Minisign logo

Minisign Frank Denis

crypto cryptography ed25519 gpg pgp signatures
Use this command to install Minisign:
winget install --id=jedisct1.minisign -e

Minisign is a dead simple tool to sign files and verify signatures. It is portable, lightweight, and uses the highly secure Ed25519 public-key signature system.

README

Minisign

CodeQL scan Release

A dead simple tool to sign files and verify signatures.

Table of Contents

Overview

Minisign is a tool to sign files and verify signatures. It's designed to be:

  • Simple to use
  • Secure (based on modern cryptography)
  • Minimal (focused on doing one thing well)
  • Cross-platform

Minisign uses the Ed25519 public-key signature system with small and fast signatures.

Documentation

For comprehensive documentation, please refer to the Minisign documentation website or the included man page.

Installation

Pre-built Packages

Minisign is available in various package managers:

PlatformCommand
macOS (Homebrew)brew install minisign
Windows (Scoop)scoop install minisign
Windows (Chocolatey)choco install minisign

Building with Zig

Dependencies:

Compilation options:

  1. With libsodium, dynamically linked:
zig build -Doptimize=ReleaseSmall
  1. With libsodium, statically linked:
zig build -Doptimize=ReleaseSmall -Dstatic
  1. Without libsodium (no dependencies required):
zig build -Doptimize=ReleaseSmall -Dwithout-libsodium

The resulting binary can be found in zig-out/bin/minisign.

For faster execution at the cost of larger binary size, you can replace ReleaseSmall with ReleaseFast in any of the above commands.

Building with cmake and gcc or clang

Dependencies:

  • libsodium (required)
  • cmake
  • pkg-config
  • gcc or clang

Compilation:

mkdir build
cd build
cmake ..
make
make install  # with appropriate permissions

Alternative configuration for static binaries:

cmake -D STATIC_LIBSODIUM=1 ..

or:

cmake -D BUILD_STATIC_EXECUTABLES=1 ..

Usage

Generating a Key Pair

minisign -G

This creates:

  • A public key (minisign.pub by default)
  • A password-protected secret key (minisign.key by default)

Signing Files

minisign -S -m file.txt

This creates a signature file named file.txt.minisig.

To add a trusted comment that will be verified:

minisign -S -m file.txt -t "Trusted comment here"

Verifying Signatures

minisign -Vm file.txt -p minisign.pub

or with a public key directly:

minisign -Vm file.txt -P RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3

Verification of Official Releases

Tarballs and pre-compiled binaries from the project can be verified with the following public key:

RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3

Docker

Minisign is available as a Docker image:

docker run -i --rm jedisct1/minisign

Example of verifying a signature using the Docker image:

docker run -v .:/minisign -e HOME=/minisign -w /minisign \
  -it --rm jedisct1/minisign \
  -Vm file_to_verify -p minisign.pub

The image can be verified with the following cosign public key:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExjZWrlc6c58W7ZzmQnx6mugty99C
OQTDtJeciX9LF9hEbs1J1fzZHRdRhV4OTqcq0jTW9PXnrSSZlk1fbkE/5w==
-----END PUBLIC KEY-----

Compatibility with Signify

Minisign is compatible with signify, the OpenBSD signing tool. Signatures created with signify can be verified with minisign, and vice versa.

Signature Determinism

This implementation uses deterministic signatures, unless libsodium was compiled with the ED25519_NONDETERMINISTIC macro defined. This adds random noise to the computation of EdDSA nonces.

Other implementations can choose to use non-deterministic signatures by default. They will remain fully interoperable with implementations using deterministic signatures.

Additional Tools, Libraries and Implementations

Versions
0.12
0.11
Website
github.com
License