LinuxCommandLibrary

minisign

Sign and verify files with Ed25519 keys

TLDR

Generate a new keypair at the default location

$ minisign -G

Sign a file
$ minisign -Sm [path/to/file]

Sign a file, adding a trusted (signed) and an untrusted (unsigned) comment in the signature
$ minisign -Sm [path/to/file] -c "[Untrusted comment]" -t "[Trusted comment]"

Verify a file and the trusted comments in its signature using the specified public key file
$ minisign -Vm [path/to/file] -p [path/to/publickey.pub]

Verify a file and the trusted comments in its signature, specifying a public key as a Base64 encoded literal
$ minisign -Vm [path/to/file] -P "[public_key_base64]"

SYNOPSIS

minisign -G [-s secret key] [-p] [-n]
minisign -S [-s secret key] [-m message file] [-c comment] [-t timestamp] [-x]
minisign -V [-P public key] [-m message file] [-s signature file] [-x]

PARAMETERS

-G
    Generates a new keypair (public and secret key).

-S
    Signs a file.

-V
    Verifies a signature.

-s secret key
    Specifies the secret key file. Defaults to ~/.minisign/minisign.key

-P public key
    Specifies the public key file. Defaults to ~/.minisign/minisign.pub

-m message file
    Specifies the file to sign or verify. If omitted, read from standard input.

-x
    Embed the signature in the message file, creating a .minisig file.

-c comment
    Adds a comment to the signature.

-t timestamp
    Adds a timestamp to the signature.

-n
    Do not ask for confirmation before overwriting the key file when generating a new keypair.

-p
    Prints the public key when generating a new keypair.

DESCRIPTION

minisign is a lightweight command-line tool for signing files and verifying signatures. It is designed to be easy to use and secure, providing a modern alternative to older signing tools like GPG.
minisign uses Ed25519 keys for signing, which offer excellent performance and security. It emphasizes simplicity by using a single type of signature and a streamlined workflow.
It allows you to create signatures that others can verify to ensure the integrity and authenticity of your files. Verification is done using the public key, and can be made even more secure by including a trusted comment in the signature, or a global trusted comment, to guard against replay attacks.
minisign is often used in software distribution, package management, and other scenarios where it's important to ensure that files haven't been tampered with.

CAVEATS

The security of minisign depends on the secrecy of your private key. Keep it safe and protected. Always verify the key fingerprint when receiving a public key from someone else.

KEY GENERATION

When generating keys, minisign creates both a public and a secret key. The public key is used for verification, while the secret key is used for signing. The keys are typically stored in the ~/.minisign/ directory.

TRUSTED COMMENTS

Trusted comments are a security feature that can be embedded in the signature. When verifying, minisign checks that the trusted comment matches the expected value, providing an additional layer of security against replay attacks.
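An added example in Go, not minisign's own code, showing how a trusted comment is bound to a signature: a global signature covers the file signature together with the comment, so a verifier that checks both rejects a comment that was altered after signing. The Signature type, the function names and the sample message and comments are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed example: models the binding between a file signature and its
// trusted comment. Field and function names are illustrative, not minisign's.
type Signature struct {
	Sig            []byte // Ed25519 signature over the message
	TrustedComment string // verified text, e.g. a timestamp and file name
	GlobalSig      []byte // Ed25519 signature over Sig || TrustedComment
}

// Sign produces the file signature and the global signature that covers the
// trusted comment, so the comment cannot be changed without the secret key.
func Sign(priv ed25519.PrivateKey, msg []byte, trusted string) Signature {
	sig := ed25519.Sign(priv, msg)
	global := ed25519.Sign(priv, append(append([]byte{}, sig...), trusted...))
	return Signature{Sig: sig, TrustedComment: trusted, GlobalSig: global}
}

// Verify checks the file signature, then the global signature that binds the
// trusted comment, then (if expected is non-empty) that the comment matches.
func Verify(pub ed25519.PublicKey, msg []byte, s Signature, expected string) error {
	if !ed25519.Verify(pub, msg, s.Sig) {
		return errors.New("file signature invalid")
	}
	bound := append(append([]byte{}, s.Sig...), s.TrustedComment...)
	if !ed25519.Verify(pub, bound, s.GlobalSig) {
		return errors.New("trusted comment signature invalid")
	}
	if expected != "" && s.TrustedComment != expected {
		return errors.New("trusted comment mismatch: " + s.TrustedComment)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	msg := []byte("constructed file contents") // sample input, not a real release
	s := Sign(priv, msg, "timestamp:1700000000\tfile:release-1.2.0.tar.gz")
	fmt.Println("valid:", Verify(pub, msg, s, s.TrustedComment))
	// Replay check: relabel the same signature for another file name. The file
	// signature still verifies, but the global signature over the comment fails.
	relabeled := s
	relabeled.TrustedComment = "timestamp:1700000000\tfile:release-1.3.0.tar.gz"
	fmt.Println("relabeled:", Verify(pub, msg, relabeled, ""))
}
```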

RETURN CODES

minisign returns 0 on success and a non-zero value on failure. When verifying a file, a non-zero value is also returned when the signature itself verifies but the file is not from a trusted source.

HISTORY

minisign was developed as a simpler, more secure alternative to traditional signing tools. It gained popularity for its ease of use and strong cryptographic properties. The development focused on providing a modern, reliable, and user-friendly signing solution. Initial releases focused on core signing and verification functionality, with later versions adding features like trusted comments.

SEE ALSO

gpg(1), signify(1)
