Signify: Cryptographically Sign and Verify Files

From Kicksecure
Jump to navigation Jump to search

Signify1323.jpg

Introduction[edit]

Written in 2014 for OpenBSD, signify is a tool to cryptographically sign and verify files: [1]

It only supports a single algorithm, Ed25519, created by djb and his gang. It’s fast, immune to timing attacks by design, produce deterministic signatures, uses small keys and produce small signatures, … it does look like a sound choice.

Signify's main benefits is that it has a small codebase and is not based on GnuPG. On the downside, there is no revocation mechanism [2] and the trust path relies on getting the key directly from a trusted developer. [1]

Signify's usage is not just limited to OpenBSD and the tool has also been been packaged in Debian. [3] To learn more about signify, refer to this blog post by the original author.

Installation and Usage[edit]

Info In the steps below, installing package qrencode is optional and only needed if you intend to create QR codes.

1. Install signify.

Install signify-openbsd qrencode. To accomplish that, the following steps A. to D. need to be done.

A. Update the package lists.

sudo apt update

B. Upgrade the system.

sudo apt full-upgrade

C. Install the signify-openbsd qrencode package.

Using apt command line parameter --no-install-recommends is in most cases optional.

sudo apt install --no-install-recommends signify-openbsd qrencode

D. Done.

The procedure of installing signify-openbsd qrencode is complete.

2. Create a key.

This only needs to be done once unless multiple keys are desired; in that case different key names should be used. In the following example, keyname is used as the sample key name.

signify-openbsd -G -p keyname.pub -s keyname.sec

3. Optional: Add a key comment.

Replace comments here with the actual comment but keep the ". The comment could be a name, position, website, e-mail address and/or anything else.

signify-openbsd -G -p keyname.pub -s keyname.sec -c "comments here"

Note:

  • The private key file keyname.sec needs to stay private -- never share keyname.sec with anyone as this would defeat the purpose of signing files!
  • The public key file keyname.pub can be shared with anyone.

4. Utilize signify.

To sign a file message.txt (which has to be created by the user beforehand).

signify-openbsd -S -s keyname.sec -m message.txt

This will create a signature file message.txt.sig.

To verify a file message.txt with signature file message.txt.sig.

signify-openbsd -V -p keyname.pub -m message.txt

5. Optional: Create a QR code for the public key.

qrencode -r keyname.pub -o keyname.pub.png

File keyname.pub.png would be the QR code of the public key.

Refer to the Debian signify-openbsd Manual Page for further options.

[4]

See Also[edit]

Footnotes[edit]

  1. 1.0 1.1 https://isopenbsdsecu.re/mitigations/signify/
  2. Meaning if the key is stolen, people can only be informed the key should not be trusted anymore.
  3. https://packages.debian.org/bullseye/signify-openbsd


Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

Retrieved from "https://www.kicksecure.com/w/index.php?title=Signify&oldid=54246"