A dead simple tool to sign files and verify signatures.
- Minisign
Minisign is a tool to sign files and verify signatures. It's designed to be:
- Simple to use
- Secure (based on modern cryptography)
- Minimal (focused on doing one thing well)
- Cross-platform
Minisign uses the Ed25519 public-key signature system with small and fast signatures.
For comprehensive documentation, please refer to the Minisign documentation website or the included man page.
Minisign is available in various package managers:
| Platform | Command |
|---|---|
| macOS (Homebrew) | brew install minisign |
| Windows (Scoop) | scoop install minisign |
| Windows (Chocolatey) | choco install minisign |
Dependencies:
Compilation options:
- With libsodium, dynamically linked:
zig build -Doptimize=ReleaseSmall- With libsodium, statically linked:
zig build -Doptimize=ReleaseSmall -Dstatic- Without libsodium (no dependencies required):
zig build -Doptimize=ReleaseSmall -Dwithout-libsodiumThe resulting binary can be found in zig-out/bin/minisign.
For faster execution at the cost of larger binary size, you can replace ReleaseSmall with ReleaseFast in any of the above commands.
Dependencies:
- libsodium (required)
- cmake
- pkg-config
- gcc or clang
Compilation:
mkdir build
cd build
cmake ..
make
make install # with appropriate permissionsAlternative configuration for static binaries:
cmake -D STATIC_LIBSODIUM=1 ..or:
cmake -D BUILD_STATIC_EXECUTABLES=1 ..minisign -GThis creates:
- A public key (
minisign.pubby default) - A password-protected secret key (
minisign.keyby default)
minisign -S -m file.txtThis creates a signature file named file.txt.minisig.
To add a trusted comment that will be verified:
minisign -S -m file.txt -t "Trusted comment here"minisign -Vm file.txt -p minisign.pubor with a public key directly:
minisign -Vm file.txt -P RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3Tarballs and pre-compiled binaries from the project can be verified with the following public key:
RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3
Minisign is available as a Docker image:
docker run -i --rm jedisct1/minisignExample of verifying a signature using the Docker image:
docker run -v .:/minisign -e HOME=/minisign -w /minisign \
-it --rm jedisct1/minisign \
-Vm file_to_verify -p minisign.pubThe image can be verified with the following cosign public key:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExjZWrlc6c58W7ZzmQnx6mugty99C
OQTDtJeciX9LF9hEbs1J1fzZHRdRhV4OTqcq0jTW9PXnrSSZlk1fbkE/5w==
-----END PUBLIC KEY-----
Minisign is compatible with signify, the OpenBSD signing tool. Signatures created with signify can be verified with minisign, and vice versa.
This implementation uses deterministic signatures, unless libsodium was compiled with the ED25519_NONDETERMINISTIC macro defined. This adds random noise to the computation of EdDSA nonces.
Other implementations can choose to use non-deterministic signatures by default. They will remain fully interoperable with implementations using deterministic signatures.
- minizign - Compact implementation in Zig that can also use ssh-encoded keys
- minisign-misc - Set of workflows and scripts for macOS to verify and sign files
- go-minisign - Go module to verify Minisign signatures
- rust-minisign - Minisign library in pure Rust
- rsign2 - Reimplementation of the command-line tool in Rust
- minisign (go) - Rewrite in Go language (CLI and library)
- minisign-verify - Small Rust crate to verify Minisign signatures
- minisign-net - .NET library for Minisign signatures
- minisign - Javascript implementation
- WebAssembly implementations: rsign2 and minisign-cli on WAPM
- minisign-php - PHP implementation
- py-minisign - Python implementation
- minisign - Elixir implementation (verification only)