| MINISIGN(1) | MINISIGN(1) |
minisign - A dead simple tool to sign files and verify signatures.
minisign -G [-p pubkey_file] [-s seckey_file] [-W]
minisign -R [-s seckey_file] [-p pubkey_file]
minisign -C [-s seckey_file] [-W]
minisign -S [-H] [-x sig_file] [-s seckey_file] [-c untrusted_comment] [-t trusted_comment] -m file [file ...]
minisign -V [-x sig_file] [-p pubkey_file | -P pubkey] [-o] [-q] -m file
Minisign is a dead simple tool to sign files and verify signatures.
It is portable, lightweight, and uses the highly secure Ed25519 http://ed25519.cr.yp.to/ public-key signature system.
These options control the actions of minisign.
Creating a key pair
minisign -G
The public key is printed and put into the minisign.pub file. The secret key is encrypted and saved as a file named ~/.minisign/minisign.key.
Signing files
$ minisign -Sm myfile.txt $ minisign -Sm myfile.txt myfile2.txt *.c
Or to include a comment in the signature, that will be verified and displayed when verifying the file:
$ minisign -Sm myfile.txt -t 'This comment will be signed as well'
The secret key is loaded from ${MINISIGN_CONFIG_DIR}/minisign.key, ~/.minisign/minisign.key, or its path can be explicitly set with the -s <path> command-line switch.
Verifying a file
$ minisign -Vm myfile.txt -P <pubkey>
or
$ minisign -Vm myfile.txt -p signature.pub
This requires the signature myfile.txt.minisig to be present in the same directory.
The public key can either reside in a file (./minisign.pub by default) or be directly specified on the command line.
Signature files include an untrusted comment line that can be freely modified, even after signature creation.
They also include a second comment line, that cannot be modified without the secret key.
Trusted comments can be used to add instructions or application-specific metadata (intended file name, timestamps, resource identifiers, version numbers to prevent downgrade attacks).
Frank Denis (github [at] pureftpd [dot] org)
| January 2023 |