minisign
Sign and verify files with Ed25519 keys
TLDR
Generate a new keypair at the default location
Sign a file
Sign a file, adding a trusted (signed) and an untrusted (unsigned) comment in the signature
Verify a file and the trusted comments in its signature using the specified public key file
Verify a file and the trusted comments in its signature, specifying a public key as a Base64 encoded literal
SYNOPSIS
minisign -G [-p password_file] [-s seed_file] [-x]
minisign -S -s secret_key_file [-p password_file] [-l] -m file_to_sign
minisign -V {-P public_key_file | -p public_key_id} -m file_to_verify [-x]
minisign -W
PARAMETERS
-G
Generate a new minisign key pair (public and secret keys).
-S
Sign the specified input file file_to_sign.
-V
Verify the signature of the specified input file file_to_verify.
-P public_key_file
Specify the public key file to use for verification. This option is mutually exclusive with -p public_key_id.
-p password_file
Provide the password for the secret key from a file, or for public key lookup using a public key ID.
-p public_key_id
Specify a public key ID for verification. minisign will look for the corresponding public key in its system-wide key location (e.g., /etc/minisign/minisign.pub). This option is mutually exclusive with -P public_key_file.
-s secret_key_file
Specify the path to the secret (private) key file required for signing operations.
-m file
Specify the file to be signed or verified.
-l
(Sign only) Create a detached signature file (e.g., filename.minisig) instead of appending it to the original file.
-x
Allow external prehashes for verification. This option is typically used for compatibility with signatures created by other tools or when minisign does not directly support the hash function used.
-W
Generate a random password, suitable for use when generating a new key pair.
DESCRIPTION
minisign is a simple, lightweight, and secure command-line tool for cryptographically signing files and verifying their integrity. It uses a public-key cryptography system, relying on a private key to generate a digital signature for a file, and a corresponding public key to verify that signature. This process ensures both the authenticity of the file's origin and that its contents have not been altered since it was signed. Designed with a focus on simplicity, robustness, and a minimal attack surface, minisign is often preferred for tasks such as secure software distribution, package integrity checks, and ensuring the trustworthiness of data exchanged over untrusted channels, offering a more streamlined alternative to more complex tools like GnuPG for specific use cases. It typically generates a .minisig file containing the signature.
CAVEATS
minisign's security relies heavily on the secrecy of the private key and the authenticated distribution of public keys.
While designed for simplicity, it's not a general-purpose encryption tool like GnuPG.
It primarily focuses on file integrity and authenticity, not confidentiality.
The system-wide minisign.pub location used for public key lookup is shared by all users and requires careful management to prevent spoofing.
KEY MANAGEMENT AND DISTRIBUTION
The public key (minisign.pub) needs to be securely distributed to those who will verify signatures. For automated systems, public keys are often placed in a designated system-wide directory, typically /etc/minisign/minisign.pub, where minisign can automatically look them up by ID. For general users, providing the public key file via -P is a common practice.
SIGNATURE FILE FORMAT
When signing a file without the -l (detached) option, minisign appends the signature directly to the original file. With -l, it creates a separate file named original_filename.minisig. This signature file contains the public key identifier, a timestamp, and the actual cryptographic signature.
HISTORY
minisign was developed by Frank Denis as a lightweight, secure, and auditable tool for digital signatures. Its design emphasizes simplicity and a minimal codebase, aiming to avoid the complexity and potential attack surface associated with larger cryptographic suites like GnuPG, particularly for tasks focused purely on software distribution and integrity verification.