalsa208sha256(
 ) callconv(.C) c_int {
     crypto.pwhash.scrypt.kdf(
         std.heap.c_allocator,
-        out[0..outlen],
-        passwd[0..passwdlen],
+        out[0..@intCast(outlen)],
+        passwd[0..@intCast(passwdlen)],
         salt[0..32],
         crypto.pwhash.scrypt.Params.fromLimits(opslimit, memlimit),
     ) catch return -1;
@@ -59,7 +59,7 @@ export fn crypto_generichash_update(
     in: [*c]const u8,
     inlen: c_ulonglong,
 ) c_int {
-    state.*.update(in[0..inlen]);
+    state.*.update(in[0..@intCast(inlen)]);
     return 0;
 }
 
@@ -75,7 +75,7 @@ export fn crypto_generichash_final(
 }
 
 export fn crypto_sign_keypair(pk: [*c]u8, sk: [*c]u8) callconv(.C) c_int {
-    const kp = Ed25519.KeyPair.generate();
+    const kp = if (std.meta.hasFn(Ed25519.KeyPair, "generate")) Ed25519.KeyPair.generate() else (Ed25519.KeyPair.create(null) catch return -1);
     pk[0..32].* = kp.public_key.toBytes();
     sk[0..64].* = kp.secret_key.toBytes();
     return 0;
@@ -92,7 +92,7 @@ export fn crypto_sign_detached(
     const kp = Ed25519.KeyPair.fromSecretKey(sk) catch return -1;
     var noise: [Ed25519.noise_length]u8 = undefined;
     crypto.random.bytes(&noise);
-    const s = kp.sign(m[0..mlen], noise) catch return -1;
+    const s = kp.sign(m[0..@intCast(mlen)], noise) catch return -1;
     sig_bytes[0..64].* = s.toBytes();
     return 0;
 }
@@ -105,7 +105,7 @@ export fn crypto_sign_verify_detached(
 ) callconv(.C) c_int {
     const pk = Ed25519.PublicKey.fromBytes(pk_bytes[0..32].*) catch return -1;
     const sig = Ed25519.Signature.fromBytes(sig_bytes[0..64].*);
-    sig.verify(m[0..mlen], pk) catch return 1;
+    sig.verify(m[0..@intCast(mlen)], pk) catch return 1;
     return 0;
 }
 

src/manpage.md

@@ -1,8 +1,8 @@
 <!---
 This man page can be generated using ronn - https://rtomayko.github.io/ronn/
 -->
-minisign(1) -- A dead simple tool to sign files and verify signatures.
-======================================================================
+
+# minisign(1) -- A dead simple tool to sign files and verify signatures.
 
 ## SYNOPSIS
 
@@ -26,47 +26,46 @@ It is portable, lightweight, and uses the highly secure [Ed25519](http://ed25519
 
 These options control the actions of `minisign`.
 
-  * `-G`:
-    Generate a new key pair
-  * `-C`:
-    Change/remove the password of a secret key
-  * `-R`:
-    Recreate a public key file from a secret key file
-  * `-S`:
-    Sign files
-  * `-V`:
-    Verify that a signature is valid for a given file
-  * `-H`:
-    Requires the input to be prehashed
-  * `-l`:
-    Sign using the legacy format
-  * `-m <file>`:
-    File to sign/verify
-  * `-o`:
-    Combined with -V, output the file content after verification
-  * `-p <pubkey_file>`:
-    Public key file (default: ./minisign.pub)
-  * `-P <pubkey>`:
-    Public key, as a base64 string
-  * `-s <seckey_file>`:
-    Secret key file (default: ~/.minisign/minisign.key)
-  * `-W`:
-    Do not encrypt/decrypt the secret key with a password
-  * `-x <sig_file>`:
-    Signature file (default: &lt;file&gt;.minisig)
-  * `-c <comment>`:
-    Add a one-line untrusted comment
-  * `-t <comment>`:
-    Add a one-line trusted comment
-  * `-q`:
-    Quiet mode, suppress output
-  * `-Q`:
-    Pretty quiet mode, only print the trusted comment
-  * `-f`:
-    Force. Combined with -G, overwrite a previous key pair
-  * `-v`:
-    Display version number
-
+- `-G`:
+  Generate a new key pair
+- `-C`:
+  Change/remove the password of a secret key
+- `-R`:
+  Recreate a public key file from a secret key file
+- `-S`:
+  Sign files
+- `-V`:
+  Verify that a signature is valid for a given file
+- `-H`:
+  Requires the input to be prehashed
+- `-l`:
+  Sign using the legacy format
+- `-m <file>`:
+  File to sign/verify
+- `-o`:
+  Combined with -V, output the file content after verification
+- `-p <pubkey_file>`:
+  Public key file (default: ./minisign.pub)
+- `-P <pubkey>`:
+  Public key, as a base64 string
+- `-s <seckey_file>`:
+  Secret key file (default: ~/.minisign/minisign.key)
+- `-W`:
+  Do not encrypt/decrypt the secret key with a password
+- `-x <sig_file>`:
+  Signature file (default: &lt;file&gt;.minisig)
+- `-c <comment>`:
+  Add a one-line untrusted comment
+- `-t <comment>`:
+  Add a one-line trusted comment
+- `-q`:
+  Quiet mode, suppress output
+- `-Q`:
+  Pretty quiet mode, only print the trusted comment
+- `-f`:
+  Force. Combined with -G, overwrite a previous key pair
+- `-v`:
+  Display version number
 
 ## EXAMPLES
 
@@ -79,7 +78,7 @@ The public key is printed and put into the `minisign.pub` file. The secret key i
 Signing files
 
 $ `minisign` -Sm myfile.txt
-$ `minisign` -Sm myfile.txt myfile2.txt *.c
+$ `minisign` -Sm myfile.txt myfile2.txt \*.c
 
 Or to include a comment in the signature, that will be verified and displayed when verifying the file:
 
@@ -89,7 +88,7 @@ The secret key is loaded from `${MINISIGN_CONFIG_DIR}/minisign.key`, `~/.minisig
 
 Verifying a file
 
-$ `minisign` -Vm myfile.txt -P  &lt;pubkey&gt;
+$ `minisign` -Vm myfile.txt -P &lt;pubkey&gt;
 
 or
 
@@ -99,13 +98,15 @@ This requires the signature `myfile.txt.minisig` to be present in the same direc
 
 The public key can either reside in a file (`./minisign.pub` by default) or be directly specified on the command line.
 
-## Notes
+## NOTES
 
-Signature files include an untrusted comment line that can be freely modified, even after signature creation.
+Signature files include an untrusted comment line that can be freely modified even after the signature is created.
 
-They also include a second comment line, that cannot be modified without the secret key.
+They also include a second comment line that cannot be modified without the secret key.
 
-Trusted comments can be used to add instructions or application-specific metadata (intended file name, timestamps, resource identifiers, version numbers to prevent downgrade attacks).
+Trusted comments can be used to add instructions or application-specific metadata such as the intended file name, timestamps, resource identifiers, or version numbers to prevent downgrade attacks.
+
+OpenBSD's `signify(1)` is conceptually similar to Minisign. Minisign creates signatures that can be verified by `signify`; however, signatures created by `signify` cannot be verified with Minisign because Minisign expects a trusted comment section to be present. Trusted comments are crucial for describing what has been signed, in addition to merely confirming that a signature exists.
 
 ## AUTHOR
 

src/minisign.c

@@ -11,7 +11,7 @@
 #include <unistd.h>
 
 #ifdef LIBZODIUM
-#    include "zodium.h"
+#    include "libzodium/sodium.h"
 #else
 #    include <sodium.h>
 #endif