signify - OpenBSD-compatible file signing & verification tool
The signify utility creates and verifies cryptographic signatures. A signature verifies the integrity of a message. This utility is a Rust rewrite of OpenBSD's reference implementation, and provides a library and a CLI tool for signing and verifying files. It's released under the same license and focuses on security, simplicity, and strict adherence to the OpenBSD implementation's formats and logic, while leveraging Rust's safety guarantees. Codebase is well-tested and it's free of unsafe code and arithmetic side effects. There's no use of proc macros in the crate or any of its dependencies, making the crate static linking friendly.
Usage is identical to the reference implementation, so the user is recommended to read signify's OpenBSD manual page. Another recommended read is the article Securing OpenBSD From Us To You.
The crate is fairly portable, builds on FreeBSD, NetBSD, Linux, and Windows. Tests run on all these operating systems on each git push using Sourcehut Builds. CI builds create static-linked signify binaries as artifacts which may be preferred by users who don't have the option to build signify from source.
Use with keyrings(7)
This crate comes with a single extension to the reference
implementation: When the crate is built with the feature keyring on
Linux, using e.g. cargo build --features keyring,
keyrings(7)
support is compiled in. This adds the CLI option -k key-id to the
signify subcommands -G(enerate), and -S(ign) which allows the user
to specify their passphrase using a 32-bit key ID rather than inputting
it manually with a password prompt.
License
ISC. See COPYING.