libsignify_rs/

ops.rs

//
// signify-rs: cryptographically sign and verify files
// lib/src/ops.rs: Cryptographic operations
//
// Copyright (c) 2025, 2026 Ali Polatel <alip@chesswob.org>
// Based in part upon OpenBSD's signify which is:
//   Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
//   Copyright (c) 2016 Marc Espie <espie@openbsd.org>
//   Copyright (c) 2019 Adrian Perez de Castro <aperez@igalia.com>
//   Copyright (c) 2019 Scott Bennett and other contributors
//   SPDX-License-Identifier: ISC
//
// SPDX-License-Identifier: ISC

use crate::crypto::{
    self, derive_checksum, generate_keypair, kdf, COMMENTHDR, KDFALG, KEYNUMLEN, PKALG, SALT_LEN,
    SECKEY_LEN,
};
use crate::error::{Error, Result};
use crate::file::open;
use crate::file::parse_stream;
use crate::file::write_stream;
use crate::file::{parse, EncKey, PubKey, Sig};
use crate::utils::check_keyname_compliance;
use crate::utils::check_password_strength;
use crate::utils::log_untrusted_buf;
use crate::utils::read_password;
use base64ct::{Base64, Encoding as _};
use data_encoding::HEXLOWER;
use memchr::memchr;
use memchr::memmem;
use rand_core::{OsRng, TryRngCore as _};
use sha2::{Digest as _, Sha256, Sha512};
use std::fs::File;
use std::io::stdout;

use std::io::Cursor;
use std::io::{copy, stderr, stdin};
use std::io::{Read, Seek, SeekFrom, Write};
use std::path::{Path, PathBuf};
use std::str;
use zeroize::Zeroizing;

type EmbeddedSigResult = Result<(Sig, Vec<u8>, Box<dyn Read>)>;

/// Gzip header structure.
struct GzipHeader {
    /// Gzip flags.
    flg: u8,
    /// Header bytes (magic, compression method, flags, mtime, xfl, os).
    head: [u8; 10],
    /// Extra field data.
    extra_field: Vec<u8>,
    /// Original filename field.
    name_field: Vec<u8>,
    /// Comment field.
    comment_vec: Vec<u8>,
}

/// Builder for key generation operations.
///
/// # Examples
///
/// ```rust
/// use libsignify_rs::KeyGenerator;
/// use tempfile::tempdir;
///
/// # fn main() -> Result<(), Box<dyn std::error::Error>> {
/// let dir = tempdir()?;
/// let pub_path = dir.path().join("key.pub");
/// let sec_path = dir.path().join("key.sec");
///
/// // Generate with default settings (secure KDF rounds)
/// KeyGenerator::new()
///     .rounds(0) // No encryption for automated testing
///     .comment("test-key")
///     .generate(&pub_path, &sec_path)?;
///
/// assert!(pub_path.exists());
/// assert!(sec_path.exists());
/// # Ok(())
/// # }
/// ```
#[derive(Default)]
pub struct KeyGenerator {
    rounds: u32,
    comment: Option<String>,
    key_id: Option<i32>,
    tty_handle: Option<File>,
}

impl KeyGenerator {
    /// Create a new `KeyGenerator` with default settings.
    #[must_use]
    pub fn new() -> Self {
        Self {
            rounds: crypto::DEFAULT_ROUNDS,
            comment: None,
            key_id: None,
            tty_handle: None,
        }
    }

    /// Set TTY handle for interactive password prompts.
    #[must_use]
    pub fn tty_handle(mut self, tty: File) -> Self {
        self.tty_handle = Some(tty);
        self
    }

    /// Set KDF rounds (0 for no encryption).
    ///
    /// Default is 42.
    #[must_use]
    pub fn rounds(mut self, rounds: u32) -> Self {
        self.rounds = rounds;
        self
    }

    /// Set key comment.
    ///
    /// Default is "signify key".
    #[must_use]
    pub fn comment(mut self, comment: impl Into<String>) -> Self {
        self.comment = Some(comment.into());
        self
    }

    /// Set key ID for keyring integration.
    #[must_use]
    pub fn key_id(mut self, key_id: i32) -> Self {
        self.key_id = Some(key_id);
        self
    }

    /// Execute key generation writing to streams.
    ///
    /// # Errors
    /// Returns errors if I/O or KDF fails.
    pub fn generate_io<W1: Write, W2: Write>(
        self,
        mut pub_writer: W1,
        mut sec_writer: W2,
    ) -> Result<()> {
        let comment = self.comment.as_deref().unwrap_or("signify");

        let mut keynum = [0_u8; KEYNUMLEN];
        OsRng.try_fill_bytes(&mut keynum)?;

        let (public_key, secret_key) = generate_keypair()?;

        let (enc_key, pub_key_struct) = if self.rounds > 0 {
            let pass = prompt_password(true, self.key_id, self.tty_handle.as_ref())?;
            let mut salt = [0u8; SALT_LEN];
            OsRng.try_fill_bytes(&mut salt)?;

            let mut xorkey = Zeroizing::new(vec![0u8; SECKEY_LEN]);
            kdf(&pass, &salt, self.rounds, &mut xorkey)?;

            let mut seckey = Zeroizing::new([0u8; SECKEY_LEN]);
            for i in 0..SECKEY_LEN {
                seckey[i] = secret_key[i] ^ xorkey[i];
            }

            let checksum = derive_checksum(secret_key.as_ref());
            let enc_key = EncKey {
                pkalg: PKALG,
                kdfalg: KDFALG,
                kdfrounds: self.rounds,
                salt,
                checksum,
                keynum,
                seckey,
            };

            let pk = PubKey {
                pkalg: PKALG,
                keynum,
                pubkey: public_key,
            };

            (enc_key, pk)
        } else {
            let enc_key = EncKey {
                pkalg: PKALG,
                kdfalg: KDFALG,
                kdfrounds: 0,
                salt: [0u8; SALT_LEN],
                checksum: derive_checksum(secret_key.as_ref()),
                keynum,
                seckey: Zeroizing::new(*secret_key),
            };

            let pk = PubKey {
                pkalg: PKALG,
                keynum,
                pubkey: public_key,
            };
            (enc_key, pk)
        };

        // Write secret key.
        let comment_len = comment
            .len()
            .checked_add(" secret key".len())
            .ok_or(Error::Overflow)?;
        let mut seckey_comment = Vec::with_capacity(comment_len);
        seckey_comment.extend_from_slice(comment.as_bytes());
        seckey_comment.extend_from_slice(b" secret key");
        write_stream(&mut sec_writer, &seckey_comment, &enc_key.to_bytes())?;

        let mut pubkey_comment = Vec::with_capacity(comment_len);
        pubkey_comment.extend_from_slice(comment.as_bytes());
        pubkey_comment.extend_from_slice(b" public key");
        write_stream(&mut pub_writer, &pubkey_comment, &pub_key_struct.to_bytes())
    }

    /// Execute key generation.
    ///
    /// # Errors
    /// Returns errors if file I/O or KDF fails.
    pub fn generate(self, pubkey_path: &Path, seckey_path: &Path) -> Result<()> {
        let pub_file = open(pubkey_path, true)?;
        let sec_file = open(seckey_path, true)?;
        self.generate_io(pub_file, sec_file)
    }
}

/// Builder for signing operations.
///
/// # Examples
///
/// Basic signing:
///
/// ```rust
/// use libsignify_rs::{KeyGenerator, Signer};
/// use tempfile::tempdir;
/// use std::fs;
///
/// # fn main() -> Result<(), Box<dyn std::error::Error>> {
/// let dir = tempdir()?;
/// let pub_path = dir.path().join("key.pub");
/// let sec_path = dir.path().join("key.sec");
/// let msg_path = dir.path().join("msg.txt");
/// let sig_path = dir.path().join("msg.sig");
///
/// // Setup: Generate keys and message
/// KeyGenerator::new().rounds(0).generate(&pub_path, &sec_path)?;
/// fs::write(&msg_path, "test message")?;
///
/// // Sign
/// Signer::new()
///     .seckey(&sec_path)
///     .sign(&msg_path, &sig_path)?;
///
/// assert!(sig_path.exists());
/// # Ok(())
/// # }
/// ```
///
/// Embedded signature:
///
/// ```rust
/// # use libsignify_rs::{KeyGenerator, Signer};
/// # use tempfile::tempdir;
/// # use std::fs;
/// # fn main() -> Result<(), Box<dyn std::error::Error>> {
/// # let dir = tempdir()?;
/// # let pub_path = dir.path().join("key.pub");
/// # let sec_path = dir.path().join("key.sec");
/// # let msg_path = dir.path().join("msg.txt");
/// # let sig_path = dir.path().join("msg.sig");
/// # KeyGenerator::new().rounds(0).generate(&pub_path, &sec_path)?;
/// # fs::write(&msg_path, "test message")?;
/// Signer::new()
///     .seckey(&sec_path)
///     .embed(true)
///     .sign(&msg_path, &sig_path)?;
/// # Ok(())
/// # }
/// ```
///
/// Gzip signing:
///
/// ```rust
/// # use libsignify_rs::{KeyGenerator, Signer};
/// # use tempfile::tempdir;
/// # use std::fs;
/// # fn main() -> Result<(), Box<dyn std::error::Error>> {
/// # let dir = tempdir()?;
/// # let pub_path = dir.path().join("key.pub");
/// # let sec_path = dir.path().join("key.sec");
/// # let msg_path = dir.path().join("archive.gz"); // Input must be a file
/// # let sig_path = dir.path().join("archive.gz.sig"); // Output is signed gzip
/// # KeyGenerator::new().rounds(0).generate(&pub_path, &sec_path)?;
/// use flate2::write::GzEncoder;
/// use flate2::Compression;
/// use std::fs::File;
/// use std::io::Write;
///
/// // Create a valid gzip file to sign
/// let f = File::create(&msg_path)?;
/// let mut e = GzEncoder::new(f, Compression::default());
/// e.write_all(b"compressed content")?;
/// e.finish()?;
///
/// Signer::new()
///     .seckey(&sec_path)
///     .gzip(true)
///     .sign(&msg_path, &sig_path)?;
/// # Ok(())
/// # }
/// ```
pub struct Signer {
    seckey: Option<PathBuf>,
    embed: bool,
    gzip: bool,
    key_id: Option<i32>,
    tty_handle: Option<File>,
}

impl Default for Signer {
    fn default() -> Self {
        Self::new()
    }
}

impl Signer {
    /// Create a new `Signer`.
    #[must_use]
    pub fn new() -> Self {
        Self {
            seckey: None,
            embed: false,
            gzip: false,
            key_id: None,
            tty_handle: None,
        }
    }

    /// Set TTY handle for interactive password prompts.
    #[must_use]
    pub fn tty_handle(mut self, tty: File) -> Self {
        self.tty_handle = Some(tty);
        self
    }

    /// Set secret key path.
    #[must_use]
    pub fn seckey(mut self, path: impl Into<PathBuf>) -> Self {
        self.seckey = Some(path.into());
        self
    }

    /// Set embed mode (signify -e).
    ///
    /// If true, creates an embedded signature.
    #[must_use]
    pub fn embed(mut self, embed: bool) -> Self {
        self.embed = embed;
        self
    }

    /// Set gzip mode (signify -z).
    ///
    /// If true, signs a gzip archive.
    #[must_use]
    pub fn gzip(mut self, gzip: bool) -> Self {
        self.gzip = gzip;
        self
    }

    /// Set key ID (for keyring support).
    #[must_use]
    pub fn key_id(mut self, key_id: i32) -> Self {
        self.key_id = Some(key_id);
        self
    }

    /// Sign a file.
    ///
    /// # Errors
    /// Returns errors if I/O, decryption, or signing fails.
    pub fn sign(self, msg_path: &Path, sig_path: &Path) -> Result<()> {
        self.sign_io(msg_path, sig_path, None, None, None)
    }

    /// Sign a message using optional file handles.
    pub fn sign_io(
        &self,
        msg_path: &Path,
        sig_path: &Path,
        msg_file: Option<File>,
        sig_file: Option<File>,
        seckey_file: Option<File>,
    ) -> Result<()> {
        let seckey_path = self.seckey.as_deref().ok_or(Error::RequiredArg("-s"))?;

        let (enc_key, comment_bytes) = if let Some(f) = seckey_file {
            parse_stream(f, EncKey::from_bytes)?
        } else {
            parse::<EncKey, _>(seckey_path, EncKey::from_bytes)?
        };

        let xorkey = if enc_key.kdfrounds > 0 {
            let pass = Zeroizing::new(prompt_password(
                false,
                self.key_id,
                self.tty_handle.as_ref(),
            )?);
            let mut xorkey = Zeroizing::new(vec![0u8; SECKEY_LEN]);
            kdf(&pass, &enc_key.salt, enc_key.kdfrounds, &mut xorkey)?;
            Some(xorkey)
        } else {
            None
        };

        let mut seckey = Zeroizing::new([0u8; SECKEY_LEN]); // 64
        if let Some(x) = xorkey {
            for i in 0..SECKEY_LEN {
                seckey[i] = enc_key.seckey[i] ^ x[i];
            }
        } else {
            seckey.copy_from_slice(enc_key.seckey.as_ref());
        }

        // Verify checksum to ensure the password was correct.
        let checksum = derive_checksum(seckey.as_ref());
        if checksum != enc_key.checksum {
            return Err(Error::IncorrectPassphrase);
        }

        // Determine paths and streams.
        let is_stdout = sig_path.to_str() == Some("-");
        let is_stdin = msg_path.to_str() == Some("-");

        if self.gzip {
            if self.embed {
                return Err(Error::Io(std::io::Error::new(
                    std::io::ErrorKind::InvalidInput,
                    "cannot combine -e (embed) and -z (gzip)",
                )));
            }
            return sign_gzip(
                seckey.as_ref(),
                enc_key.keynum,
                seckey_path,
                msg_path,
                sig_path,
                &comment_bytes,
                msg_file,
                sig_file,
            );
        }

        // Pre-calculate signature comment (used in headers).
        let mut sig_comment = Vec::new();
        if seckey_path.to_str() == Some("-") {
            sig_comment.extend_from_slice(b"signature from ");
            sig_comment.extend_from_slice(&comment_bytes);
        } else {
            sig_comment.extend_from_slice(b"verify with ");
            sig_comment.extend_from_slice(
                seckey_path
                    .file_stem()
                    .unwrap_or(seckey_path.as_os_str())
                    .as_encoded_bytes(),
            );
            sig_comment.extend_from_slice(b".pub");
        };

        sign_standard(SignParams {
            seckey: &seckey,
            keynum: enc_key.keynum,
            msg_path,
            sig_path,
            embed: self.embed,
            is_stdout,
            is_stdin,
            sig_comment: &sig_comment,
            msg_file,
            sig_file,
        })
    }
}

/// Builder for verification operations.
///
/// # Examples
///
/// Basic verification:
///
/// ```rust
/// use libsignify_rs::{KeyGenerator, Signer, Verifier};
/// use tempfile::tempdir;
/// use std::fs;
///
/// # fn main() -> Result<(), Box<dyn std::error::Error>> {
/// let dir = tempdir()?;
/// let pub_path = dir.path().join("key.pub");
/// let sec_path = dir.path().join("key.sec");
/// let msg_path = dir.path().join("msg.txt");
/// let sig_path = dir.path().join("msg.sig");
///
/// // Setup
/// KeyGenerator::new().rounds(0).generate(&pub_path, &sec_path)?;
/// fs::write(&msg_path, "test message")?;
/// Signer::new().seckey(&sec_path).sign(&msg_path, &sig_path)?;
///
/// // Verify
/// Verifier::new()
///     .pubkey(&pub_path)
///     .quiet(true)
///     .verify(&msg_path, &sig_path)?;
/// # Ok(())
/// # }
/// ```
///
/// Embedded verification:
///
/// ```rust
/// # use libsignify_rs::{KeyGenerator, Signer, Verifier};
/// # use tempfile::tempdir;
/// # use std::fs;
/// # fn main() -> Result<(), Box<dyn std::error::Error>> {
/// # let dir = tempdir()?;
/// # let pub_path = dir.path().join("key.pub");
/// # let sec_path = dir.path().join("key.sec");
/// # let msg_path = dir.path().join("msg.txt");
/// # let sig_path = dir.path().join("msg.sig");
/// # KeyGenerator::new().rounds(0).generate(&pub_path, &sec_path)?;
/// # fs::write(&msg_path, "test message")?;
/// // Sign with embed
/// Signer::new()
///     .seckey(&sec_path)
///     .embed(true)
///     .sign(&msg_path, &sig_path)?;
///
/// // Remove original message to verify extraction
/// fs::remove_file(&msg_path)?;
///
/// // Verify embedded
/// Verifier::new()
///     .pubkey(&pub_path)
///     .quiet(true)
///     .embed(true)
///     .verify(&msg_path, &sig_path)?;
/// # Ok(())
/// # }
/// ```
///
/// Gzip verification:
///
/// ```rust
/// # use libsignify_rs::{KeyGenerator, Signer, Verifier};
/// # use tempfile::tempdir;
/// # use std::fs::File;
/// # use std::path::Path;
/// # use flate2::{write::GzEncoder, Compression};
/// # use std::io::Write;
/// # fn main() -> Result<(), Box<dyn std::error::Error>> {
/// # let dir = tempdir()?;
/// # let pub_path = dir.path().join("key.pub");
/// # let sec_path = dir.path().join("key.sec");
/// # let msg_path = dir.path().join("archive.gz");
/// # let sig_path = dir.path().join("archive.gz.sig");
/// # KeyGenerator::new().rounds(0).generate(&pub_path, &sec_path)?;
/// # let f = File::create(&msg_path)?;
/// # let mut e = GzEncoder::new(f, Compression::default());
/// # e.write_all(b"data")?;
/// # e.finish()?;
/// // Sign gzip
/// Signer::new()
///     .seckey(&sec_path)
///     .gzip(true)
///     .sign(&msg_path, &sig_path)?;
///
/// // Verify gzip
/// Verifier::new()
///     .pubkey(&pub_path)
///     .quiet(true)
///     .gzip(true)
///     .verify(&Path::new("-"), &sig_path)?; // Output to stdout (-) or file
/// # Ok(())
/// # }
/// ```
///
/// Handling verification failures:
///
/// ```rust
/// # use libsignify_rs::{KeyGenerator, Signer, Verifier};
/// # use tempfile::tempdir;
/// # use std::fs;
/// # fn main() -> Result<(), Box<dyn std::error::Error>> {
/// # let dir = tempdir()?;
/// # let pub_path = dir.path().join("key.pub");
/// # let sec_path = dir.path().join("key.sec");
/// # let msg_path = dir.path().join("msg.txt");
/// # let sig_path = dir.path().join("msg.sig");
/// # KeyGenerator::new().rounds(0).generate(&pub_path, &sec_path)?;
/// # fs::write(&msg_path, "original message")?;
/// # Signer::new().seckey(&sec_path).sign(&msg_path, &sig_path)?;
///
/// // Tamper with the message
/// fs::write(&msg_path, "tampered message")?;
///
/// // Verification should fail
/// let result = Verifier::new()
///     .pubkey(&pub_path)
///     .verify(&msg_path, &sig_path);
///
/// assert!(result.is_err());
/// # Ok(())
/// # }
/// ```
pub struct Verifier {
    pubkey: Option<PathBuf>,
    quiet: bool,
    embed: bool,
    gzip: bool,
}

impl Default for Verifier {
    fn default() -> Self {
        Self::new()
    }
}

impl Verifier {
    /// Create a new `Verifier`.
    #[must_use]
    pub fn new() -> Self {
        Self {
            pubkey: None,
            quiet: false,
            embed: false,
            gzip: false,
        }
    }

    /// Set public key path.
    #[must_use]
    pub fn pubkey(mut self, path: impl Into<PathBuf>) -> Self {
        self.pubkey = Some(path.into());
        self
    }

    /// Set quiet mode.
    ///
    /// If true, suppresses "Signature Verified" output.
    #[must_use]
    pub fn quiet(mut self, quiet: bool) -> Self {
        self.quiet = quiet;
        self
    }

    /// Set embed mode (signify -I).
    ///
    /// Used when verifying an embedded signature.
    #[must_use]
    pub fn embed(mut self, embed: bool) -> Self {
        self.embed = embed;
        self
    }

    /// Set gzip mode (signify -z).
    ///
    /// Used when verifying a signed gzip archive.
    #[must_use]
    pub fn gzip(mut self, gzip: bool) -> Self {
        self.gzip = gzip;
        self
    }

    /// Verify a signature.
    ///
    /// # Errors
    /// Returns errors if verification fails.
    pub fn verify(self, msg_path: &Path, sig_path: &Path) -> Result<()> {
        self.verify_io(msg_path, sig_path, None, None, None)
    }

    /// Verify with pre-opened resources.
    pub fn verify_io(
        self,
        msg_path: &Path,
        sig_path: &Path,
        mut msg_file: Option<File>,
        mut sig_file: Option<File>,
        pubkey_file: Option<File>,
    ) -> Result<()> {
        if self.gzip {
            return verify_gzip(
                self.pubkey.as_deref(),
                msg_path,
                sig_path,
                self.quiet,
                msg_file,
                sig_file,
                pubkey_file,
            );
        }

        // Standard embedded/detached verify:
        // Determine signature and input stream.
        let (sig, stream, output_path) = if self.embed {
            // Embed mode: msg_path is output (extracted msg).
            // Sig is input. extract signature from sig_path/sig_file.
            let (sig, prelude, rest_reader) = if let Some(f) = sig_file.take() {
                parse_embedded_signature_reader(Box::new(f))?
            } else {
                parse_embedded_signature(sig_path)?
            };
            let stream = Cursor::new(prelude).chain(rest_reader);

            let out_path = if self.embed { Some(msg_path) } else { None };
            (sig, Box::new(stream) as Box<dyn Read>, out_path)
        } else {
            // Detached
            let (sig, _comment) = if let Some(f) = sig_file.take() {
                let (sig, comment) = parse_stream(f, Sig::from_bytes)?;
                (sig, comment)
            } else {
                parse::<Sig, _>(sig_path, Sig::from_bytes)?
            };

            let file: Box<dyn Read> = if let Some(f) = msg_file.take() {
                Box::new(f)
            } else {
                Box::new(open(msg_path, false)?)
            };

            // Detached verification never extracts/writes.
            (sig, file, None)
        };

        let pubkey = if let Some(f) = pubkey_file {
            let (pk, _) = parse_stream(f, PubKey::from_bytes)?;
            pk
        } else if let Some(path) = &self.pubkey {
            let (pk, _) = parse::<PubKey, _>(path, PubKey::from_bytes)?;
            pk
        } else {
            return Err(Error::MissingPubKey);
        };

        if sig.keynum != pubkey.keynum {
            return Err(Error::KeyMismatch);
        }

        // Prepare output writer if needed.
        let mut writer: Option<Box<dyn Write>> = if let Some(f) = msg_file.take() {
            // msg_file provided. Used for output if embed?
            Some(Box::new(f))
        } else if let Some(path) = output_path {
            // Standard path open.
            if path.to_str() == Some("-") {
                Some(Box::new(stdout()))
            } else {
                Some(Box::new(open(path, true)?))
            }
        } else {
            None
        };

        // Verify stream.
        let writer_ref = writer.as_mut().map(|w| &mut **w as &mut dyn Write);
        crypto::verify_stream(stream, writer_ref, &pubkey.pubkey, &sig.sig)?;

        if !self.quiet {
            println!("Signature Verified");
        }

        Ok(())
    }
}

fn parse_embedded_signature_reader(mut reader: Box<dyn Read>) -> EmbeddedSigResult {
    // Read header bounded.
    const HEADER_LIMIT: usize = 4096;
    let mut buffer = vec![0_u8; HEADER_LIMIT];
    let mut valid_len = 0;

    // Read up to limit.
    while valid_len < HEADER_LIMIT {
        let n = reader.read(&mut buffer[valid_len..]).map_err(Error::Io)?;
        if n == 0 {
            break;
        }
        valid_len = valid_len.checked_add(n).ok_or(Error::Overflow)?;
    }
    buffer.truncate(valid_len);

    let n1 = memchr(b'\n', &buffer).ok_or(Error::InvalidCommentHeader)?;
    let n2_start = n1.checked_add(1).ok_or(Error::Overflow)?;
    let n2 = memchr(b'\n', &buffer[n2_start..]).ok_or(Error::MissingSignatureNewline)?;
    let b64_start = n2_start;
    let b64_end = b64_start.checked_add(n2).ok_or(Error::Overflow)?;

    if b64_end > buffer.len() {
        return Err(Error::InvalidCommentHeader);
    }

    let b64_bytes = &buffer[b64_start..b64_end];
    let b64_str = str::from_utf8(b64_bytes).map_err(|_e| Error::InvalidSignatureUtf8)?;
    let sig_bytes = Base64::decode_vec(b64_str.trim()).map_err(Error::Base64Decode)?;
    let sig = Sig::from_bytes(&sig_bytes)?;

    let msg_start = b64_end.checked_add(1).ok_or(Error::Overflow)?;

    // Construct prelude: (buffer[msg_start..]).
    let prelude = if msg_start < buffer.len() {
        buffer[msg_start..].to_vec()
    } else {
        Vec::new()
    };

    Ok((sig, prelude, reader))
}

/// Prompt for password.
fn prompt_password(
    confirm: bool,
    key_id: Option<i32>,
    tty: Option<&File>,
) -> Result<Zeroizing<Vec<u8>>> {
    let pass = loop {
        let pass = read_password("passphrase: ", key_id, tty)?;

        // Check password strength only during key generation (confirm=true).
        // During signing, the password decrypts an existing key so strength doesn't matter.
        if !confirm {
            return Ok(pass);
        }

        match check_password_strength(&pass) {
            Ok(()) if key_id.is_some() => return Ok(pass),
            Err(error) if key_id.is_some() => return Err(error),
            Err(error) => {
                let mut msg = "signify: ".to_string();
                msg.push_str(&error.to_string());
                msg.push('\n');
                stderr().write_all(msg.as_bytes()).map_err(Error::Io)?;
                stderr().flush().map_err(Error::Io)?;
                continue;
            }
            _ => break pass,
        }
    };

    for _ in 0..3 {
        stderr().flush().map_err(Error::Io)?;
        let pass2 = read_password("confirm passphrase: ", None, tty)?;
        if pass == pass2 {
            return Ok(pass);
        }
        let mut msg = "signify: ".to_string();
        msg.push_str(&Error::PasswordMismatch.to_string());
        msg.push('\n');
        stderr().write_all(msg.as_bytes()).map_err(Error::Io)?;
        stderr().flush().map_err(Error::Io)?;
    }

    Err(Error::PasswordMismatch)
}

/// Parameters for signing operations.
struct SignParams<'a> {
    /// Secret key bytes.
    seckey: &'a [u8; 64],
    /// Key ID.
    keynum: [u8; 8],
    /// Path to the message file.
    msg_path: &'a Path,
    /// Path to the signature file.
    sig_path: &'a Path,
    /// Whether to embed the signature.
    embed: bool,
    /// Whether output is stdout.
    is_stdout: bool,
    /// Whether input is stdin.
    is_stdin: bool,
    /// Signature comment to include.
    sig_comment: &'a [u8],
    /// Pre-opened message file.
    msg_file: Option<File>,
    /// Pre-opened signature file.
    sig_file: Option<File>,
}

fn sign_standard(params: SignParams) -> Result<()> {
    // Helper to create header bytes from signature bytes.
    let make_header = |sig_bytes: &[u8]| -> Result<Vec<u8>> {
        // Unwrap is safe because it's fixed length.
        #[expect(clippy::disallowed_methods)]
        let sig = Sig {
            pkalg: PKALG,
            keynum: params.keynum,
            sig: sig_bytes.try_into().unwrap(),
        };
        let encoded = Base64::encode_string(&sig.to_bytes());
        let mut h = Vec::new();
        h.extend_from_slice(COMMENTHDR.as_bytes());
        h.extend_from_slice(params.sig_comment);
        h.push(b'\n');
        h.extend_from_slice(encoded.as_bytes());
        h.push(b'\n');
        Ok(h)
    };

    let out_file = if let Some(f) = params.sig_file {
        Some(f)
    } else if params.is_stdout {
        None
    } else {
        Some(open(params.sig_path, true)?)
    };

    if params.embed {
        if let Some(mut file) = out_file {
            // File output: Seek and patch.
            // 1. Write dummy header.
            let dummy_sig = [0u8; 64];
            let header = make_header(&dummy_sig)?;
            file.write_all(&header).map_err(Error::Io)?;

            // 2. Stream input.
            let mut reader: Box<dyn Read> = if let Some(f) = params.msg_file {
                Box::new(f)
            } else if params.is_stdin {
                Box::new(stdin())
            } else {
                Box::new(open(params.msg_path, false)?)
            };

            let mut buf = Vec::new();
            reader.read_to_end(&mut buf).map_err(Error::Io)?;
            file.write_all(&buf).map_err(Error::Io)?;

            // 3. Patch.
            let real_sig = crypto::sign(&buf, params.seckey)?;
            let real_header = make_header(real_sig.as_ref())?;
            if real_header.len() != header.len() {
                return Err(Error::InvalidSignatureLength);
            }
            file.rewind().map_err(Error::Io)?;
            file.write_all(&real_header).map_err(Error::Io)?;
        } else {
            // Output is stdout.
            if params.is_stdin {
                let mut buf = Vec::new();
                stdin().read_to_end(&mut buf).map_err(Error::Io)?;

                let sig = crypto::sign(&buf, params.seckey)?;
                let header = make_header(sig.as_ref())?;

                let mut out = stdout();
                out.write_all(&header).map_err(Error::Io)?;
                out.write_all(&buf).map_err(Error::Io)?;
            } else {
                // File input: Two pass (read hash, read write).
                let mut file = if let Some(file) = params.msg_file {
                    file
                } else {
                    open(params.msg_path, false)?
                };

                // Ensure start
                // If it's a file, seek to start.
                let _ = file.rewind();

                let sig = crypto::sign_stream(&mut file, params.seckey)?;
                let header = make_header(&sig)?;
                let mut out = stdout();
                out.write_all(&header).map_err(Error::Io)?;

                // Rewind.
                file.rewind().map_err(Error::Io)?;
                copy(&mut file, &mut out).map_err(Error::Io)?;
            }
        }
    } else {
        // Detached (-S)
        let mut reader: Box<dyn Read> = if let Some(f) = params.msg_file {
            Box::new(f)
        } else if params.is_stdin {
            Box::new(stdin())
        } else {
            Box::new(open(params.msg_path, false)?)
        };
        let sig = crypto::sign_stream(&mut reader, params.seckey)?;
        let header = make_header(&sig)?;

        if let Some(mut f) = out_file {
            f.write_all(&header).map_err(Error::Io)?;
        } else {
            stdout().write_all(&header).map_err(Error::Io)?;
        }
    }

    Ok(())
}

/// Parse embedded signature, returning sig, prelude bytes, and rest reader.
///
/// # Errors
/// Returns errors from file I/O or parsing.
fn parse_embedded_signature(path: &Path) -> EmbeddedSigResult {
    let reader: Box<dyn Read> = if path.to_str() == Some("-") {
        Box::new(stdin())
    } else {
        Box::new(open(path, false)?)
    };
    parse_embedded_signature_reader(reader)
}

/// Check a list of checksums.
///
/// # Errors
///
/// Returns `Error::Io` on file I/O errors.
/// Returns `Error::KeyMismatch` if keynum mismatch.
/// Returns `Error::VerifyFailed` if signature verification fails.
/// Returns `Error::CheckFailed` if one or more checksums fail verification.
pub fn check_checksums(
    pubkey_path: Option<&Path>,
    sig_path: &Path,
    mut sig_file: Option<File>,
    quiet: bool,
) -> Result<()> {
    let (sig, mut prelude, mut reader) = if let Some(f) = sig_file.take() {
        parse_embedded_signature_reader(Box::new(f))?
    } else {
        parse_embedded_signature(sig_path)?
    };
    reader.read_to_end(&mut prelude).map_err(Error::Io)?;
    let msg = prelude;

    // Public key is required.
    let path = pubkey_path.ok_or(Error::MissingPubKey)?;
    let (pubkey, _) = parse::<PubKey, _>(path, PubKey::from_bytes)?;

    if sig.keynum != pubkey.keynum {
        return Err(Error::KeyMismatch);
    }

    crypto::verify(&msg, &pubkey.pubkey, &sig.sig)?;

    let mut failed = false;
    for (line_num, line) in msg.split(|&b| matches!(b, b'\n' | b'\r')).enumerate() {
        let line = line.trim_ascii();
        if line.is_empty() {
            continue;
        }

        if let Err(error) = verify_checksum_line(line, quiet) {
            eprintln!("signify: line {}: {error}", line_num.saturating_add(1));
            failed = true;
        }
    }

    if failed {
        Err(Error::CheckFailed)
    } else {
        Ok(())
    }
}

/// Verify a single line from a checksum file.
///
/// Supports BSD format (`ALGO (FILENAME) = HASH`), and
/// GNU coreutils format (`HASH  FILENAME` or `HASH *FILENAME`).
///
/// # Errors
///
/// Returns `Error::ChecksumParseFailed` if the line cannot be parsed.
/// Returns `Error::ChecksumMismatch` if the hash does not match.
/// Returns `Error::UnsupportedHashAlgo` for unknown algorithms.
/// Returns I/O errors if the file cannot be read.
pub fn verify_checksum_line(line: &[u8], quiet: bool) -> Result<()> {
    let (algo, hash, path) = parse_checksum_line(line)
        .ok_or_else(|| Error::ChecksumParseFailed(log_untrusted_buf(line)))?;
    verify_file_with_hash(algo, hash, &path, quiet)
}

/// Parse a checksum line in any supported format.
///
/// Returns (algo, hash, filename) on success.
fn parse_checksum_line(line: &[u8]) -> Option<(&[u8], &[u8], &str)> {
    try_parse_bsd_format(line).or_else(|| try_parse_gnu_format(line))
}

/// Try to parse BSD format: `ALGO (FILENAME) = HASH`
fn try_parse_bsd_format(line: &[u8]) -> Option<(&[u8], &[u8], &str)> {
    let marker = b" = ";
    let idx = memmem::find(line, marker)?;

    let left = &line[..idx];
    let right_start = idx.checked_add(marker.len())?;
    let right = &line[right_start..];
    let hash = right.trim_ascii();

    // Parse left: "ALGO (FILENAME)" -> Find first space
    let space_idx = memchr(b' ', left)?;
    let algo = &left[..space_idx];
    let rest_start = space_idx.checked_add(1)?;
    let rest = &left[rest_start..];

    // Rest should be "(FILENAME)"
    if rest.len() < 2 || rest.first() != Some(&b'(') || rest.last() != Some(&b')') {
        return None;
    }

    let filename = &rest[1..rest.len().checked_sub(1)?];
    let filename = std::str::from_utf8(filename).ok()?;
    if !filename.is_empty() {
        Some((algo, hash, filename))
    } else {
        None
    }
}

/// Try to parse GNU coreutils format: `HASH  FILENAME` or `HASH *FILENAME`.
///
/// Returns (algo, hash, filename) on success, None if format doesn't match.
fn try_parse_gnu_format(line: &[u8]) -> Option<(&[u8], &[u8], &str)> {
    // Find separator: Two spaces or space+asterisk.
    let (sep_idx, sep_len) = if let Some(idx) = memmem::find(line, b"  ") {
        (idx, 2)
    } else if let Some(idx) = memmem::find(line, b" *") {
        (idx, 2)
    } else {
        return None;
    };

    let hash = &line[..sep_idx];
    let path = &line[sep_idx.checked_add(sep_len)?..];
    let path = std::str::from_utf8(path).ok()?;

    // Validate hash is hex and has valid length:
    // 64 for SHA256, 128 for SHA512.
    let algo: &[u8] = match hash.len() {
        64 => b"SHA256",
        128 => b"SHA512",
        _ => return None,
    };
    if !hash.iter().all(|&b| b.is_ascii_hexdigit()) {
        return None;
    }

    Some((algo, hash, path))
}

/// Verify a file's hash against expected value.
///
/// Used by both BSD and GNU format parsing.
fn verify_file_with_hash(algo: &[u8], hash: &[u8], path: &str, quiet: bool) -> Result<()> {
    let name = log_untrusted_buf(path.as_bytes());
    let path = Path::new(path);

    let mut file = open(path, false).inspect_err(|error| {
        if !quiet {
            println!("{name}: FAIL: {error}");
        }
    })?;

    const BUF_SIZE: usize = 64 * 1024;
    let mut buf = [0_u8; BUF_SIZE];

    // Macro to compute hash for a given hasher.
    macro_rules! compute_hash {
        ($hasher:expr) => {{
            let mut hasher = $hasher;
            loop {
                match file.read(&mut buf) {
                    Ok(0) => break,
                    Ok(n) => hasher.update(&buf[..n]),
                    Err(ref e) if e.kind() == std::io::ErrorKind::Interrupted => continue,
                    Err(error) => {
                        let error = Error::Io(error);
                        if !quiet {
                            println!("{name}: FAIL: {error}");
                        }
                        return Err(error);
                    }
                }
            }
            HEXLOWER.encode(&hasher.finalize())
        }};
    }

    let calculated_hash = match algo {
        b"SHA256" => compute_hash!(Sha256::new()),
        b"SHA512" => compute_hash!(Sha512::new()),
        _ => {
            let algo = String::from_utf8_lossy(algo).to_string();
            let error = Error::UnsupportedHashAlgo(algo);
            if !quiet {
                println!("{name}: FAIL: {error}");
            }
            return Err(error);
        }
    };

    if calculated_hash.as_bytes().eq_ignore_ascii_case(hash) {
        if !quiet {
            println!("{name}: OK");
        }
        Ok(())
    } else {
        let error = Error::ChecksumMismatch(name);
        if !quiet {
            println!("{error}");
        }
        Err(error)
    }
}

/// Helper to read gzip header.
fn read_gzip_header(sig_file: &mut dyn Read) -> Result<GzipHeader> {
    let mut head = [0u8; 10];
    sig_file.read_exact(&mut head).map_err(Error::Io)?;

    if head[0] != 0x1f || head[1] != 0x8b {
        return Err(Error::Io(std::io::Error::new(
            std::io::ErrorKind::InvalidData,
            "Not a gzip file",
        )));
    }
    let flg = head[3];
    if (flg & 16) == 0 {
        return Err(Error::Io(std::io::Error::new(
            std::io::ErrorKind::InvalidData,
            "Unsigned gzip archive (no comment)",
        )));
    }

    // Skip extra, name if present.
    let mut extra_field = Vec::new();
    if (flg & 4) != 0 {
        let mut xlen_b = [0u8; 2];
        sig_file.read_exact(&mut xlen_b).map_err(Error::Io)?;
        extra_field.extend_from_slice(&xlen_b);
        let xlen = u64::from(u16::from_le_bytes(xlen_b));
        let mut reader = sig_file.take(xlen);
        reader.read_to_end(&mut extra_field).map_err(Error::Io)?;
    }

    let mut name_field = Vec::new();
    if (flg & 8) != 0 {
        let mut buf = [0u8; 1];
        loop {
            sig_file.read_exact(&mut buf).map_err(Error::Io)?;
            name_field.push(buf[0]);
            if buf[0] == 0 {
                break;
            }
        }
    }

    // Read comment.
    let mut comment_vec = Vec::new();
    let mut buf = [0u8; 1];
    loop {
        sig_file.read_exact(&mut buf).map_err(Error::Io)?;
        if buf[0] == 0 {
            break;
        }
        comment_vec.push(buf[0]);
    }

    Ok(GzipHeader {
        flg,
        head,
        extra_field,
        name_field,
        comment_vec,
    })
}

/// Sign a gzip file.
pub fn sign_gzip(
    seckey: &[u8],
    keynum: [u8; 8],
    seckey_path: &Path,
    msg_path: &Path,
    sig_path: &Path,
    comment_bytes: &[u8],
    msg_file: Option<std::fs::File>,
    sig_file: Option<std::fs::File>,
) -> Result<()> {
    let is_stdout = sig_path.as_os_str() == "-";
    let is_stdin = msg_path.as_os_str() == "-";

    if is_stdin && msg_file.is_none() {
        return Err(Error::Io(std::io::Error::new(
            std::io::ErrorKind::InvalidInput,
            "Gzip signing requires a regular file input (not stdin)",
        )));
    }

    let mut f = if let Some(f) = msg_file {
        f
    } else {
        open(msg_path, false)?
    };

    let (head, data_start) = parse_gzip_for_signing(&mut f)?;

    // Pass 1: Hash.
    let (header_msg, _) = hash_gzip_content(&mut f, data_start, seckey_path)?;

    // Sign.
    let kp = ed25519_compact::KeyPair {
        pk: ed25519_compact::PublicKey::from_slice(&seckey[32..]).map_err(Error::Crypto)?,
        sk: ed25519_compact::SecretKey::from_slice(seckey).map_err(Error::Crypto)?,
    };
    let sig = kp.sk.sign(&header_msg, None);

    let sig_comment = make_sig_comment(seckey_path, comment_bytes)?;

    let sig_header = {
        let sig = Sig {
            pkalg: PKALG,
            keynum,
            sig: sig
                .as_ref()
                .try_into()
                .map_err(|_| Error::InvalidSignatureLength)?, // Safe: Fixed length
        };
        let encoded = Base64::encode_string(&sig.to_bytes());
        let mut h = Vec::new();
        h.extend_from_slice(COMMENTHDR.as_bytes());
        h.extend_from_slice(&sig_comment);
        h.push(b'\n');
        h.extend_from_slice(encoded.as_bytes());
        h.push(b'\n');
        h
    };

    let mut out: Box<dyn Write> = if let Some(f) = sig_file {
        Box::new(f)
    } else if is_stdout {
        Box::new(stdout())
    } else {
        Box::new(open(sig_path, true)?)
    };

    write_signed_gzip(
        &mut out,
        &head,
        &sig_header,
        &header_msg,
        &mut f,
        data_start,
    )
}

fn parse_gzip_for_signing(f: &mut std::fs::File) -> Result<([u8; 10], u64)> {
    let mut head = [0u8; 10];
    f.read_exact(&mut head).map_err(Error::Io)?;

    if head[0] != 0x1f || head[1] != 0x8b {
        return Err(Error::Io(std::io::Error::new(
            std::io::ErrorKind::InvalidData,
            "Not a gzip file",
        )));
    }

    let flg = head[3];
    if (flg & 4) != 0 {
        let mut xlen_b = [0u8; 2];
        f.read_exact(&mut xlen_b).map_err(Error::Io)?;
        let xlen = i64::from(u16::from_le_bytes(xlen_b));
        f.seek(SeekFrom::Current(xlen)).map_err(Error::Io)?;
    }

    if (flg & 8) != 0 {
        let mut buf = [0u8; 1];
        loop {
            f.read_exact(&mut buf).map_err(Error::Io)?;
            if buf[0] == 0 {
                break;
            }
        }
    }

    if (flg & 16) != 0 {
        let mut buf = [0u8; 1];
        loop {
            f.read_exact(&mut buf).map_err(Error::Io)?;
            if buf[0] == 0 {
                break;
            }
        }
    }

    if (flg & 2) != 0 {
        f.seek(SeekFrom::Current(2)).map_err(Error::Io)?;
    }

    let data_start = f.stream_position().map_err(Error::Io)?;
    Ok((head, data_start))
}

fn hash_gzip_content(
    f: &mut std::fs::File,
    data_start: u64,
    seckey_path: &Path,
) -> Result<(Vec<u8>, usize)> {
    const BLK_SIZE: usize = 0x0001_0000;
    let mut block = vec![0u8; BLK_SIZE];

    // Scan passes.
    loop {
        match f.read(&mut block) {
            Ok(0) => break,
            Ok(_) => continue,
            Err(ref e) if e.kind() == std::io::ErrorKind::Interrupted => continue,
            Err(e) => return Err(Error::Io(e)),
        }
    }

    let mut header_msg = Vec::new();
    let time_now = "0000-00-00T00:00:00Z";
    let keyname = if seckey_path.as_os_str() == "-" {
        "stdin"
    } else {
        seckey_path.to_str().ok_or(Error::InvalidPath)?
    };
    write!(
        &mut header_msg,
        "date={time_now}\nkey={keyname}\nalgorithm=SHA256\nblocksize={BLK_SIZE}\n\n",
    )
    .map_err(Error::Io)?;

    f.seek(SeekFrom::Start(data_start)).map_err(Error::Io)?;
    loop {
        match f.read(&mut block) {
            Ok(0) => break,
            Ok(n) => {
                let hash = Sha256::digest(&block[..n]);
                let hex = HEXLOWER.encode(&hash);
                header_msg.extend_from_slice(hex.as_bytes());
                header_msg.push(b'\n');
            }
            Err(ref e) if e.kind() == std::io::ErrorKind::Interrupted => continue,
            Err(e) => return Err(Error::Io(e)),
        }
    }

    Ok((header_msg, BLK_SIZE))
}

fn write_signed_gzip(
    out: &mut dyn Write,
    head: &[u8; 10],
    sig_header: &[u8],
    header_msg: &[u8],
    input: &mut std::fs::File,
    data_start: u64,
) -> Result<()> {
    let fake_header = [0x1f, 0x8b, 8, 16, 0, 0, 0, 0, head[8], 3];
    out.write_all(&fake_header).map_err(Error::Io)?;
    out.write_all(sig_header).map_err(Error::Io)?;
    out.write_all(header_msg).map_err(Error::Io)?;
    out.write_all(&[0u8]).map_err(Error::Io)?;

    input.seek(SeekFrom::Start(data_start)).map_err(Error::Io)?;
    copy(input, out).map_err(Error::Io)?;
    Ok(())
}

/// Verify a gzip signature.
pub fn verify_gzip(
    pubkey: Option<&Path>,
    msg_path: &Path,
    sig_path: &Path,
    quiet: bool,
    msg_file: Option<File>,
    sig_file: Option<File>,
    pubkey_file: Option<File>,
) -> Result<()> {
    let mut sig_file: Box<dyn Read> = if let Some(f) = sig_file {
        Box::new(f)
    } else if sig_path.as_os_str() == "-" {
        Box::new(stdin())
    } else {
        Box::new(open(sig_path, false)?)
    };

    let header = read_gzip_header(sig_file.as_mut())?;

    // Parse signature from comment.
    let (sig, header_list) = parse_sig_from_comment(&header.comment_vec)?;

    // Verify signature of header list.
    let pubkey = if let Some(f) = pubkey_file {
        let (pk, _) = parse_stream(f, PubKey::from_bytes)?;
        pk
    } else if let Some(path) = pubkey {
        let (pk, _) = parse::<PubKey, _>(path, PubKey::from_bytes)?;
        pk
    } else {
        return Err(Error::MissingPubKey);
    };

    if sig.keynum != pubkey.keynum {
        return Err(Error::KeyMismatch);
    }
    crypto::verify(header_list, &pubkey.pubkey, &sig.sig)?;

    // Parse header lines.
    let header_str = str::from_utf8(header_list).map_err(|_| Error::InvalidCommentHeader)?;
    let mut lines = header_str.lines();
    let blocksize = parse_header_metadata(&mut lines)?;

    // Output setup.
    let mut out_writer: Option<Box<dyn Write>> = if let Some(f) = msg_file {
        Some(Box::new(f))
    } else if msg_path.as_os_str() == "-" {
        Some(Box::new(stdout()))
    } else {
        Some(Box::new(open(msg_path, true)?))
    };

    // Write header.
    if let Some(w) = out_writer.as_mut() {
        w.write_all(&header.head).map_err(Error::Io)?;
        if !header.extra_field.is_empty() {
            w.write_all(&header.extra_field).map_err(Error::Io)?;
        }
        if !header.name_field.is_empty() {
            w.write_all(&header.name_field).map_err(Error::Io)?;
        }
        w.write_all(&header.comment_vec).map_err(Error::Io)?;
        w.write_all(&[0u8]).map_err(Error::Io)?;
    }

    if (header.flg & 2) != 0 {
        let mut crc = [0u8; 2];
        sig_file.read_exact(&mut crc).map_err(Error::Io)?;
        if let Some(w) = out_writer.as_mut() {
            w.write_all(&crc).map_err(Error::Io)?;
        }
    }

    verify_payload_blocks(sig_file.as_mut(), lines, blocksize, out_writer.as_mut())?;

    if !quiet {
        eprintln!("Signature Verified");
    }
    Ok(())
}

fn parse_sig_from_comment(comment_vec: &[u8]) -> Result<(Sig, &[u8])> {
    let n1 = memchr(b'\n', comment_vec).ok_or(Error::InvalidCommentHeader)?;
    let n2_start = n1.checked_add(1).ok_or(Error::Overflow)?;
    let n2 = memchr(b'\n', &comment_vec[n2_start..]).ok_or(Error::MissingSignatureNewline)?;
    let sig_end = n2_start.checked_add(n2).ok_or(Error::Overflow)?;

    let header_list = &comment_vec[sig_end.checked_add(1).ok_or(Error::Overflow)?..];

    let b64_bytes = &comment_vec[n2_start..sig_end];
    let b64_str = str::from_utf8(b64_bytes).map_err(|_e| Error::InvalidSignatureUtf8)?;
    let sig_bytes = Base64::decode_vec(b64_str.trim()).map_err(Error::Base64Decode)?;
    let sig = Sig::from_bytes(&sig_bytes)?;

    Ok((sig, header_list))
}

fn parse_header_metadata(lines: &mut std::str::Lines) -> Result<usize> {
    let mut algo = "SHA256";
    let mut blocksize = 0x0001_0000;

    for l in lines.by_ref() {
        if l.is_empty() {
            break;
        }
        if let Some(val) = l.strip_prefix("algorithm=") {
            algo = val;
        } else if let Some(val) = l.strip_prefix("blocksize=") {
            blocksize = val.parse().unwrap_or(0x0001_0000);
        }
    }

    if algo != "SHA256" && algo != "SHA512/256" {
        return Err(Error::Io(std::io::Error::new(
            std::io::ErrorKind::InvalidData,
            format!("Unsupported algorithm: {algo}"),
        )));
    }
    Ok(blocksize)
}

fn verify_payload_blocks(
    sig_file: &mut dyn Read,
    lines: std::str::Lines,
    blocksize: usize,
    mut out_writer: Option<&mut Box<dyn Write>>,
) -> Result<()> {
    let mut buf = vec![0u8; blocksize];
    for hash_line in lines {
        let n = loop {
            match sig_file.read(&mut buf) {
                Ok(n) => break n,
                Err(ref e) if e.kind() == std::io::ErrorKind::Interrupted => continue,
                Err(e) => return Err(Error::Io(e)),
            }
        };

        if n == 0 {
            return Err(Error::Io(std::io::Error::new(
                std::io::ErrorKind::UnexpectedEof,
                "Premature end of archive",
            )));
        }
        let hash = Sha256::digest(&buf[..n]);
        let hash_hex = HEXLOWER.encode(&hash);

        if hash_hex != hash_line {
            return Err(Error::VerifyFailed);
        }
        if let Some(w) = out_writer.as_mut() {
            w.write_all(&buf[..n]).map_err(Error::Io)?;
        }
    }

    // Ensure EOF.
    let n = loop {
        match sig_file.read(&mut buf) {
            Ok(n) => break n,
            Err(ref e) if e.kind() == std::io::ErrorKind::Interrupted => continue,
            Err(e) => return Err(Error::Io(e)),
        }
    };
    if n != 0 {
        return Err(Error::Io(std::io::Error::new(
            std::io::ErrorKind::InvalidData,
            "Trailing data in archive",
        )));
    }
    Ok(())
}

fn make_sig_comment(seckey_path: &Path, comment_bytes: &[u8]) -> Result<Vec<u8>> {
    let mut sig_comment = Vec::new();
    if seckey_path.as_os_str() == "-" {
        sig_comment.extend_from_slice(b"signature from ");
        sig_comment.extend_from_slice(comment_bytes);
    } else {
        let basename = check_keyname_compliance(None, seckey_path)?;
        sig_comment.extend_from_slice(b"verify with ");
        sig_comment.extend_from_slice(basename.as_bytes());
        sig_comment.extend_from_slice(b".pub");
    };
    Ok(sig_comment)
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::path::PathBuf;

    #[test]
    fn test_signer_default() {
        let signer = Signer::default();
        assert_eq!(signer.seckey, None);
        assert!(!signer.embed);
        assert!(!signer.gzip);
        assert_eq!(signer.key_id, None);
    }

    #[test]
    fn test_signer_builder() {
        let path = PathBuf::from("test.sec");
        let signer = Signer::new()
            .seckey(path.clone())
            .embed(true)
            .gzip(true)
            .key_id(42);

        assert_eq!(signer.seckey, Some(path));
        assert!(signer.embed);
        assert!(signer.gzip);
        assert_eq!(signer.key_id, Some(42));
    }

    #[test]
    fn test_verifier_default() {
        let verifier = Verifier::default();
        assert_eq!(verifier.pubkey, None);
        assert!(!verifier.quiet);
        assert!(!verifier.embed);
        assert!(!verifier.gzip);
    }

    #[test]
    fn test_verifier_builder() {
        let path = PathBuf::from("test.pub");
        let verifier = Verifier::new()
            .pubkey(path.clone())
            .quiet(true)
            .embed(true)
            .gzip(true);

        assert_eq!(verifier.pubkey, Some(path));
        assert!(verifier.quiet);
        assert!(verifier.embed);
        assert!(verifier.gzip);
    }
}