
minisign - A dead simple tool to sign files and verify signatures.

minisign -G [-p pubkey] [-s seckey]
minisign -S [-H] [-x sigfile] [-s seckey] [-c untrusted_comment] [-t trusted_comment] -m <file>
minisign -V [-x sigfile] [-p pubkeyfile | -P pubkey] [-o] [-q] -m file

Minisign is a dead simple tool to sign files and verify signatures.
It is portable, lightweight, and uses the highly secure Ed25519 public-key signature system.

These options control the actions of minisign.
-G
Generate a new key pair
-S
Sign a file
-V
Verify that a signature is valid for a given file
-m <file>
File to sign/verify
-o
Combined with -V, output the file content after verification
-H
Combined with -S, pre-hash in order to sign large files
-p <pubkeyfile>
Public key file (default: ./
-P <pubkey>
Public key, as a base64 string
-s <seckey>
Secret key file (default: ~/.minisign/minisign.key)
-x <sigfile>
Signature file (default: <file>.minisig)
-c <comment>
Add a one-line untrusted comment
-t <comment>
Add a one-line trusted comment
-q
Quiet mode, suppress output
-Q
Pretty quiet mode, only print the trusted comment
-f
Force. Combined with -G, overwrite a previous key pair
-v
Display version number

Creating a key pair
$ minisign -G
The public key is printed and put into the file. The secret key is encrypted and saved as a file named ~/.minisign/minisign.key.
Signing a file
$ minisign -Sm myfile.txt
Or to include a comment in the signature, that will be verified and displayed when verifying the file:
$ minisign -Sm myfile.txt -t 'This comment will be signed as well'
The secret key is loaded from ${MINISIGN_CONFIG_DIR}/minisign.key, ~/.minisign/minisign.key, or its path can be explicitly set with the -s <path> command-line switch.
Verifying a file
$ minisign -Vm myfile.txt -p <pubkey>
$ minisign -Vm myfile.txt -p
This requires the signature myfile.txt.minisig to be present in the same directory.
The public key can either reside in a file ( ./ by default) or be directly specified on the command line.

Trusted comments
Signature files include an untrusted comment line that can be freely modified, even after signature creation.
They also include a second comment line, that cannot be modified without the secret key.
Trusted comments can be used to add instructions or application-specific metadata (intended file name, timestamps, resource identifiers, version numbers to prevent downgrade attacks).
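The downgrade protection mentioned above only works if the verifier acts on the trusted comment. The following is an added example, not part of the man page or of minisign: it assumes the signer wrote the comment as `file:<name> version:<x.y.z>` with -t, and all function names are hypothetical.

```sh
#!/bin/sh
# Added example. ASSUMED trusted-comment layout (set with -t when signing):
#   file:<name> version:<dotted-numeric>
# Function names are hypothetical, not part of minisign.

# field KEY COMMENT: print the value of "KEY:value" from a space-separated comment
field() {
    padded=" $2 "
    case "$padded" in *" $1:"*) ;; *) return 1 ;; esac
    rest=${padded#*" $1:"}
    printf '%s\n' "${rest%% *}"
}

# version_ge A B: succeed if dotted numeric version A >= B
version_ge() {
    for v in "$1" "$2"; do
        case "$v" in ''|*[!0-9.]*) return 1 ;; esac   # reject anything non-numeric
    done
    a=$1 b=$2
    while [ -n "$a$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# accept_comment COMMENT EXPECTED_NAME INSTALLED_VERSION
accept_comment() {
    name=$(field file "$1") || return 1
    ver=$(field version "$1") || return 1
    [ "$name" = "$2" ] || return 1     # signed for a different file name
    version_ge "$ver" "$3"             # older than installed means downgrade
}

# verify_release FILE PUBKEYFILE INSTALLED_VERSION
verify_release() {
    # -V verifies; -Q prints only the trusted comment. Assumption: the bare
    # comment text arrives on stdout. A failed verification exits non-zero.
    comment=$(minisign -VQm "$1" -p "$2") || return 1
    accept_comment "$comment" "$(basename "$1")" "$3"
}
```

The policy is applied only to text that minisign has already verified; the untrusted comment line is never consulted.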
Compatibility with OpenBSD signify
Signatures written by minisign can be verified using OpenBSD's signify tool: public key files and signature files are compatible.
However, minisign uses a slightly different format to store secret keys.
Minisign signatures include trusted comments in addition to untrusted comments. Trusted comments are signed, thus verified, before being displayed.
This adds two lines to the signature files, that signify silently ignores.
By default, signing and verification require as much memory as the size of the file.
Since Minisign 0.6, huge files can be signed and verified with very low memory requirements, by pre-hashing the content.
The -H command-line switch, in combination with -S, generates a pre-hashed signature (HashEdDSA):
$ minisign -SHm myfile.txt
Verification of such a signature doesn't require any specific switch: the appropriate algorithm will automatically be detected.
Signatures generated that way are not compatible with OpenBSD's signify tool and are not compatible with Minisign versions prior to 0.6.

Frank Denis (github [at] pureftpd [dot] org)
August 2016
