Signify uses Ed25519 for cryptographic signing and verification. OpenBSD developers use it extensively: Ted Unangst developed the tool to sign and verify OpenBSD’s files. Other projects, such as WireGuard, radare2, and LibreSSL, also rely on Signify.
The current version of Signify is v30, released on September 24, 2020.
Create a key pair
Download and install Signify on your platform. Then, enter the following command to create a key pair in the current directory:
    signify -G -p signify.pub -s signify.sec
Set a strong password, ideally by using a password manager.
As you see, we specify “-p” for the public verification key “signify.pub,” and “-s” for the secret signing key “signify.sec.”
The output of cat signify.pub looks like:
    untrusted comment: signify public key of InfoSec Handbook
    RWSdP65piDd+OZWjsPeIWQKHCOBbF0XSDRIA6uby560mpcZVFaCU8USG
The first line is an “untrusted” comment. “Untrusted” means that it isn’t signed and can be changed. The second line is the Base64-encoded public key.
After creating a key pair, the workflow is similar to tools like GnuPG or Minisign: You publish your public key “signify.pub” and use your local private key “signify.sec” to sign files.
Sign a file
To sign files, enter:
    signify -S -s signify.sec -m [file-to-sign] -x [signature-file]
After entering the passphrase for the private key, Signify signs the “[file-to-sign]” and stores the signature in “[signature-file].” If you don’t specify “-x,” Signify uses “[file-to-sign].sig.”
Verify a file
You can verify the file’s signature by entering:
    signify -V -p signify.pub -m [file-to-sign]
Again, “-x” can be specified for a custom signature file. If the signature is correct, you see “Signature Verified.” If the provided file differs from the original one, you get “signify: signature verification failed.” If the signature file is corrupted, you see “signify: unable to parse [signature-file].”
The signature file looks like:
    untrusted comment: verify with signify.pub
    RWSdP65piDd+OVoglh1oEzICs3q/OIVN4p5DC0TscWfy/kjtC2wdDKGtBbW2/uKbxLcw5qvA/jTr8YNNe2X0T8xY/n0wjItd9gs=
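The following Python sketch is an added example, not part of the original article or of Signify itself. It decodes the Base64 line of the two files shown above and checks that the signature names the same key as signify.pub, which is a quick way to tell which key pair a signature belongs to when you keep several. It assumes Signify's on-disk layout of a 2-byte algorithm tag ("Ed"), an 8-byte key number, and then the 32-byte public key or 64-byte signature; the function names are hypothetical.

```python
import base64

COMMENT_PREFIX = "untrusted comment: "
# Assumed layout: 2-byte algorithm tag + 8-byte key number + payload
PAYLOAD_LEN = {"public key": 32, "signature": 64}

# The two files printed in the article
PUBKEY_FILE = """untrusted comment: signify public key of InfoSec Handbook
RWSdP65piDd+OZWjsPeIWQKHCOBbF0XSDRIA6uby560mpcZVFaCU8USG
"""
SIG_FILE = """untrusted comment: verify with signify.pub
RWSdP65piDd+OVoglh1oEzICs3q/OIVN4p5DC0TscWfy/kjtC2wdDKGtBbW2/uKbxLcw5qvA/jTr8YNNe2X0T8xY/n0wjItd9gs=
"""

def parse_signify(text, kind):
    """Return (comment, key_number, payload) for a Signify key or signature file."""
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith(COMMENT_PREFIX):
        raise ValueError("missing 'untrusted comment: ' header line")
    try:
        blob = base64.b64decode(lines[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("second line is not valid Base64") from exc
    if blob[:2] != b"Ed":
        raise ValueError("unexpected algorithm tag %r" % blob[:2])
    if len(blob) != 10 + PAYLOAD_LEN[kind]:
        raise ValueError("wrong length for a %s: %d bytes" % (kind, len(blob)))
    return lines[0][len(COMMENT_PREFIX):], blob[2:10], blob[10:]

def same_key(pubkey_text, sig_text):
    """True if the signature carries the same key number as the public key.
    This only matches key and signature; it does not verify the signature."""
    _, pub_num, _ = parse_signify(pubkey_text, "public key")
    _, sig_num, _ = parse_signify(sig_text, "signature")
    return pub_num == sig_num

if __name__ == "__main__":
    comment, keynum, key = parse_signify(PUBKEY_FILE, "public key")
    print(comment, keynum.hex(), len(key))
    print("signature names this key:", same_key(PUBKEY_FILE, SIG_FILE))
```

A matching key number says nothing about whether the file is authentic; only signify -V checks the Ed25519 signature itself.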
- Rename your “signify.pub” and “signify.sec” files if you need numerous key pairs.
- Always use password managers to store credentials, including your password for Signify.
OpenBSD’s Signify is a modern tool that allows you to sign and verify files. In our opinion, it is a stable alternative since OpenBSD uses Signify extensively.
We republished this article in July 2021.