| Original author(s) | Ted Unangst, Marc Espie [1] |
|---|---|
| Developer(s) | OpenBSD [2] |
| Initial release | 1 May 2014 |
| Repository | github |
| Written in | C |
| Operating system | OpenBSD, [1] Linux, [3] Microsoft Windows [4] |
| License | ISC license [3] |
signify is a free and open source tool developed by OpenBSD to generate and verify signatures. [1]
It uses Ed25519 and was created so that the OpenBSD project could sign releases without having to use GnuPG, whose code complexity did not meet OpenBSD's standards for security and maintainability. [2]
Contrary to OpenPGP keys, signify keys are meant to be rotated frequently and are not tied to an identity. [2]
OpenBSD, for example, ships the signing public key for the next release in each release: when version 5.6 was released, the keys for version 5.8 were generated so that they could be included in version 5.7. [2]
The creator of the signify utility, Ted Unangst, wrote in 2015, speaking of OpenPGP and GnuPG: "The concerns I had using an existing tool were complexity, quality, and complexity." [2] This is in line with the project's long-standing tendency to reduce complexity, which in turn reduces the probability of vulnerabilities in the software and helps users understand it better and make better-informed security decisions. signify is integrated into the base operating system and has been used to verify all releases, patches, and packages since OpenBSD 5.5. [5] [6]
signify public keys are 56 base64 characters. The first two bytes of the decoded data specify the algorithm. [7] The only currently supported algorithm is Ed25519, with the ID "Ed", but other algorithms can be added, for example to extend the software with post-quantum cryptography. [7]
Both the key and the signature formats begin with an untrusted comment line; it can be manipulated and should not be relied on. [7] [1]
```
untrusted comment: signify public key
RWT8aOqwyEbFcBqOgENsuEDD2h8uBCWKxcX+Fv1QQk7IGUrKhbcZUY09

untrusted comment: signify secret key
RWRCSwAAAAARy9ex6GaxBnbYJirsxcF6LGvFOt5iF+n8aOqwyEbFcORd11nFXvrzBLfyRObCJ+JlSh7CKVBgOE3t108hAl9AGo6AQ2y4QMPaHy4EJYrFxf4W/VBCTsgZSsqFtxlRjT0=

untrusted comment: verify with key.pub
RWT8aOqwyEbFcNswGh6YdUTl1JQ4ifAzmNjGQQVkcH2MIfH6In3xVgishY1k9JjL7TLMuUDsLGXNfXxIFHTZpSZ58qk5SJVy/gQ=

untrusted comment: verify with key.pub
RWT8aOqwyEbFcLj0u4//hJEOZBa3+e1FFhv8d1HUwgZDcG0PgL5lBO9veYucAn5NxuPc9qCSIaXZ6PoUX4GBcpDs0Pup81YhqA0=
Hello world!
```
signify has four possible modes: [1]

- `signify -G [-n] [-c comment] -p pubkey -s seckey`
  generates a new key pair and saves the public part in a file named "pubkey" and the secret part in a file named "seckey".
- `signify -S [-enz] [-x sigfile] -s seckey -m message`
  signs a file named "message" with the private key saved in "seckey" and stores the signature in a file named "sigfile". Specifying -e embeds the message after the signature.
- `signify -V [-eqz] [-p pubkey] [-t keytype] [-x sigfile] -m message`
  verifies a file named "message" with the public key stored in a file named "pubkey" and the signature stored in a file named "sigfile". Specifying -e extracts the embedded message from the signature and writes it into the message file.
- `signify -C [-q] [-p pubkey] [-t keytype] -x sigfile [file ...]`
  verifies a list of signed files, where "sigfile" is a signed list that embeds the output of the sha256 command.
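The file format and the -V, -e and -C modes described above, as an added example written for this article rather than code taken from signify itself: a Go re-implementation of the two-line format (untrusted comment, then base64 of the two-byte algorithm ID, the eight-byte key number and the key or signature), of embedded-message signatures and of the signed checksum-list check, built on Go's standard crypto/ed25519. The function names, the comment strings, the fixed key number and the file payloads are constructed for the example; the checksum list is assumed to be in the `SHA256 (name) = hex` form the BSD sha256 utility prints, and the key-number comparison before the Ed25519 check is this example's way of rejecting a signature made under a different key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

const hdr = "untrusted comment: "

// Parse decodes "untrusted comment: ...\n<base64>\n[message]" into the 8-byte key
// number, the key or signature (dataLen bytes) and any embedded (-e) message.
// The comment line is discarded: it is unsigned and must not drive decisions.
func Parse(file []byte, dataLen int) (keynum [8]byte, data, msg []byte, err error) {
	lines := bytes.SplitN(file, []byte("\n"), 3)
	if len(lines) < 2 || !bytes.HasPrefix(lines[0], []byte(hdr)) {
		return keynum, nil, nil, fmt.Errorf("missing comment or base64 line")
	}
	raw, err := base64.StdEncoding.DecodeString(string(lines[1]))
	if err != nil || len(raw) != 2+8+dataLen || string(raw[:2]) != "Ed" {
		return keynum, nil, nil, fmt.Errorf("bad base64, length or algorithm: %q", lines[1])
	}
	copy(keynum[:], raw[2:10])
	if len(lines) == 3 && len(lines[2]) > 0 {
		msg = lines[2]
	}
	return keynum, raw[10:], msg, nil
}

// Encode writes the two-line file format: comment, then base64("Ed" || keynum || data).
func Encode(comment string, keynum [8]byte, data []byte) []byte {
	raw := append(append([]byte("Ed"), keynum[:]...), data...)
	return []byte(hdr + comment + "\n" + base64.StdEncoding.EncodeToString(raw) + "\n")
}

// Sign builds a signature file for msg; embed appends msg after it, as signify -S -e does.
func Sign(priv ed25519.PrivateKey, keynum [8]byte, msg []byte, embed bool) []byte {
	sig := Encode("verify with the matching .pub", keynum, ed25519.Sign(priv, msg))
	if embed {
		sig = append(sig, msg...)
	}
	return sig
}

// Verify checks sigFile against pubFile. With msg nil the message embedded in
// sigFile is verified and returned, so callers only ever see authenticated bytes.
func Verify(pubFile, sigFile, msg []byte) ([]byte, error) {
	pubNum, pubKey, _, err := Parse(pubFile, ed25519.PublicKeySize)
	if err != nil {
		return nil, fmt.Errorf("public key: %w", err)
	}
	sigNum, sig, embedded, err := Parse(sigFile, ed25519.SignatureSize)
	if err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	if pubNum != sigNum { // cheap mismatch check before any curve arithmetic
		return nil, fmt.Errorf("public key has no matching key number")
	}
	if msg == nil {
		msg = embedded
	}
	if msg == nil || !ed25519.Verify(ed25519.PublicKey(pubKey), msg, sig) {
		return nil, fmt.Errorf("signature verification failed")
	}
	return msg, nil
}

// CheckList is the -C mode: verify a signed, embedded "SHA256 (name) = hex" list,
// then report whether files[name] matches each recorded digest.
func CheckList(pubFile, sigFile []byte, files map[string][]byte) (map[string]bool, error) {
	list, err := Verify(pubFile, sigFile, nil)
	if err != nil {
		return nil, err
	}
	result := map[string]bool{}
	for _, line := range strings.Split(strings.TrimSpace(string(list)), "\n") {
		parts := strings.SplitN(strings.TrimPrefix(line, "SHA256 ("), ") = ", 2)
		if !strings.HasPrefix(line, "SHA256 (") || len(parts) != 2 {
			return nil, fmt.Errorf("malformed list line %q", line)
		}
		sum := sha256.Sum256(files[parts[0]]) // a missing file hashes as empty and fails
		result[parts[0]] = parts[1] == hex.EncodeToString(sum[:])
	}
	return result, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only without a system RNG
	keynum := [8]byte{1, 2, 3, 4, 5, 6, 7, 8}        // constructed; signify draws this at random
	files := map[string][]byte{"base.tgz": []byte("constructed payload")}
	list := fmt.Sprintf("SHA256 (base.tgz) = %x\n", sha256.Sum256(files["base.tgz"]))
	sig := Sign(priv, keynum, []byte(list), true)
	fmt.Println(CheckList(Encode("example key", keynum, pub), sig, files)) // map[base.tgz:true] <nil>
}
```

Running Parse over the public key and the detached signature shown above yields the same eight-byte key number, fc68eab0c846c570, for both; a signature file produced under a different key carries a different key number, so Verify rejects it before any Ed25519 arithmetic is attempted. Altering any byte of a listed file changes its SHA-256 digest and turns that entry of the CheckList result to false, while the signed list itself still verifies.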
Apart from its use in OpenBSD itself, other projects also use signify:
In contrast, other Free Software operating systems and security-focused software tend to use OpenPGP for release verification, and as of 2024 continue to do so, including: Debian, a prominent operating system that's also used as a base for other operating systems, including Ubuntu; [10] Kali Linux, a specialized operating system for penetration testing, security research, digital forensics, and reverse engineering; [11] Qubes OS, a security-focused operating system; [12] Tor Browser, an anonymous Web browser; [13] SecureDrop, a software package for journalists and whistleblowers to exchange information securely and anonymously over the Internet; [14] and VeraCrypt, a software program for on-the-fly encryption and full disk encryption. [15]