signify (OpenBSD)
Original author(s) | Ted Unangst, Marc Espie[1] |
---|---|
Developer(s) | OpenBSD[2] |
Initial release | 1 May 2014 |
Repository | github |
Written in | C |
Operating system | OpenBSD,[1] Linux,[3] Microsoft Windows[4] |
License | ISC license[3] |
signify is a free and open source tool developed by OpenBSD to generate and verify signatures.[1]
It makes use of Ed25519 and was created to enable the OpenBSD project to sign releases while not having to use GnuPG since its code complexity didn't comply with OpenBSD's standards for security and maintainability.[2]
Contrary to OpenPGP keys, signify keys are meant to be rotated frequently and are not tied to an identity.[2]
OpenBSD for example includes the next signing public key in each release. When version 5.6 was released, the keys for version 5.8 were generated to be included in version 5.7.[2]
Background
[edit]The creator of the signify
utility, Ted Unangst, wrote in 2015, speaking of OpenPGP and GnuPG: "The concerns I had using an existing tool were complexity, quality, and complexity."[2] This is in line with the project's longtime tendency to reduce complexity, and in turn, reduce the probability of vulnerabilities existing in the software, and help the user understand the software better and make more security-educated decisions. signify
is integrated into the base operating system and used for verification of all releases, patches, and packages starting with OpenBSD 5.5.[5][6]
Format
[edit]signify
public keys are 56 base64 characters. The first two bytes of the decoded data specifies the algorithm.[7]
The only currently supported algorithm is Ed25519 with the ID "Ed" but other algorithms can be added, for example to extend the software with post-quantum cryptography.[7]
The key and signature formats are prepended with an untrusted comment that can be manipulated and shouldn't be relied on.[7][1]
Examples
[edit]Public key
[edit]untrusted comment: signify public key RWT8aOqwyEbFcBqOgENsuEDD2h8uBCWKxcX Fv1QQk7IGUrKhbcZUY09
Private key
[edit]untrusted comment: signify secret key RWRCSwAAAAARy9ex6GaxBnbYJirsxcF6LGvFOt5iF n8aOqwyEbFcORd11nFXvrzBLfyRObCJ JlSh7CKVBgOE3t108hAl9AGo6AQ2y4QMPaHy4EJYrFxf4W/VBCTsgZSsqFtxlRjT0=
Signature
[edit]untrusted comment: verify with key.pub RWT8aOqwyEbFcNswGh6YdUTl1JQ4ifAzmNjGQQVkcH2MIfH6In3xVgishY1k9JjL7TLMuUDsLGXNfXxIFHTZpSZ58qk5SJVy/gQ=
Signature with embedded message
[edit]untrusted comment: verify with key.pub RWT8aOqwyEbFcLj0u4//hJEOZBa3 e1FFhv8d1HUwgZDcG0PgL5lBO9veYucAn5NxuPc9qCSIaXZ6PoUX4GBcp Ds0Pup81YhqA0= Hello world!
Usage
[edit]signify
has 4 possible modes:[1]
signify -G [-n] [-c comment] -p pubkey -s seckey
to generate a new keypair and save the public part in a file named "pubkey" and the secret part in a file named "seckey"
signify -S [-enz] [-x sigfile] -s seckey -m message
to sign a file named "message" with the private key saved in "seckey" and store the signature in a file named "sigfile. Specifying -e embeds the message after the signature.
signify -V [-eqz] [-p pubkey] [-t keytype] [-x sigfile] -m message
to verify a file named "message" with the public keys stored in a file named "pubkey" and the signature stored in a file called "sigfile. Specifying -e extracts the embedded message from the signature and writes it into the message file.
signify -C [-q] [-p pubkey] [-t keytype] -x sigfile [file ...]
to verify a list of signed files with the "sigfile" being a signed list with the embedded output of the sha256 command.
Usage
[edit]Apart from the obvious usage in OpenBSD, other projects also use signify:
- GrapheneOS[8]
- OpenWRT (slightly modified variant)[9]
In contrast, other Free Software operating systems and security-focused software tend to use OpenPGP for release verification, and as of 2024 continue to do so, including: Debian, a prominent operating system that's also used as a base for other operating systems, including Ubuntu;[10] Kali Linux, a specialized operating system for penetration testing, security research, digital forensics, and reverse engineering;[11] Qubes OS, a security-focused operating system;[12] Tor Browser, an anonymous Web browser;[13] SecureDrop, a software package for journalists and whistleblowers to exchange information securely and anonymously over the Internet;[14] and VeraCrypt, a software program for on-the-fly encryption and full disk encryption.[15]
References
[edit]- ^ a b c d e "signify(1)". OpenBSD manual pages. Retrieved 2024-12-11.
- ^ a b c d e "signify: Securing OpenBSD From Us To You". OpenBSD. Retrieved 2024-12-11.
- ^ a b "aperezdc/signify: OpenBSD tool to sign and verify signatures on files. Portable version". GitHub. 2014-01-14. Retrieved 2024-12-11.
- ^ "stoeckmann/signify-windows: OpenBSD signify for Windows systems". GitHub. 2015-10-20. Retrieved 2024-12-11.
- ^ "OpenBSD 5.5". www.openbsd.org. Retrieved 12 July 2022.
- ^ "OpenBSD: Innovations". www.openbsd.org.
- ^ a b c "sign and verify". flak. 2013-12-31. Retrieved 2024-12-11.
- ^ "Dive into anything". Reddit. 2024-12-11. Retrieved 2024-12-11.
- ^ "usign". Retrieved 2024-12-11.
- ^ "Verifying authenticity of Debian images". www.debian.org. Retrieved 12 July 2022.
- ^ "Download Kali Linux Images Securely | Kali Linux Documentation". Kali Linux. Retrieved 12 July 2022.
- ^ "Verifying signatures". Qubes OS. Retrieved 12 July 2022.
- ^ "How can I verify Tor Browser's signature? | Tor Project | Support". support.torproject.org. Retrieved 12 July 2022.
- ^ "Share and accept documents securely". SecureDrop. Freedom of the Press Foundation. Retrieved 12 July 2022.
- ^ "VeraCrypt - Free Open source disk encryption with strong security for the Paranoid". veracrypt.fr. IDRIX. Retrieved 12 July 2022.