minisign − A dead simple tool to sign files and verify signatures.
minisign −G [−p pubkey_file] [−s seckey_file] [−W]
minisign −R [−s seckey_file] [−p pubkey_file]
minisign −C [−s seckey_file] [−W]
minisign −S [−H] [−x sig_file] [−s seckey_file] [−c untrusted_comment] [−t trusted_comment] −m file [file ...]
minisign −V [−x sig_file] [−p pubkey_file | −P pubkey] [−o] [−q] −m file
Minisign is a dead simple tool to sign files and verify signatures.
It is portable, lightweight, and uses the highly secure Ed25519 http://ed25519.cr.yp.to/ public−key signature system.
These options control the actions of minisign.
−G |
Generate a new key pair |
|||
−C |
Change/remove the password of a secret key |
|||
−R |
Recreate a public key file from a secret key file |
|||
−S |
Sign files |
|||
−V |
Verify that a signature is valid for a given file |
|||
−H |
Requires the input to be prehashed |
|||
−l |
Sign using the legacy format |
−m <file>
File to sign/verify
−o |
Combined with −V, output the file content after verification |
−p <pubkey_file>
Public key file (default: ./minisign.pub)
−P <pubkey>
Public key, as a base64 string
−s <seckey_file>
Secret key file (default: ˜/.minisign/minisign.key)
−W |
Do not encrypt/decrypt the secret key with a password |
−x <sig_file>
Signature file (default: <file>.minisig)
−c <comment>
Add a one−line untrusted comment
−t <comment>
Add a one−line trusted comment
−q |
Quiet mode, suppress output |
|||
−Q |
Pretty quiet mode, only print the trusted comment |
|||
−f |
Force. Combined with −G, overwrite a previous key pair |
|||
−v |
Display version number |
Creating a key pair
minisign −G
The public key is printed and put into the minisign.pub file. The secret key is encrypted and saved as a file named ˜/.minisign/minisign.key.
Signing files
$ minisign −Sm myfile.txt $ minisign −Sm myfile.txt myfile2.txt *.c
Or to include a comment in the signature, that will be verified and displayed when verifying the file:
$ minisign −Sm myfile.txt −t ´This comment will be signed as well´
The secret key is loaded from ${MINISIGN_CONFIG_DIR}/minisign.key, ˜/.minisign/minisign.key, or its path can be explicitly set with the −s <path> command−line switch.
Verifying a file
$ minisign −Vm myfile.txt −P <pubkey>
or
$ minisign −Vm myfile.txt −p signature.pub
This requires the signature myfile.txt.minisig to be present in the same directory.
The public key can either reside in a file (./minisign.pub by default) or be directly specified on the command line.
Signature files include an untrusted comment line that can be freely modified, even after signature creation.
They also include a second comment line, that cannot be modified without the secret key.
Trusted comments can be used to add instructions or application−specific metadata (intended file name, timestamps, resource identifiers, version numbers to prevent downgrade attacks).
Frank Denis (github [at] pureftpd [dot] org)