Signify (OpenBSD)

Last updated
signify
Original author(s) Ted Unangst, Marc Espie [1]
Developer(s) OpenBSD [2]
Initial release1 May 2014;10 years ago (2014-05-01)
Repository github.com/aperezdc/signify
Written in C
Operating system OpenBSD, [1] Linux, [3] Microsoft Windows [4]
License ISC license [3]

signify is a free and open source tool developed by OpenBSD to generate and verify signatures. [1]

Contents

It makes use of Ed25519 and was created to enable the OpenBSD project to sign releases while not having to use GnuPG since its code complexity didn't comply with OpenBSD's standards for security and maintainability. [2]

Contrary to OpenPGP keys, signify keys are meant to be rotated frequently and are not tied to an identity. [2]

OpenBSD for example includes the next signing public key in each release. When version 5.6 was released, the keys for version 5.8 were generated to be included in version 5.7. [2]

Background

The creator of the signify utility, Ted Unangst, wrote in 2015, speaking of OpenPGP and GnuPG: "The concerns I had using an existing tool were complexity, quality, and complexity." [2] This is in line with the project's longtime tendency to reduce complexity, and in turn, reduce the probability of vulnerabilities existing in the software, and help the user understand the software better and make more security-educated decisions. signify is integrated into the base operating system and used for verification of all releases, patches, and packages starting with OpenBSD 5.5. [5] [6]

Format

signify public keys are 56 base64 characters. The first two bytes of the decoded data specifies the algorithm. [7] The only currently supported algorithm is Ed25519 with the ID "Ed" but other algorithms can be added, for example to extend the software with post-quantum cryptography. [7]

The key and signature formats are prepended with an untrusted comment that can be manipulated and shouldn't be relied on. [7] [1]

Examples

Public key

untrusted comment: signify public key RWT8aOqwyEbFcBqOgENsuEDD2h8uBCWKxcX+Fv1QQk7IGUrKhbcZUY09

Private key

untrusted comment: signify secret key RWRCSwAAAAARy9ex6GaxBnbYJirsxcF6LGvFOt5iF+n8aOqwyEbFcORd11nFXvrzBLfyRObCJ+JlSh7CKVBgOE3t108hAl9AGo6AQ2y4QMPaHy4EJYrFxf4W/VBCTsgZSsqFtxlRjT0=

Signature

untrusted comment: verify with key.pub RWT8aOqwyEbFcNswGh6YdUTl1JQ4ifAzmNjGQQVkcH2MIfH6In3xVgishY1k9JjL7TLMuUDsLGXNfXxIFHTZpSZ58qk5SJVy/gQ=

Signature with embedded message

untrusted comment: verify with key.pub RWT8aOqwyEbFcLj0u4//hJEOZBa3+e1FFhv8d1HUwgZDcG0PgL5lBO9veYucAn5NxuPc9qCSIaXZ6PoUX4GBcp Ds0Pup81YhqA0= Hello world!

Usage

signify has 4 possible modes: [1] 

signify -G [-n] [-c comment] -p pubkey -s seckey

to generate a new keypair and save the public part in a file named "pubkey" and the secret part in a file named "seckey"

signify -S [-enz] [-x sigfile] -s seckey -m message

to sign a file named "message" with the private key saved in "seckey" and store the signature in a file named "sigfile. Specifying -e embeds the message after the signature.

signify -V [-eqz] [-p pubkey] [-t keytype] [-x sigfile] -m message

to verify a file named "message" with the public keys stored in a file named "pubkey" and the signature stored in a file called "sigfile. Specifying -e extracts the embedded message from the signature and writes it into the message file.

signify -C [-q] [-p pubkey] [-t keytype] -x sigfile [file ...]

to verify a list of signed files with the "sigfile" being a signed list with the embedded output of the sha256 command.

Usage

Apart from the obvious usage in OpenBSD, other projects also use signify:

In contrast, other Free Software operating systems and security-focused software tend to use OpenPGP for release verification, and as of 2024 continue to do so, including: Debian, a prominent operating system that's also used as a base for other operating systems, including Ubuntu; [10] Kali Linux, a specialized operating system for penetration testing, security research, digital forensics, and reverse engineering; [11] Qubes OS, a security-focused operating system; [12] Tor Browser, an anonymous Web browser; [13] SecureDrop, a software package for journalists and whistleblowers to exchange information securely and anonymously over the Internet; [14] and VeraCrypt, a software program for on-the-fly encryption and full disk encryption. [15]

Related Research Articles

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991.

<span class="mw-page-title-main">Public-key cryptography</span> Cryptographic system with public and private keys

Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic algorithms based on mathematical problems termed one-way functions. Security of public-key cryptography depends on keeping the private key secret; the public key can be openly distributed without compromising security. There are many kinds of public-key cryptosystems, with different security goals, including digital signature, Diffie-Hellman key exchange, public-key key encapsulation, and public-key encryption.

The Secure Shell (SSH) Protocol is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.

<span class="mw-page-title-main">GNU Privacy Guard</span> Complete implementation of the OpenPGP and S/MIME standards

GNU Privacy Guard is a free-software replacement for Symantec's cryptographic software suite PGP. The software is compliant with the now obsoleted RFC 4880, the IETF standards-track specification of OpenPGP. Modern versions of PGP are interoperable with GnuPG and other OpenPGP v4-compliant systems.

CAcert.org is a community-driven certificate authority that issues free X.509 public key certificates. CAcert.org relies heavily on automation and therefore issues only Domain-validated certificates.

<span class="mw-page-title-main">OpenSSL</span> Open-source implementation of the SSL and TLS protocols

OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping, and identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.

deb is the format, as well as filename extension of the software package format for the Debian Linux distribution and its derivatives.

S/MIME is a standard for public-key encryption and signing of MIME data. S/MIME is on an IETF standards track and defined in a number of documents, most importantly RFC 8551. It was originally developed by RSA Data Security, and the original specification used the IETF MIME specification with the de facto industry standard PKCS #7 secure message format. Change control to S/MIME has since been vested in the IETF, and the specification is now layered on Cryptographic Message Syntax (CMS), an IETF specification that is identical in most respects with PKCS #7. S/MIME functionality is built into the majority of modern email software and interoperates between them. Since it is built on CMS, MIME can also hold an advanced digital signature.

In computer security, a sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures and/or software vulnerabilities from spreading. The sandbox metaphor derives from the concept of a child's sandbox—a play area where children can build, destroy, and experiment without causing any real-world damage. It is often used to kill untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system. A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as storage and memory scratch space. Network access, the ability to inspect the host system, or read from input devices are usually disallowed or heavily restricted.

The OpenBSD operating system focuses on security and the development of security features. According to author Michael W. Lucas, OpenBSD "is widely regarded as the most secure operating system available anywhere, under any licensing terms."

cryptlib is an open-source cross-platform software security toolkit library. It is distributed under the Sleepycat License, a free software license compatible with the GNU General Public License. Alternatively, cryptlib is available under a proprietary license for those preferring to use it under proprietary terms.

This is a technical feature comparison of different disk encryption software.

Email encryption is encryption of email messages to protect the content from being read by entities other than the intended recipients. Email encryption may also include authentication.

<span class="mw-page-title-main">Tinfoil Hat Linux</span> Security-focused Linux distribution

Tinfoil Hat Linux (THL) is a compact security-focused Linux distribution designed for high security developed by The Shmoo Group. The first version (1.000) was released in February 2002. By 2013, it had become a low-priority project. Its image files and source are available in gzip format. THL can be used on modern PCs using an Intel 80386 or better, with at least 8 MB of RAM. The distribution fits on a single HD floppy disk. The small footprint provides additional benefits beyond making the system easy to understand and verify. A hard drive is not required to use THL, making it easier to "sanitize" the computer after use.

In cryptography, Curve25519 is an elliptic curve used in elliptic-curve cryptography (ECC) offering 128 bits of security and designed for use with the Elliptic-curve Diffie–Hellman (ECDH) key agreement scheme. It is one of the fastest curves in ECC, and is not covered by any known patents. The reference implementation is public domain software.

<span class="mw-page-title-main">Linoma Software</span>

Linoma Software was a developer of secure managed file transfer and IBM i software solutions. The company was acquired by HelpSystems in June 2016. Mid-sized companies, large enterprises and government entities use Linoma's software products to protect sensitive data and comply with data security regulations such as PCI DSS, HIPAA/HITECH, SOX, GLBA and state privacy laws. Linoma's software runs on a variety of platforms including Windows, Linux, UNIX, IBM i, AIX, Solaris, HP-UX and Mac OS X.

<span class="mw-page-title-main">OpenSSH</span> Set of computer programs providing encrypted communication sessions

OpenSSH is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture.

<span class="mw-page-title-main">Cryptocat</span> Open source encrypted chat application

Cryptocat is a discontinued open-source desktop application intended to allow encrypted online chatting available for Windows, OS X, and Linux. It uses end-to-end encryption to secure all communications to other Cryptocat users. Users are given the option of independently verifying their buddies' device lists and are notified when a buddy's device list is modified and all updates are verified through the built-in update downloader.

In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves. It is designed to be faster than existing digital signature schemes without sacrificing security. It was developed by a team including Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. The reference implementation is public-domain software.

<span class="mw-page-title-main">Mailfence</span> Encrypted email service

Mailfence is an encrypted email service with a focus on security and privacy that offers OpenPGP based end-to-end encryption and digital signatures for usage in emails. It was launched in November 2013 by Belgium-based company ContactOffice Group, which has been operating an online collaboration suite since 1999.

References

  1. 1 2 3 4 5 "signify(1)". OpenBSD manual pages. Retrieved 2024-12-11.
  2. 1 2 3 4 5 "signify: Securing OpenBSD From Us To You". OpenBSD. Retrieved 2024-12-11.
  3. 1 2 "aperezdc/signify: OpenBSD tool to sign and verify signatures on files. Portable version". GitHub. 2014-01-14. Retrieved 2024-12-11.
  4. "stoeckmann/signify-windows: OpenBSD signify for Windows systems". GitHub. 2015-10-20. Retrieved 2024-12-11.
  5. "OpenBSD 5.5". www.openbsd.org. Retrieved 12 July 2022.
  6. "OpenBSD: Innovations". www.openbsd.org.
  7. 1 2 3 "sign and verify". flak. 2013-12-31. Retrieved 2024-12-11.
  8. "Dive into anything". Reddit. 2024-12-11. Retrieved 2024-12-11.
  9. "usign" . Retrieved 2024-12-11.
  10. "Verifying authenticity of Debian images". www.debian.org. Retrieved 12 July 2022.
  11. "Download Kali Linux Images Securely | Kali Linux Documentation". Kali Linux. Retrieved 12 July 2022.
  12. "Verifying signatures". Qubes OS. Retrieved 12 July 2022.
  13. "How can I verify Tor Browser's signature? | Tor Project | Support". support.torproject.org. Retrieved 12 July 2022.
  14. "Share and accept documents securely". SecureDrop. Freedom of the Press Foundation. Retrieved 12 July 2022.
  15. "VeraCrypt - Free Open source disk encryption with strong security for the Paranoid". veracrypt.fr. IDRIX. Retrieved 12 July 2022.
    This page is based on this Wikipedia article
    Text is available under the CC BY-SA 4.0 license; additional terms may apply.
    Images, videos and audio are available under their respective licenses.