signify (OpenBSD)

From Wikipedia, the free encyclopedia
signify
Original author(s): Ted Unangst, Marc Espie[1]
Developer(s): OpenBSD[2]
Initial release: 1 May 2014; 10 years ago (2014-05-01)
Repository: github.com/aperezdc/signify
Written in: C
Operating system: OpenBSD,[1] Linux,[3] Microsoft Windows[4]
License: ISC license[3]

signify is a free and open source tool developed by OpenBSD to generate and verify signatures.[1]

It makes use of Ed25519 and was created to enable the OpenBSD project to sign releases without having to use GnuPG, whose code complexity didn't comply with OpenBSD's standards for security and maintainability.[2]

Unlike OpenPGP keys, signify keys are meant to be rotated frequently and are not tied to an identity.[2]

OpenBSD, for example, includes the next signing public key in each release. When version 5.6 was released, the keys for version 5.8 were generated to be included in version 5.7.[2]

Background

The creator of the signify utility, Ted Unangst, wrote in 2015, speaking of OpenPGP and GnuPG: "The concerns I had using an existing tool were complexity, quality, and complexity."[2] This is in line with the project's longtime tendency to reduce complexity, and in turn, reduce the probability of vulnerabilities existing in the software, and help the user understand the software better and make more security-educated decisions. signify is integrated into the base operating system and used for verification of all releases, patches, and packages starting with OpenBSD 5.5.[5][6]

Format

signify public keys are 56 base64 characters. The first two bytes of the decoded data specify the algorithm.[7] The only currently supported algorithm is Ed25519, with the ID "Ed", but other algorithms can be added, for example to extend the software with post-quantum cryptography.[7]

The key and signature formats are prepended with an untrusted comment that can be manipulated and shouldn't be relied on.[7][1]
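
An added example (not part of the original article or of signify itself) of a parser for the format described above: it discards the untrusted comment, checks the decoded length and the "Ed" algorithm ID, and compares key numbers. The 8-byte key number and the 32/64-byte payload sizes are assumptions taken from signify's C structs rather than from this page, and the sample files are constructed with zero-filled payloads.

```python
import base64

PK_ALG = b"Ed"  # algorithm ID stated on the page (Ed25519)
COMMENT = "untrusted comment: "
# Assumed layout (from signify's C structs, not from this page):
# 2-byte algorithm ID, 8-byte key number, then a 32-byte key or 64-byte signature.
SIZES = {"pubkey": 32, "sig": 64}

def parse(text, kind):
    """Parse a signify public key or signature file; return (keynum, payload, rest)."""
    lines = text.split("\n")
    if len(lines) < 2 or not lines[0].startswith(COMMENT):
        raise ValueError("missing untrusted comment line")
    # The comment is never returned: it is not covered by the signature.
    try:
        raw = base64.b64decode(lines[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("second line is not valid base64") from exc
    if len(raw) != 10 + SIZES[kind]:
        raise ValueError(f"bad {kind} length: {len(raw)} bytes")
    if raw[:2] != PK_ALG:
        raise ValueError(f"unsupported algorithm {raw[:2]!r}")
    # rest is the embedded message when the signature was made with -e
    return raw[2:10], raw[10:], "\n".join(lines[2:])

def same_key(pub_text, sig_text):
    """True if the signature names the key number of this public key."""
    return parse(pub_text, "pubkey")[0] == parse(sig_text, "sig")[0]

def make(kind, keynum, comment="constructed sample"):
    """Build a constructed sample file with a zero-filled payload (not a real key)."""
    body = PK_ALG + keynum + bytes(SIZES[kind])
    return f"{COMMENT}{comment}\n{base64.b64encode(body).decode()}\n"

if __name__ == "__main__":
    pub = make("pubkey", b"\x01" * 8)
    sig = make("sig", b"\x01" * 8, comment="verify with key.pub")
    print(len(pub.split("\n")[1]), "base64 characters in the key line")
    print("key numbers match:", same_key(pub, sig))
    print("other key:", same_key(make("pubkey", b"\x02" * 8), sig))
```

A matching key number only selects which public key to try; the Ed25519 signature over the message still has to be verified before the file is trusted.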

Examples

Public key

untrusted comment: signify public key
RWT8aOqwyEbFcBqOgENsuEDD2h8uBCWKxcX+Fv1QQk7IGUrKhbcZUY09

Private key

untrusted comment: signify secret key
RWRCSwAAAAARy9ex6GaxBnbYJirsxcF6LGvFOt5iF+n8aOqwyEbFcORd11nFXvrzBLfyRObCJ+JlSh7CKVBgOE3t108hAl9AGo6AQ2y4QMPaHy4EJYrFxf4W/VBCTsgZSsqFtxlRjT0=

Signature

untrusted comment: verify with key.pub
RWT8aOqwyEbFcNswGh6YdUTl1JQ4ifAzmNjGQQVkcH2MIfH6In3xVgishY1k9JjL7TLMuUDsLGXNfXxIFHTZpSZ58qk5SJVy/gQ=

Signature with embedded message

untrusted comment: verify with key.pub
RWT8aOqwyEbFcLj0u4//hJEOZBa3+e1FFhv8d1HUwgZDcG0PgL5lBO9veYucAn5NxuPc9qCSIaXZ6PoUX4GBcpDs0Pup81YhqA0=
Hello world!

Usage

signify has 4 possible modes:[1]

signify -G [-n] [-c comment] -p pubkey -s seckey

to generate a new keypair and save the public part in a file named "pubkey" and the secret part in a file named "seckey"

signify -S [-enz] [-x sigfile] -s seckey -m message

to sign a file named "message" with the private key saved in "seckey" and store the signature in a file named "sigfile". Specifying -e embeds the message after the signature.

signify -V [-eqz] [-p pubkey] [-t keytype] [-x sigfile] -m message

to verify a file named "message" with the public keys stored in a file named "pubkey" and the signature stored in a file called "sigfile". Specifying -e extracts the embedded message from the signature and writes it into the message file.

signify -C [-q] [-p pubkey] [-t keytype] -x sigfile [file ...]

to verify a list of signed files with the "sigfile" being a signed list with the embedded output of the sha256 command.

Usage

Apart from the obvious usage in OpenBSD, other projects also use signify:

In contrast, other Free Software operating systems and security-focused software tend to use OpenPGP for release verification, and as of 2024 continue to do so, including: Debian, a prominent operating system that's also used as a base for other operating systems, including Ubuntu;[10] Kali Linux, a specialized operating system for penetration testing, security research, digital forensics, and reverse engineering;[11] Qubes OS, a security-focused operating system;[12] Tor Browser, an anonymous Web browser;[13] SecureDrop, a software package for journalists and whistleblowers to exchange information securely and anonymously over the Internet;[14] and VeraCrypt, a software program for on-the-fly encryption and full disk encryption.[15]

References

  1. "signify(1)". OpenBSD manual pages. Retrieved 2024-12-11.
  2. "signify: Securing OpenBSD From Us To You". OpenBSD. Retrieved 2024-12-11.
  3. "aperezdc/signify: OpenBSD tool to sign and verify signatures on files. Portable version". GitHub. 2014-01-14. Retrieved 2024-12-11.
  4. "stoeckmann/signify-windows: OpenBSD signify for Windows systems". GitHub. 2015-10-20. Retrieved 2024-12-11.
  5. "OpenBSD 5.5". www.openbsd.org. Retrieved 12 July 2022.
  6. "OpenBSD: Innovations". www.openbsd.org.
  7. "sign and verify". flak. 2013-12-31. Retrieved 2024-12-11.
  8. "Dive into anything". Reddit. 2024-12-11. Retrieved 2024-12-11.
  9. "usign". Retrieved 2024-12-11.
  10. "Verifying authenticity of Debian images". www.debian.org. Retrieved 12 July 2022.
  11. "Download Kali Linux Images Securely | Kali Linux Documentation". Kali Linux. Retrieved 12 July 2022.
  12. "Verifying signatures". Qubes OS. Retrieved 12 July 2022.
  13. "How can I verify Tor Browser's signature? | Tor Project | Support". support.torproject.org. Retrieved 12 July 2022.
  14. "Share and accept documents securely". SecureDrop. Freedom of the Press Foundation. Retrieved 12 July 2022.
  15. "VeraCrypt - Free Open source disk encryption with strong security for the Paranoid". veracrypt.fr. IDRIX. Retrieved 12 July 2022.