minisign
Sign and verify files with Ed25519 keys
TLDR
Generate a new keypair at the default location
Sign a file
Sign a file, adding a trusted (signed) and an untrusted (unsigned) comment in the signature
Verify a file and the trusted comments in its signature using the specified public key file
Verify a file and the trusted comments in its signature, specifying a public key as a Base64 encoded literal
SYNOPSIS
minisign -G [-s secret key] [-p] [-n]
minisign -S [-s secret key] [-m message file] [-c comment] [-t timestamp] [-x]
minisign -V [-P public key] [-m message file] [-s signature file] [-x]
PARAMETERS
-G
Generates a new keypair (public and secret key).
-S
Signs a file.
-V
Verifies a signature.
-s secret key
Specifies the secret key file. Defaults to ~/.minisign/minisign.key
-P public key
Specifies the public key file. Defaults to ~/.minisign/minisign.pub
-m message file
Specifies the file to sign or verify. If omitted, read from standard input.
-x
Embed the signature in the message file, creating a .minisig file.
-c comment
Adds a comment to the signature.
-t timestamp
Adds a timestamp to the signature.
-n
Do not ask for confirmation before overwriting the key file when generating a new keypair.
-p
Prints the public key when generating a new keypair.
DESCRIPTION
minisign is a lightweight command-line tool for signing files and verifying signatures. It is designed to be easy to use and secure, providing a modern alternative to older signing tools like GPG.
minisign uses Ed25519 keys for signing, which offer excellent performance and security. It emphasizes simplicity by using a single type of signature and a streamlined workflow.
It allows you to create signatures that others can verify to ensure the integrity and authenticity of your files. Verification is done using the public key, and can be made even more secure by using a trusted comment in the signature or a global trusted comment against replay attacks.
minisign is often used in software distribution, package management, and other scenarios where it's important to ensure that files haven't been tampered with.
CAVEATS
The security of minisign depends on the secrecy of your private key. Keep it safe and protected. Always verify the key fingerprint when receiving a public key from someone else.
KEY GENERATION
When generating keys, minisign creates both a public and a secret key. The public key is used for verification, while the secret key is used for signing. The keys are typically stored in the ~/.minisign/ directory.
TRUSTED COMMENTS
Trusted comments are a security feature that can be embedded in the signature. When verifying, minisign checks that the trusted comment matches the expected value, providing an additional layer of security against replay attacks.
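The following Python example is added here and is not from the original page or the minisign project. It parses the four-line signature file and shows which parts are authenticated: the untrusted comment is covered by no signature, while the global signature covers the file signature followed by the trusted comment. It performs no Ed25519 verification; the names MiniSig, parse_minisig, public_key_id and build_sample are hypothetical, and the sample is constructed from dummy bytes that will not verify.

```python
import base64
from dataclasses import dataclass

UNTRUSTED = "untrusted comment: "
TRUSTED = "trusted comment: "

@dataclass
class MiniSig:
    untrusted_comment: str   # NOT covered by any signature
    algorithm: bytes         # b"Ed" (legacy) or b"ED" (BLAKE2b-prehashed)
    key_id: bytes            # 8 bytes, a hint for selecting the public key
    signature: bytes         # 64-byte Ed25519 signature over the file (or its hash)
    trusted_comment: str     # covered by global_signature
    global_signature: bytes  # 64-byte Ed25519 signature

    def global_signed_data(self) -> bytes:
        """Bytes the global signature authenticates: signature || trusted comment."""
        return self.signature + self.trusted_comment.encode()

def parse_minisig(text: str) -> MiniSig:
    lines = text.splitlines()
    if (len(lines) < 4 or not lines[0].startswith(UNTRUSTED)
            or not lines[2].startswith(TRUSTED)):
        raise ValueError("not a minisign signature")
    blob = base64.b64decode(lines[1], validate=True)
    gsig = base64.b64decode(lines[3], validate=True)
    if len(blob) != 74 or len(gsig) != 64:
        raise ValueError("unexpected signature length")
    if blob[:2] not in (b"Ed", b"ED"):
        raise ValueError("unknown signature algorithm")
    return MiniSig(lines[0][len(UNTRUSTED):], blob[:2], blob[2:10], blob[10:],
                   lines[2][len(TRUSTED):], gsig)

def public_key_id(pubkey_b64: str) -> bytes:
    raw = base64.b64decode(pubkey_b64, validate=True)  # "Ed" || key id || 32-byte key
    if len(raw) != 42 or raw[:2] != b"Ed":
        raise ValueError("not a minisign public key")
    return raw[2:10]

def build_sample(untrusted: str, trusted: str):
    """Constructed sample with dummy bytes (not a valid signature)."""
    key_id = bytes(range(8))
    sig = base64.b64encode(b"ED" + key_id + b"\x01" * 64).decode()
    gsig = base64.b64encode(b"\x02" * 64).decode()
    pub = base64.b64encode(b"Ed" + key_id + b"\x03" * 32).decode()
    return f"{UNTRUSTED}{untrusted}\n{sig}\n{TRUSTED}{trusted}\n{gsig}\n", pub
```

Comparing the key ID against the public key only catches a wrong-key mix-up early; it is a lookup hint and never replaces signature verification.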
RETURN CODES
minisign returns 0 on success, and a non-zero value on failure. When verifying a file, a non-zero value is also returned when the file is successfully verified but is not from a trusted source.
HISTORY
minisign was developed as a simpler, more secure alternative to traditional signing tools. It gained popularity for its ease of use and strong cryptographic properties. The development focused on providing a modern, reliable, and user-friendly signing solution. Initial releases focused on core signing and verification functionality, with later versions adding features like trusted comments.
SEE ALSO
gpg(1), signify(1)