Minisign

Minisign is a dead simple tool to sign files and verify signatures.

It is portable, lightweight, and uses the highly secure Ed25519 public-key signature system.

Creating a key pair

$ minisign -G

The public key is printed and put into the minisign.pub file. The secret key is encrypted and saved as a file named ~/.minisign/minisign.key.

Signing a file

$ minisign -Sm myfile.txt

Or to include a comment in the signature, that will be verified and displayed when verifying the file:

$ minisign -Sm myfile.txt -t 'This comment will be signed as well'

The signature is put into myfile.txt.minisig.

Starting with version 0.8, multiple files can also be signed at once:

$ minisign -Sm file1.txt file2.txt *.jpg

Verifying a file

$ minisign -Vm myfile.txt -P RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3

or

$ minisign -Vm myfile.txt -p signature.pub

This requires the signature myfile.txt.minisig to be present in the same directory.

The public key can either reside in a file (./minisign.pub by default) or be directly specified on the command line.

Usage


Usage:
minisign -G [-f] [-p pubkey_file] [-s seckey_file] [-W]
minisign -R [-s seckey_file] [-p pubkey_file]
minisign -C [-s seckey_file] [-W]
minisign -S [-l] [-x sig_file] [-s seckey_file] [-c untrusted_comment] [-t trusted_comment] -m file [file ...]
minisign -V [-H] [-x sig_file] [-p pubkey_file | -P pubkey] [-o] [-q] -m file

-G generate a new key pair
-R recreate a public key file from a secret key file
-C change/remove the password of the secret key
-S sign files
-V verify that a signature is valid for a given file
-H require input to be prehashed
-l sign using the legacy format
-m <file> file to sign/verify
-o combined with -V, output the file content after verification
-p <pubkey_file> public key file (default: ./minisign.pub)
-P <pubkey> public key, as a base64 string
-s <seckey_file> secret key file (default: ~/.minisign/minisign.key)
-W do not encrypt/decrypt the secret key with a password
-x <sigfile> signature file (default: <file>.minisig)
-c <comment> add a one-line untrusted comment
-t <comment> add a one-line trusted comment
-q quiet mode, suppress output
-Q pretty quiet mode, only print the trusted comment
-f force. Combined with -G, overwrite a previous key pair
-v display version number

Trusted comments

Signature files include an untrusted comment line that can be freely modified, even after signature creation.

They also include a second comment line, that cannot be modified without the secret key.

Trusted comments can be used to add instructions or application-specific metadata (intended file name, timestamps, resource identifiers, version numbers to prevent downgrade attacks).

Compilation / installation

Using Zig

Dependencies:

Compilation:

$ zig build -Drelease-small

Using Cmake

Dependencies

Compilation:

$ mkdir build
$ cd build
$ cmake ..
$ make
# make install

Pre-hashing

By default, files are signed and verified with very low memory requirements, by pre-hashing the content.

Signatures that are not pre-hashed can be rejected with the -H switch. Support for these legacy signatures will eventually be removed.

Signature format

untrusted comment: <arbitrary text>
base64(<signature_algorithm> || <key_id> || <signature>)
trusted_comment: <arbitrary text>
base64(<global_signature>)

New implementations must use the hashed signature format; support for the legacy one is optional and should not be done by default.

Public key format

untrusted comment: <arbitrary text>
base64(<signature_algorithm> || <key_id> || <public_key>)

Secret key format

untrusted comment: <arbitrary text>
base64(<signature_algorithm> || <kdf_algorithm> || <cksum_algorithm> ||
       <kdf_salt> || <kdf_opslimit> || <kdf_memlimit> || <keynum_sk>)

Encryption

Looking for an equally simple tool for file and stream encryption? Check out Encpipe and Age.