libsignify-rs 0.4.0

OpenBSD-compatible file signing & verification library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

# libsignify-rs - OpenBSD-compatible file signing & verification library

[![crates.io](https://img.shields.io/crates/v/libsignify-rs.svg?style=flat-square)](https://crates.io/crates/libsignify-rs)
[![docs.rs docs](https://img.shields.io/badge/docs-latest-blue.svg?style=flat-square)](https://docs.rs/crate/libsignify-rs/latest)
[![license: ISC](https://img.shields.io/badge/license-ISC-97CA00)](https://opensource.org/licenses/isc-license.txt)
[![build status](https://builds.sr.ht/~alip/signify.svg)](https://builds.sr.ht/~alip/signify?)

A Rust library for cryptographically signing and verifying files using
the Ed25519-based format defined by OpenBSD's
[`signify`](https://man.openbsd.org/signify) utility.

## Usage

This crate exports a Builder-based API for ergonomic use in Rust
applications.

```rust
use std::fs;
use std::path::Path;

use libsignify_rs::{KeyGenerator, Signer, Verifier};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let key_pub = Path::new("key.pub");
    let key_sec = Path::new("key.sec");
    let msg_file = Path::new("message.txt");
    let sig_file = Path::new("message.txt.sig");

    // Generate a new key pair.
    KeyGenerator::new()
        .comment("Heavy is the root of light. Still is the master of moving.")
        .generate(key_pub, key_sec)?;

    // Create a file to sign.
    fs::write(msg_file, "Change return success. Going and coming without error. Action brings good fortune.")?;

    // Sign the file
    Signer::new()
        .seckey(key_sec)
        .sign(msg_file, sig_file)?;

    // Verify the signature.
    Verifier::new()
        .pubkey(key_pub)
        .verify(msg_file, sig_file)?;

    Ok(())
}
```

### Usage with keyrings(7)

The `Signify` struct provides a high-level configuration interface. On
Linux/Android, it supports kernel
[keyrings(7)](https://www.man7.org/linux/man-pages/man7/keyrings.7.html)
integration for secure passphrase management.

```rust
use std::path::PathBuf;
use libsignify_rs::signify::{Mode, Signify};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let key_pub = PathBuf::from("key.pub");
    let key_sec = PathBuf::from("key.sec");
    let msg_file = PathBuf::from("msg.txt");

    // 1. Generate Key Pair.
    let mut signify = Signify::default();
    signify.mode = Some(Mode::Generate);
    signify.pubkey = Some(key_pub.clone());
    signify.seckey = Some(key_sec.clone());
    signify.comment = Some("keyring-example".to_string());

    // On Linux/Android, setting key_id enables keyring integration.
    // The passphrase will be read from or stored in the kernel session keyring.
    signify.key_id = Some(1337);

    signify.execute()?;

    // 2. Sign a file.
    signify.mode = Some(Mode::Sign);
    signify.msg_file = Some(msg_file.clone());

    // Signature file path is automatically derived (msg.sig) if not set.
    signify.execute()?;

    // 3. Verify.
    signify.mode = Some(Mode::Verify);
    signify.quiet = true;
    signify.execute()?;

    Ok(())
}
```

## Features

- **Strict Compatibility**: Adheres strictly to the OpenBSD file format
  and verification logic.
- **Pure Rust**: No unsafe code, no arithmetic side effects.
- **Keyring Support**: On Linux/Android, integrates with kernel
  [keyrings(7)](https://www.man7.org/linux/man-pages/man7/keyrings.7.html)
  for secure passphrase management.

### ChangeLog

See [ChangeLog.md](https://git.sr.ht/~alip/signify/tree/main/item/ChangeLog.md)

### License

ISC. See [COPYING](https://git.sr.ht/~alip/signify/tree/main/item/lib/COPYING).