Manual Page Search Parameters

MINISIGN(1) MINISIGN(1)

minisign - A dead simple tool to sign files and verify signatures.

minisign -G [-p pubkey_file] [-s seckey_file] [-W]

minisign -R [-s seckey_file] [-p pubkey_file]

minisign -C [-s seckey_file] [-W]

minisign -S [-H] [-x sig_file] [-s seckey_file] [-c untrusted_comment] [-t trusted_comment] -m file [file ...]

minisign -V [-x sig_file] [-p pubkey_file | -P pubkey] [-o] [-q] -m file

Minisign is a dead simple tool to sign files and verify signatures.

It is portable, lightweight, and uses the highly secure Ed25519 http://ed25519.cr.yp.to/ public-key signature system.

These options control the actions of minisign.

Generate a new key pair
Change/remove the password of a secret key
Recreate a public key file from a secret key file
Sign files
Verify that a signature is valid for a given file
Requires the input to be prehashed
Sign using the legacy format
File to sign/verify
Combined with -V, output the file content after verification
Public key file (default: ./minisign.pub)
Public key, as a base64 string
Secret key file (default: ~/.minisign/minisign.key)
Do not encrypt/decrypt the secret key with a password
Signature file (default: <file>.minisig)
Add a one-line untrusted comment
Add a one-line trusted comment
Quiet mode, suppress output
Pretty quiet mode, only print the trusted comment
Force. Combined with -G, overwrite a previous key pair
Display version number

Creating a key pair

minisign -G

The public key is printed and put into the minisign.pub file. The secret key is encrypted and saved as a file named ~/.minisign/minisign.key.

Signing files

$ minisign -Sm myfile.txt $ minisign -Sm myfile.txt myfile2.txt *.c

Or to include a comment in the signature, that will be verified and displayed when verifying the file:

$ minisign -Sm myfile.txt -t ´This comment will be signed as well´

The secret key is loaded from ${MINISIGN_CONFIG_DIR}/minisign.key, ~/.minisign/minisign.key, or its path can be explicitly set with the -s <path> command-line switch.

Verifying a file

$ minisign -Vm myfile.txt -P <pubkey>

or

$ minisign -Vm myfile.txt -p signature.pub

This requires the signature myfile.txt.minisig to be present in the same directory.

The public key can either reside in a file (./minisign.pub by default) or be directly specified on the command line.

Signature files include an untrusted comment line that can be freely modified, even after signature creation.

They also include a second comment line, that cannot be modified without the secret key.

Trusted comments can be used to add instructions or application-specific metadata (intended file name, timestamps, resource identifiers, version numbers to prevent downgrade attacks).

Frank Denis (github [at] pureftpd [dot] org)

January 2023