
minisign's Introduction


minisign

minisign is a dead simple tool to sign files and verify signatures.

$ minisign -G
Please enter a password to protect the secret key.

Enter Password: 
Enter Password (one more time): 
Deriving a key from the password in order to encrypt the secret key... done

The secret key was saved as ~/.minisign/minisign.key - Keep it secret!
The public key was saved as minisign.pub - That one can be public.

Files signed using this key pair can be verified with the following command:

minisign -Vm <file> -P RWSYKA736yqh+JrZ7cRDdWgck/WKtwW9ATBFmk8pQ1lHeUKXtV6uJ7Fu
$ minisign -Sm message.txt
Enter password: 
Deriving a key from the password in order to decrypt the secret key... done
$ minisign -Vm message.txt
Signature and comment signature verified
Trusted comment: timestamp:1614718943	filename:message.txt

This is a Go implementation of the original C implementation by Frank Denis.

Usage

Usage:
    minisign -G [-p <pubKey>] [-s <secKey>] [-W]
    minisign -R [-s <secKey>] [-p <pubKey>]
    minisign -C [-s <secKey>] [-W]
    minisign -S [-x <signature>] [-s <secKey>] [-c <comment>] [-t <comment>] -m <file>...
    minisign -V [-H] [-x <signature>] [-p <pubKey> | -P <pubKey>] [-o] [-q | -Q ] -m <file>

Options:
    -G               Generate a new public/secret key pair.
    -R               Re-create a public key file from a secret key.
    -C               Change or remove the password of the secret key.
    -S               Sign files with a secret key.
    -V               Verify files with a public key.
    -m <file>        The file to sign or verify.
    -o               Combined with -V, output the file after verification.
    -H               Combined with -V, require a signature over a pre-hashed file.
    -p <pubKey>      Public key file (default: ./minisign.pub)
    -P <pubKey>      Public key as base64 string
    -s <secKey>      Secret key file (default: $HOME/.minisign/minisign.key)
    -W               Do not encrypt/decrypt the secret key with a password.
    -x <signature>   Signature file (default: <file>.minisig)
    -c <comment>     Add a one-line untrusted comment.
    -t <comment>     Add a one-line trusted comment.
    -q               Quiet mode. Suppress output.
    -Q               Pretty quiet mode. Combined with -V, only print the trusted comment.
    -f               Combined with -G or -R, overwrite any existing public/secret key pair.
    -v               Print version information.

Installation

With an up-to-date Go toolchain:

go install aead.dev/minisign/cmd/minisign@latest

On Windows, Linux and macOS, you can also use the pre-built binaries:

OS        ARCH    Latest Release
Linux     amd64   minisign-linux-amd64.tar.gz
Linux     arm64   minisign-linux-arm64.tar.gz
macOS     arm64   minisign-darwin-arm64.tar.gz
Windows   amd64   minisign-windows-amd64.zip

From source:

  1. Clone the repository
    git clone https://aead.dev/minisign && cd minisign
    
  2. Build the binary
    make build
    

Library

import "aead.dev/minisign" 

The following example generates a minisign public/private key pair, signs a message and verifies the message signature.

package main

import (
	"crypto/rand"
	"log"

	"aead.dev/minisign"
)

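func main() {
	var message = []byte("Hello World!")

	// Generate a fresh minisign key pair from the system CSPRNG.
	publicKey, privateKey, err := minisign.GenerateKey(rand.Reader)
	if err != nil {
		log.Fatalln(err)
	}

	// Sign the message with the private key.
	signature := minisign.Sign(privateKey, message)

	// Only use the message once its signature has been verified.
	if !minisign.Verify(publicKey, message, signature) {
		log.Fatalln("signature verification failed")
	}
	log.Println(string(message))
}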

For more examples visit the package documentation.

minisign's People

Contributors

aead, charles-dyfis-net


minisign's Issues

Signature verification broken

Hiya,

I think this implementation's signature verification is different from both
https://github.com/jedisct1/go-minisign and https://jedisct1.github.io/minisign/

The attached file has a valid signature (also attached) as produced by https://github.com/jedisct1/minisign/releases/download/0.9/minisign-win32.zip :

D:\sign>"C:\Users\RobertEmery\Documents\minisign.exe" -V -m robtest.ps1 -P "RWQ3ly9IPenQ6Wgt/VYzMCdGdVJPPoNSyT+rtTddvqBgANTYdboko0zu"
Signature and comment signature verified
Trusted comment: timestamp:1617721023   file:robtest.ps1

Yet when run through this reimplementation it shows as invalid:

D:\sign>C:\Users\RobertEmery\Downloads\minisign-main\minisign-main\minisign.exe -V -m robtest.ps1 -P "RWQ3ly9IPenQ6Wgt/VYzMCdGdVJPPoNSyT+rtTddvqBgANTYdboko0zu"
Error: signature verification failed

ExampleValidSignature.zip

Read password from STDIN

Hi,

It would be great to be able to read the password from STDIN, both for the initial key generation, and for signature creation. It appears the original supports this (from jedisct1/minisign#43), while this implementation currently errors with Error: failed to read password: inappropriate ioctl for device.

Import error

Hello,

I am unable to import your library.

The following output will make you understand the situation:

../../go/pkg/mod/github.com/minio/[email protected]/minisign.go:8:2: unrecognized import path "aead.dev/minisign": reading https://aead.dev/minisign?go-get=1: 404 Not Found

Windows Stdin Broken

Reading passwords from stdin on Windows does not work, key derivation always fails.

C-minikey passwordless keys (-W) are not usable

The C implementation of minisign can create, and use, passwordless keys. For compatibility, this project should also be able to read and use passwordless keys. In particular, to use all minisign keys, it should support the -W option:

5027» minisign -v
minisign 0.11
5028» minisign -h | grep -- -W
minisign -G [-f] [-p pubkey_file] [-s seckey_file] [-W]
minisign -C [-s seckey_file] [-W]
-W                do not encrypt/decrypt the secret key with a password

eg:

5029» minisign -v
5030» minisign -S -m LICENSE -s ~/.minisign/minisign.key
5031» file LICENSE.minisig
LICENSE.minisig: ASCII text

Go-minisign's key reading algorithm can not understand passwordless keys:

5033» go run ./cmd/minisign -v
minisign v0.0.0-dev on linux-amd64
5034» go run ./cmd/minisign -S -m LICENSE -s ~/.minisign/minisign.key
Enter password:
Deriving a key from the password in order to decrypt the secret key...
Error: invalid password: minisign: decryption failed
exit status 1

stdout should **only** be used for verified output

stdout should be reserved for only trusted content (and not prompts, errors, logs, informational or status messages, etc) such that -Q and -o can be used without worrying about corner cases, or needing to parse out explanatory/informational/diagnostic text added by the minisign tool itself. Doing this consistently also makes it safe to redirect stdout to a file or other programmatic destination without worrying about hiding information intended for human operators, or about future changes to the software (such as internationalization) breaking tools that try to remove informational messages from stdout or otherwise distinguish between diagnostic content and actual data.

POSIX specifies that stderr is the correct location for "diagnostic" data, and general agreement among UNIX developers is that prompts are diagnostic in nature (as they specify to the human operator when a system is ready for input, thus providing information on the system's state during operation). Notice how standard UNIX shells prompt on stderr; this is also appropriate insofar as stderr is line-buffered by default, whereas stdout is fully buffered by default (when not directed to a TTY).
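
The separation argued for in the issue above, sketched as an added example that is not part of the original issue or of this project's code: the message reaches stdout only after its signature verified, and every status or error line goes to stderr. It assumes crypto/ed25519 from the Go standard library as a stand-in for minisign verification; VerifyAndEmit, Demo and ErrBadSignature are hypothetical names.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
)

var ErrBadSignature = errors.New("signature verification failed")

// VerifyAndEmit is a hypothetical helper, not part of aead.dev/minisign.
// msg reaches stdout only after it verified; all diagnostics go to stderr.
func VerifyAndEmit(pub ed25519.PublicKey, msg, sig []byte, stdout, stderr io.Writer) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, msg, sig) {
		fmt.Fprintln(stderr, "Error:", ErrBadSignature)
		return ErrBadSignature // nothing was written to stdout
	}
	fmt.Fprintln(stderr, "Signature verified")
	_, err := stdout.Write(msg)
	return err
}

// Demo verifies a constructed message and a tampered copy, returning what
// each run wrote to its stdout writer.
func Demo() (good, tampered string, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // throwaway key
	if err != nil {
		return "", "", err
	}
	msg := []byte("Hello World!") // constructed sample input
	sig := ed25519.Sign(priv, msg)
	var out1, out2 bytes.Buffer
	if err := VerifyAndEmit(pub, msg, sig, &out1, io.Discard); err != nil {
		return "", "", err
	}
	if err := VerifyAndEmit(pub, []byte("Hello World?"), sig, &out2, io.Discard); !errors.Is(err, ErrBadSignature) {
		return "", "", fmt.Errorf("tampered input was accepted: %v", err)
	}
	return out1.String(), out2.String(), nil
}

func main() {
	good, tampered, err := Demo()
	fmt.Fprintf(os.Stderr, "valid: %q tampered: %q err: %v\n", good, tampered, err)
}
```

With this split, a caller can redirect stdout to a file and treat any byte in it as verified, while the exit status and stderr carry the diagnostics.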
