
Signify

We look at OpenBSD’s Signify. You can use Signify as an alternative to GnuPG or Minisign for signing and verifying files.


Signify uses Ed25519 for cryptographic signing and verification. OpenBSD developers use Signify extensively for signing; Ted Unangst originally developed the tool to sign and verify OpenBSD’s files. Other projects also rely on Signify, such as WireGuard, radare2, and LibreSSL.

The current version of Signify is v30, released on September 24, 2020.

Create a key pair

Download and install Signify on your platform. Then, enter signify -G -p signify.pub -s signify.sec to create a key pair in the current directory. Set a strong password, ideally by using a password manager.

As you see, we specify “-p” for the public verification key “signify.pub,” and “-s” for the secret signing key “signify.sec.”

Warning
If you create a new key pair, you get two files: The file that ends with ".sec" is your private signing key. Do not share it. The file that ends with ".pub" is your public verification key. Share this file with everybody who needs to verify your signatures.

The output of cat signify.pub looks like:

untrusted comment: signify public key of InfoSec Handbook
RWSdP65piDd+OZWjsPeIWQKHCOBbF0XSDRIA6uby560mpcZVFaCU8USG

The first line is an “untrusted” comment. “Untrusted” means that it isn’t signed and can be changed without invalidating the key. The second line is the Base64-encoded public key.

After creating a key pair, the workflow is similar to tools like GnuPG or Minisign: You publish your public key “signify.pub” and use your local private key “signify.sec” to sign files.

Sign a file

To sign files, enter: signify -S -s signify.sec -m [file-to-sign] -x [signature-file]. After entering the passphrase for the private key, Signify signs the “[file-to-sign]” and stores the signature in “[signature-file].” If you don’t specify “-x,” Signify uses “[file-to-sign].sig.”

Verify a file

You can verify the file’s signature by entering: signify -V -p signify.pub -m [file-to-sign].

Again, “-x” can be specified for a custom signature file. If the signature is correct, you see “Signature Verified.” If the provided file differs from the original one, you get “signify: signature verification failed.” If the signature file is corrupted, you see “signify: unable to parse [signature-file].”

The signature file looks like:

untrusted comment: verify with signify.pub
RWSdP65piDd+OVoglh1oEzICs3q/OIVN4p5DC0TscWfy/kjtC2wdDKGtBbW2/uKbxLcw5qvA/jTr8YNNe2X0T8xY/n0wjItd9gs=
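The two file formats shown above (the public key and the signature file) and the three verification outcomes described in this section are small enough to reproduce end to end. The following Go program is an added example written for this article; it is not code from the article or from the OpenBSD project. Go is used here because its standard library ships Ed25519, so the example runs without extra dependencies. The layout of the Base64 payload (a 2-byte algorithm tag "Ed", an 8-byte key number, then the 32-byte public key or the 64-byte signature) comes from signify's source. The example generates its own key pair with Go's crypto/ed25519 instead of reading signify's encrypted ".sec" file, which it does not reproduce; the message it signs is constructed for the demo. The function names (parseSignifyFile, Verify, GenerateAndSign, KeyNum) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Layout of the Base64 payload in signify public-key and signature files
// (from OpenBSD's signify.c): a 2-byte algorithm tag "Ed", an 8-byte key
// number, then the 32-byte Ed25519 public key or the 64-byte signature.
const (
	pkAlg     = "Ed"
	keyNumLen = 8
	pubKeyLen = 2 + keyNumLen + ed25519.PublicKeySize
	sigLen    = 2 + keyNumLen + ed25519.SignatureSize
)

// parseSignifyFile splits a two-line signify file into its untrusted comment
// and the decoded binary payload, which must be exactly want bytes long and
// carry the "Ed" algorithm tag. Anything else is reported as unparsable.
func parseSignifyFile(text string, want int) (comment string, payload []byte, err error) {
	lines := strings.Split(strings.TrimRight(text, "\n"), "\n")
	if len(lines) != 2 || !strings.HasPrefix(lines[0], "untrusted comment: ") {
		return "", nil, errors.New("unable to parse file")
	}
	comment = strings.TrimPrefix(lines[0], "untrusted comment: ")
	payload, err = base64.StdEncoding.DecodeString(lines[1])
	if err != nil || len(payload) != want || string(payload[:2]) != pkAlg {
		return "", nil, errors.New("unable to parse file")
	}
	return comment, payload, nil
}

// KeyNum returns the 8-byte key number from either kind of signify file.
func KeyNum(file string) ([]byte, error) {
	for _, want := range []int{pubKeyLen, sigLen} {
		if _, p, err := parseSignifyFile(file, want); err == nil {
			return p[2 : 2+keyNumLen], nil
		}
	}
	return nil, errors.New("unable to parse file")
}

// Verify checks a signify signature file against a signify public-key file
// and the signed message; a nil result corresponds to "Signature Verified".
func Verify(pubFile, sigFile string, msg []byte) error {
	_, pub, err := parseSignifyFile(pubFile, pubKeyLen)
	if err != nil {
		return fmt.Errorf("unable to parse public key: %w", err)
	}
	_, sig, err := parseSignifyFile(sigFile, sigLen)
	if err != nil {
		return fmt.Errorf("unable to parse signature: %w", err)
	}
	// The key number ties a signature to the key that produced it, so a
	// signature is never checked against a key with a different number.
	if !bytes.Equal(pub[2:2+keyNumLen], sig[2:2+keyNumLen]) {
		return errors.New("signature was made with a different key")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub[2+keyNumLen:]), msg, sig[2+keyNumLen:]) {
		return errors.New("signature verification failed")
	}
	return nil
}

// GenerateAndSign creates a fresh Ed25519 key pair and returns a
// signify-format public-key file and a signature file for msg. The
// encrypted secret-key file that signify writes is not reproduced here.
func GenerateAndSign(msg []byte) (pubFile, sigFile string, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", err
	}
	keyNum := make([]byte, keyNumLen)
	if _, err := rand.Read(keyNum); err != nil {
		return "", "", err
	}
	pubPayload := append(append([]byte(pkAlg), keyNum...), pub...)
	sigPayload := append(append([]byte(pkAlg), keyNum...), ed25519.Sign(priv, msg)...)
	pubFile = "untrusted comment: signify public key (example)\n" +
		base64.StdEncoding.EncodeToString(pubPayload) + "\n"
	sigFile = "untrusted comment: verify with example.pub\n" +
		base64.StdEncoding.EncodeToString(sigPayload) + "\n"
	return pubFile, sigFile, nil
}

func main() {
	msg := []byte("example message constructed for this demo\n") // constructed input
	pubFile, sigFile, err := GenerateAndSign(msg)
	if err != nil {
		panic(err)
	}
	fmt.Print(pubFile, sigFile)
	fmt.Println("original file:   ", Verify(pubFile, sigFile, msg))
	fmt.Println("modified file:   ", Verify(pubFile, sigFile, append(msg, '!')))
	fmt.Println("corrupt signature:", Verify(pubFile, sigFile[:len(sigFile)-5]+"\n", msg))
}
```

Running the program prints a generated key and signature file in the same two-line shape as the files above, then the three cases from this section: an unmodified file verifies, a modified file fails verification, and a truncated signature file is rejected as unparsable before any cryptography runs. The key-number check is why a signature cannot be silently "verified" with the wrong public key; both files on this page carry the same key number.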

Tips

  • Rename your “signify.pub” and “signify.sec” files if you need numerous key pairs.
  • Always use password managers to store credentials, including your password for Signify.

Conclusion

OpenBSD’s Signify is a modern tool that allows you to sign and verify files. In our opinion, it is a stable alternative since OpenBSD uses Signify extensively.

We republished this article in July 2021.
