.\" generated with Ronn/v0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3 . .TH "MINISIGN" "1" "May 2020" "" "" . .SH "NAME" \fBminisign\fR \- A dead simple tool to sign files and verify signatures\. . .SH "SYNOPSIS" \fBminisign\fR \-G [\-p pubkey] [\-s seckey] . .P \fBminisign\fR \-S [\-H] [\-x sigfile] [\-s seckey] [\-c untrusted_comment] [\-t trusted_comment] \-m file [file \.\.\.] . .P \fBminisign\fR \-V [\-x sigfile] [\-p pubkeyfile | \-P pubkey] [\-o] [\-q] \-m file . .P \fBminisign\fR \-R \-s seckey \-p pubkeyfile . .SH "DESCRIPTION" \fBMinisign\fR is a dead simple tool to sign files and verify signatures\. . .P It is portable, lightweight, and uses the highly secure Ed25519 \fIhttp://ed25519\.cr\.yp\.to/\fR public\-key signature system\. . .SH "OPTIONS" These options control the actions of \fBminisign\fR\. . .TP \fB\-G\fR Generate a new key pair . .TP \fB\-S\fR Sign files . .TP \fB\-V\fR Verify that a signature is valid for a given file . .TP \fB\-m \fR File to sign/verify . .TP \fB\-o\fR Combined with \-V, output the file content after verification . .TP \fB\-H\fR Combined with \-S, pre\-hash in order to sign large files . .TP \fB\-p \fR Public key file (default: \./minisign\.pub) . .TP \fB\-P \fR Public key, as a base64 string . .TP \fB\-s \fR Secret key file (default: ~/\.minisign/minisign\.key) . .TP \fB\-x \fR Signature file (default: \.minisig) . .TP \fB\-c \fR Add a one\-line untrusted comment . .TP \fB\-t \fR Add a one\-line trusted comment . .TP \fB\-q\fR Quiet mode, suppress output . .TP \fB\-Q\fR Pretty quiet mode, only print the trusted comment . .TP \fB\-R\fR Recreate a public key file from a secret key file . .TP \fB\-f\fR Force\. Combined with \-G, overwrite a previous key pair . .TP \fB\-v\fR Display version number . .SH "EXAMPLES" Creating a key pair . .P \fBminisign\fR \-G . .P The public key is printed and put into the \fBminisign\.pub\fR file\. The secret key is encrypted and saved as a file named \fB~/\.minisign/minisign\.key\fR\. . .P Signing files . .P $ \fBminisign\fR \-Sm myfile\.txt $ \fBminisign\fR \-Sm myfile\.txt myfile2\.txt *\.c . .P Or to include a comment in the signature, that will be verified and displayed when verifying the file: . .P $ \fBminisign\fR \-Sm myfile\.txt \-t \'This comment will be signed as well\' . .P The secret key is loaded from \fB${MINISIGN_CONFIG_DIR}/minisign\.key\fR, \fB~/\.minisign/minisign\.key\fR, or its path can be explicitly set with the \fB\-s \fR command\-line switch\. . .P Verifying a file . .P $ \fBminisign\fR \-Vm myfile\.txt \-p . .P or . .P $ \fBminisign\fR \-Vm myfile\.txt \-p signature\.pub . .P This requires the signature \fBmyfile\.txt\.minisig\fR to be present in the same directory\. . .P The public key can either reside in a file (\fB\./minisign\.pub\fR by default) or be directly specified on the command line\. . .SH "Notes" \fBTrusted comments\fR . .P Signature files include an untrusted comment line that can be freely modified, even after signature creation\. . .P They also include a second comment line, that cannot be modified without the secret key\. . .P Trusted comments can be used to add instructions or application\-specific metadata (intended file name, timestamps, resource identifiers, version numbers to prevent downgrade attacks)\. . .P \fBCompatibility with OpenBSD signify\fR . .P Signatures written by \fBminisign\fR can be verified using OpenBSD\'s \fBsignify\fR tool: public key files and signature files are compatible\. . .P However, \fBminisign\fR uses a slightly different format to store secret keys\. . .P \fBMinisign\fR signatures include trusted comments in addition to untrusted comments\. Trusted comments are signed, thus verified, before being displayed\. . .P This adds two lines to the signature files, that signify silently ignores\. . .P \fBPre\-hashing\fR . .P By default, signing and verification require as much memory as the size of the file\. . .P Since \fBMinisign 0\.6\fR, huge files can be signed and verified with very low memory requirements, by pre\-hashing the content\. . .P The \-H command\-line switch, in combination with \-S, generates a pre\-hashed signature (HashEdDSA): . .P $ \fBminisign\fR \-SHm myfile\.txt . .P Verification of such a signature doesn\'t require any specific switch: the appropriate algorithm will automatically be detected\. . .P Signatures generated that way are not compatible with OpenBSD\'s \fBsignify\fR tool and are not compatible with \fBMinisign\fR versions prior to 0\.6\. . .SH "AUTHOR" Frank Denis (github [at] pureftpd [dot] org)