MINISIGN(1) MINISIGN(1)

minisign - A dead simple tool to sign files and verify signatures.

minisign -G [-p pubkey] [-s seckey]

minisign -S [-H] [-x sigfile] [-s seckey] [-c untrusted_comment] [-t trusted_comment] -m file [file ...]

minisign -V [-x sigfile] [-p pubkeyfile | -P pubkey] [-o] [-q] -m file

minisign -R -s seckey -p pubkeyfile

Minisign is a dead simple tool to sign files and verify signatures.

It is portable, lightweight, and uses the highly secure Ed25519
(http://ed25519.cr.yp.to/) public-key signature system.

These options control the actions of minisign.

-G
    Generate a new key pair

-S
    Sign files

-V
    Verify that a signature is valid for a given file

-m <file>
    File to sign/verify

-o
    Combined with -V, output the file content after verification

-H
    Combined with -S, pre-hash in order to sign large files

-p <pubkeyfile>
    Public key file (default: ./minisign.pub)

-P <pubkey>
    Public key, as a base64 string

-s <seckey>
    Secret key file (default: ~/.minisign/minisign.key)

-x <sigfile>
    Signature file (default: <file>.minisig)

-c <comment>
    Add a one-line untrusted comment

-t <comment>
    Add a one-line trusted comment

-q
    Quiet mode, suppress output

-Q
    Pretty quiet mode, only print the trusted comment

-R
    Recreate a public key file from a secret key file

-f
    Force. Combined with -G, overwrite a previous key pair

-v
    Display version number

Creating a key pair

minisign -G

The public key is printed and put into the minisign.pub file. The
secret key is encrypted and saved as a file named
~/.minisign/minisign.key.

Signing files

$ minisign -Sm myfile.txt
$ minisign -Sm myfile.txt myfile2.txt *.c

Or to include a comment in the signature, that will be verified and
displayed when verifying the file:

$ minisign -Sm myfile.txt -t 'This comment will be signed as well'

The secret key is loaded from ${MINISIGN_CONFIG_DIR}/minisign.key,
~/.minisign/minisign.key, or its path can be explicitly set with the -s
<path> command-line switch.

Verifying a file

$ minisign -Vm myfile.txt -P <pubkey>

or

$ minisign -Vm myfile.txt -p signature.pub

This requires the signature myfile.txt.minisig to be present in the
same directory.

The public key can either reside in a file (./minisign.pub by default)
or be directly specified on the command line.

Trusted comments

Signature files include an untrusted comment line that can be freely
modified, even after signature creation.

They also include a second comment line, that cannot be modified
without the secret key.

Trusted comments can be used to add instructions or
application-specific metadata (intended file name, timestamps, resource
identifiers, version numbers to prevent downgrade attacks).
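
The following is an added example, not part of the original manual page or of minisign itself: a shell wrapper that uses the trusted comment to refuse a validly signed but older release. It assumes the signer puts a version=X.Y.Z token in the trusted comment (a convention chosen for this example), and the function names are hypothetical. The untrusted comment is never read.

```shell
#!/bin/sh
# Added example: refuse signed-but-older releases using the trusted comment.
# Assumption: the signer ran  minisign -Sm FILE -t 'version=X.Y.Z'
# All function names here are hypothetical helpers, not part of minisign.

# Print the dotted version carried by a trusted comment (nothing if absent).
# The token must be a whole space-separated word, so "subversion=9" is ignored.
version_from_comment() {
    printf '%s\n' "$1" |
        sed -nE 's/^(.* )?version=([0-9]+(\.[0-9]+)*)( .*)?$/\2/p'
}

# Succeed (status 0) only if dotted version $1 is strictly lower than $2.
# Fields are compared numerically, so 1.4.2 < 1.10.0; missing fields count as 0.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# verify_no_downgrade FILE PUBKEYFILE INSTALLED_VERSION
verify_no_downgrade() {
    # -Q prints only the trusted comment; a failed verification prints none
    # and exits non-zero, so $tc is never taken from an unverified signature.
    tc=$(minisign -V -Q -m "$1" -p "$2") || {
        echo "signature verification failed: $1" >&2; return 1; }
    new=$(version_from_comment "$tc")
    [ -n "$new" ] || { echo "no version in trusted comment" >&2; return 1; }
    if version_lt "$new" "$3"; then
        echo "refusing downgrade: $new is older than installed $3" >&2
        return 1
    fi
    echo "verified: $1 is version $new"
}
```

A caller would run, for instance, verify_no_downgrade app.tar.gz minisign.pub 1.4.2 and install only on a zero exit status.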

Compatibility with OpenBSD signify

Signatures written by minisign can be verified using OpenBSD's signify
tool: public key files and signature files are compatible.

However, minisign uses a slightly different format to store secret
keys.

Minisign signatures include trusted comments in addition to untrusted
comments. Trusted comments are signed, thus verified, before being
displayed.

This adds two lines to the signature files, that signify silently
ignores.

Pre-hashing

By default, signing and verification require as much memory as the size
of the file.

Since Minisign 0.6, huge files can be signed and verified with very low
memory requirements, by pre-hashing the content.

The -H command-line switch, in combination with -S, generates a
pre-hashed signature (HashEdDSA):

$ minisign -SHm myfile.txt

Verification of such a signature doesn't require any specific switch:
the appropriate algorithm will automatically be detected.

Signatures generated that way are not compatible with OpenBSD's signify
tool and are not compatible with Minisign versions prior to 0.6.

Frank Denis (github [at] pureftpd [dot] org)

June 2020 MINISIGN(1)