MINISIGN(1)                                                        MINISIGN(1)

NAME

       minisign - A dead simple tool to sign files and verify signatures.

SYNOPSIS

       minisign -G [-p pubkey] [-s seckey]

       minisign -S [-H] [-x sigfile] [-s seckey] [-c untrusted_comment]
                [-t trusted_comment] -m file [file ...]

       minisign -V [-x sigfile] [-p pubkeyfile | -P pubkey] [-o] [-q] -m file

       minisign -R -s seckey -p pubkeyfile

DESCRIPTION

       Minisign is a dead simple tool to sign files and verify signatures.

       It is portable, lightweight, and uses the highly secure Ed25519
       (http://ed25519.cr.yp.to/) public-key signature system.

OPTIONS

       These options control the actions of minisign.

       -G     Generate a new key pair

       -S     Sign files

       -V     Verify that a signature is valid for a given file

       -m <file>
              File to sign/verify

       -o     Combined with -V, output the file content after verification

       -H     Combined with -S, pre-hash in order to sign large files

       -p <pubkeyfile>
              Public key file (default: ./minisign.pub)

       -P <pubkey>
              Public key, as a base64 string

       -s <seckey>
              Secret key file (default: ~/.minisign/minisign.key)

       -x <sigfile>
              Signature file (default: <file>.minisig)

       -c <comment>
              Add a one-line untrusted comment

       -t <comment>
              Add a one-line trusted comment

       -q     Quiet mode, suppress output

       -Q     Pretty quiet mode, only print the trusted comment

       -R     Recreate a public key file from a secret key file

       -f     Force. Combined with -G, overwrite a previous key pair

       -v     Display version number

EXAMPLES

       Creating a key pair

           $ minisign -G

       The public key is printed and put into the minisign.pub file. The
       secret key is encrypted and saved as a file named
       ~/.minisign/minisign.key.

       Signing files

           $ minisign -Sm myfile.txt
           $ minisign -Sm myfile.txt myfile2.txt *.c

       Or, to include a comment in the signature that will be verified and
       displayed when verifying the file:

           $ minisign -Sm myfile.txt -t 'This comment will be signed as well'

       The secret key is loaded from ${MINISIGN_CONFIG_DIR}/minisign.key,
       ~/.minisign/minisign.key, or its path can be explicitly set with the -s
       <path> command-line switch.

       Verifying a file

           $ minisign -Vm myfile.txt -P <pubkey>

       or

           $ minisign -Vm myfile.txt -p signature.pub

       This requires the signature myfile.txt.minisig to be present in the
       same directory.

       The public key can either reside in a file (./minisign.pub by default)
       or be directly specified on the command line.

NOTES

       Trusted comments

       Signature files include an untrusted comment line that can be freely
       modified, even after signature creation.

       They also include a second comment line that cannot be modified
       without the secret key.

       Trusted comments can be used to add instructions or
       application-specific metadata (intended file name, timestamps, resource
       identifiers, version numbers to prevent downgrade attacks).

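       The following is an added example, not part of the minisign
       distribution: an updater that accepts a file only if its verified
       trusted comment names that file and carries a version no older than
       the installed one. The "file=<name> version=<n>" comment layout and all
       function names are assumptions of this example, not something minisign
       defines.

```shell
#!/bin/sh
# Added example. Signer side (convention assumed by this example):
#   minisign -Sm app.tar.gz -t 'file=app.tar.gz version=12'

# Print the value of one key from a space-separated "k=v k=v" comment.
tc_field() {  # $1 = trusted comment, $2 = key
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Apply policy to an already verified trusted comment.
# Prints the signed version on success, returns 1 on any rejection.
check_trusted_comment() {  # $1 = comment, $2 = expected name, $3 = installed version
    name=$(tc_field "$1" file)
    ver=$(tc_field "$1" version)
    if [ "$name" != "$2" ]; then
        echo "reject: signature is for '$name', not '$2'" >&2; return 1
    fi
    case "$ver" in
        ''|*[!0-9]*) echo "reject: no numeric version in comment" >&2; return 1 ;;
    esac
    if [ "$ver" -lt "$3" ]; then
        echo "reject: version $ver is older than installed $3" >&2; return 1
    fi
    printf '%s\n' "$ver"
}

# Verify the signature first, then apply the policy to the comment.
verify_update() {  # $1 = file, $2 = public key file, $3 = installed version
    # -V verifies; -Q prints only the trusted comment. The exit status is
    # checked before the comment is used.
    tc=$(minisign -VQm "$1" -p "$2") || { echo "reject: bad signature" >&2; return 1; }
    check_trusted_comment "$tc" "$(basename "$1")" "$3"
}
```

       Only the trusted comment is suitable for this kind of decision; the
       untrusted comment line can be rewritten by anyone who can modify the
       signature file.
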
       Compatibility with OpenBSD signify

       Signatures written by minisign can be verified using OpenBSD's signify
       tool: public key files and signature files are compatible.

       However, minisign uses a slightly different format to store secret
       keys.

       Minisign signatures include trusted comments in addition to untrusted
       comments. Trusted comments are signed, thus verified, before being
       displayed.

       This adds two lines to the signature files, which signify silently
       ignores.

       Pre-hashing

       By default, signing and verification require as much memory as the size
       of the file.

       Since Minisign 0.6, huge files can be signed and verified with very low
       memory requirements, by pre-hashing the content.

       The -H command-line switch, in combination with -S, generates a
       pre-hashed signature (HashEdDSA):

           $ minisign -SHm myfile.txt

       Verification of such a signature doesn't require any specific switch:
       the appropriate algorithm will automatically be detected.

       Signatures generated that way are not compatible with OpenBSD's signify
       tool and are not compatible with Minisign versions prior to 0.6.

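       The following is an added example, not part of the minisign
       distribution: a check, run before publishing, that tells whether a
       signature file is pre-hashed and therefore unusable with signify or
       Minisign versions prior to 0.6. It relies on the two-byte algorithm tag
       at the start of the base64 signature line ("Ed" for legacy, "ED" for
       pre-hashed), which comes from minisign's signature format and is not
       described on this page; the function names are this example's own.

```shell
#!/bin/sh
# Added example. Line 2 of a .minisig file is base64 of:
#   2-byte algorithm tag | 8-byte key id | 64-byte signature
# Assumes a base64 utility that accepts -d (GNU coreutils, recent BSD/macOS).

# Print "legacy" or "prehashed" for a signature file; return 1 if neither.
minisig_kind() {  # $1 = path to signature file
    tag=$(sed -n '2p' "$1" | base64 -d 2>/dev/null | head -c 2)
    case "$tag" in
        Ed) echo legacy ;;
        ED) echo prehashed ;;
        *)  echo "unrecognised signature algorithm in $1" >&2; return 1 ;;
    esac
}

# Succeeds only for signatures that signify and pre-0.6 Minisign can verify.
signify_compatible() {  # $1 = path to signature file
    [ "$(minisig_kind "$1" 2>/dev/null)" = legacy ]
}
```
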

AUTHOR

       Frank Denis (github [at] pureftpd [dot] org)

                                  June 2020                       MINISIGN(1)