1MINISIGN(1) MINISIGN(1)
2
3
4
6 minisign - A dead simple tool to sign files and verify signatures.
7
9 minisign -G [-p pubkey] [-s seckey] minisign -S [-H] [-x sigfile] [-s
10 seckey] [-c untrusted_comment] [-t trusted_comment] -m <file> minisign
11 -V [-x sigfile] [-p pubkeyfile | -P pubkey] [-o] [-q] -m file
12
14 Minisign is a dead simple tool to sign files and verify signatures.
15
16 It is portable, lightweight, and uses the highly secure Ed25519
17 http://ed25519.cr.yp.to/ public-key signature system.
18
20 These options control the actions of minisign.
21
22 -G Generate a new key pair
23
24 -S Sign a file
25
26 -V Verify that a signature is valid for a given file
27
28 -m <file>
29 File to sign/verify
30
31 -o Combined with -V, output the file content after verification
32
33 -H Combined with -S, pre-hash in order to sign large files
34
35 -p <pubkeyfile>
36 Public key file (default: ./minisign.pub)
37
38 -P <pubkey>
39 Public key, as a base64 string
40
41 -s <seckey>
42 Secret key file (default: ~/.minisign/minisign.key)
43
44 -x <sigfile>
45 Signature file (default: <file>.minisig)
46
47 -c <comment>
48 Add a one-line untrusted comment
49
50 -t <comment>
51 Add a one-line trusted comment
52
53 -q Quiet mode, suppress output
54
55 -Q Pretty quiet mode, only print the trusted comment
56
57 -f Force. Combined with -G, overwrite a previous key pair
58
59 -v Display version number
60
62 Creating a key pair
63
64 minisign -G
65
66 The public key is printed and put into the minisign.pub file. The
67 secret key is encrypted and saved as a file named ~/.minisign/min‐
68 isign.key.
69
70 Signing a file
71
72 $ minisign -Sm myfile.txt
73
74 Or to include a comment in the signature, that will be verified and
75 displayed when verifying the file:
76
77 $ minisign -Sm myfile.txt -t ´This comment will be signed as well´
78
79 The secret key is loaded from ${MINISIGN_CONFIG_DIR}/minisign.key,
80 ~/.minisign/minisign.key, or its path can be explicitly set with the -s
81 <path> command-line switch.
82
83 Verifying a file
84
85 $ minisign -Vm myfile.txt -p <pubkey>
86
87 or
88
89 $ minisign -Vm myfile.txt -p signature.pub
90
91 This requires the signature myfile.txt.minisig to be present in the
92 same directory.
93
94 The public key can either reside in a file (./minisign.pub by default)
95 or be directly specified on the command line.
96
98 Trusted comments
99
100 Signature files include an untrusted comment line that can be freely
101 modified, even after signature creation.
102
103 They also include a second comment line, that cannot be modified with‐
104 out the secret key.
105
106 Trusted comments can be used to add instructions or application-spe‐
107 cific metadata (intended file name, timestamps, resource identifiers,
108 version numbers to prevent downgrade attacks).
109
110 Compatibility with OpenBSD signify
111
112 Signatures written by minisign can be verified using OpenBSD´s signify
113 tool: public key files and signature files are compatible.
114
115 However, minisign uses a slightly different format to store secret
116 keys.
117
118 Minisign signatures include trusted comments in addition to untrusted
119 comments. Trusted comments are signed, thus verified, before being dis‐
120 played.
121
122 This adds two lines to the signature files, that signify silently
123 ignores.
124
125 Pre-hashing
126
127 By default, signing and verification require as much memory as the size
128 of the file.
129
130 Since Minisign 0.6, huge files can be signed and verified with very low
131 memory requirements, by pre-hashing the content.
132
133 The -H command-line switch, in combination with -S, generates a
134 pre-hashed signature (HashEdDSA):
135
136 $ minisign -SHm myfile.txt
137
138 Verification of such a signature doesn´t require any specific switch:
139 the appropriate algorithm will automatically be detected.
140
141 Signatures generated that way are not compatible with OpenBSD´s signify
142 tool and are not compatible with Minisign versions prior to 0.6.
143
145 Frank Denis (github [at] pureftpd [dot] org)
146
147
148
149 August 2016 MINISIGN(1)