Signify: Cryptographically Sign and Verify Files

From Kicksecure
Jump to navigation Jump to search

HowTo: Use Signify on Debian (based) Distributions

Introduction[edit]

Written in 2014 for OpenBSD, signify is a tool to cryptographically sign and verify files: [1]

It only supports a single algorithm, Ed25519, created by djb and his gang. It’s fast, immune to timing attacks by design, produce deterministic signatures, uses small keys and produce small signatures, … it does look like a sound choice.

Signify's main benefits is that it has a small codebase and is not based on GnuPG. On the downside, there is no revocation mechanism [2] and the trust path relies on getting the key directly from a trusted developer. [1]

Signify's usage is not just limited to OpenBSD and the tool has also been been packaged in Debian. [3] To learn more about signify, refer to this blog postarchive.org iconarchive.today icon by the original author.

Installation and Usage[edit]

Info In the steps below, installing package qrencode is optional and only needed if you intend to create QR codes.

1. Install signify.

Install package(s) signify-openbsd qrencode following these instructions

1 Platform specific notice.

2 Update the package lists and upgrade the systemOnion Logo.

Click = Copy Copied to clipboard! sudo apt update && sudo apt full-upgrade

3 Install the signify-openbsd qrencode package(s).

Using apt command line --no-install-recommends optionOnion Logo is in most cases optional.

Click = Copy Copied to clipboard! sudo apt install --no-install-recommends signify-openbsd qrencode

4 Platform specific notice.

  • Kicksecure: No special notice.
  • Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template ModificationOnion Logo.

5 Done.

The procedure of installing package(s) signify-openbsd qrencode is complete.

2. Create a key.

This only needs to be done once unless multiple keys are desired; in that case different key names should be used. In the following example, keyname is used as the sample key name.

Click = Copy Copied to clipboard! signify-openbsd -G -p keyname.pub -s keyname.sec

3. Optional: Add a key comment.

Replace comments here with the actual comment but keep the ". The comment could be a name, position, website, e-mail address and/or anything else.

Click = Copy Copied to clipboard! signify-openbsd -G -p keyname.pub -s keyname.sec -c "comments here"

Note:

  • The private key file keyname.sec needs to stay private -- never share keyname.sec with anyone as this would defeat the purpose of signing files!
  • The public key file keyname.pub can be shared with anyone.

4. Utilize signify.

To sign a file message.txt (which has to be created by the user beforehand).

Click = Copy Copied to clipboard! signify-openbsd -S -s keyname.sec -m message.txt

This will create a signature file message.txt.sig.

To verify a file message.txt with signature file message.txt.sig.

Click = Copy Copied to clipboard! signify-openbsd -V -p keyname.pub -m message.txt

5. Optional: Create a QR code for the public key.

Click = Copy Copied to clipboard! qrencode -r keyname.pub -o keyname.pub.png

File keyname.pub.png would be the QR code of the public key.

Refer to the Debian signify-openbsd Manual Pagearchive.org iconarchive.today icon for further options.

[4]

See Also[edit]

Footnotes[edit]

  1. Jump up to: 1.0 1.1 https://isopenbsdsecu.re/mitigations/signify/archive.org iconarchive.today icon
  2. Meaning if the key is stolen, people can only be informed the key should not be trusted anymore.
  3. https://packages.debian.org/bookworm/signify-openbsdarchive.org iconarchive.today icon
Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!

Retrieved from "https://www.kicksecure.com/w/index.php?title=Signify&oldid=84618"