1MINISIGN(1) MINISIGN(1)
2
6 minisign - A dead simple tool to sign files and verify signatures.
7
9 minisign -G [-p pubkey] [-s seckey] minisign -S [-H] [-x sigfile] [-s
10 seckey] [-c untrusted_comment] [-t trusted_comment] -m <file> minisign
11 -V [-x sigfile] [-p pubkeyfile | -P pubkey] [-o] [-q] -m file
12
14 Minisign is a dead simple tool to sign files and verify signatures.
15 It is portable, lightweight, and uses the highly secure Ed25519
17 http://ed25519.cr.yp.to/ public-key signature system.
18
20 These options control the actions of minisign.
21 -G Generate a new key pair
23 -S Sign a file
25 -V Verify that a signature is valid for a given file
27 -m <file>
29 File to sign/verify
30 -o Combined with -V, output the file content after verification
32 -H Combined with -S, pre-hash in order to sign large files
34 -p <pubkeyfile>
36 Public key file (default: ./minisign.pub)
37 -P <pubkey>
39 Public key, as a base64 string
40 -s <seckey>
42 Secret key file (default: ~/.minisign/minisign.key)
43 -x <sigfile>
45 Signature file (default: <file>.minisig)
46 -c <comment>
48 Add a one-line untrusted comment
49 -t <comment>
51 Add a one-line trusted comment
52 -q Quiet mode, suppress output
54 -Q Pretty quiet mode, only print the trusted comment
56 -f Force. Combined with -G, overwrite a previous key pair
58 -v Display version number
60
62 Creating a key pair
63 minisign -G
65 The public key is printed and put into the minisign.pub file. The
67 secret key is encrypted and saved as a file named ~/.minisign/min‐
68 isign.key.
69 Signing a file
71 $ minisign -Sm myfile.txt
73 Or to include a comment in the signature, that will be verified and
75 displayed when verifying the file:
76 $ minisign -Sm myfile.txt -t ´This comment will be signed as well´
78 The secret key is loaded from ${MINISIGN_CONFIG_DIR}/minisign.key,
80 ~/.minisign/minisign.key, or its path can be explicitly set with the -s
81 <path> command-line switch.
82 Verifying a file
84 $ minisign -Vm myfile.txt -p <pubkey>
86 or
88 $ minisign -Vm myfile.txt -p signature.pub
90 This requires the signature myfile.txt.minisig to be present in the
92 same directory.
93 The public key can either reside in a file (./minisign.pub by default)
95 or be directly specified on the command line.
96
98 Trusted comments
99 Signature files include an untrusted comment line that can be freely
101 modified, even after signature creation.
102 They also include a second comment line, that cannot be modified with‐
104 out the secret key.
105 Trusted comments can be used to add instructions or application-spe‐
107 cific metadata (intended file name, timestamps, resource identifiers,
108 version numbers to prevent downgrade attacks).
109 Compatibility with OpenBSD signify
111 Signatures written by minisign can be verified using OpenBSD´s signify
113 tool: public key files and signature files are compatible.
114 However, minisign uses a slightly different format to store secret
116 keys.
117 Minisign signatures include trusted comments in addition to untrusted
119 comments. Trusted comments are signed, thus verified, before being dis‐
120 played.
121 This adds two lines to the signature files, that signify silently
123 ignores.
124 Pre-hashing
126 By default, signing and verification require as much memory as the size
128 of the file.
129 Since Minisign 0.6, huge files can be signed and verified with very low
131 memory requirements, by pre-hashing the content.
132 The -H command-line switch, in combination with -S, generates a
134 pre-hashed signature (HashEdDSA):
135 $ minisign -SHm myfile.txt
137 Verification of such a signature doesn´t require any specific switch:
139 the appropriate algorithm will automatically be detected.
140 Signatures generated that way are not compatible with OpenBSD´s signify
142 tool and are not compatible with Minisign versions prior to 0.6.
143
145 Frank Denis (github [at] pureftpd [dot] org)
146 August 2016 MINISIGN(1)