signify-rs 0.3.0

OpenBSD-compatible file signing & verification tool
## signify - OpenBSD-compatible file signing & verification tool

[![crates.io](https://img.shields.io/crates/v/signify-rs.svg?style=flat-square)](https://crates.io/crates/signify-rs)
[![docs.rs docs](https://img.shields.io/badge/docs-latest-blue.svg?style=flat-square)](https://docs.rs/crate/signify-rs/latest)
[![msrv](https://img.shields.io/badge/rustc-1.85%2B-green?style=plastic)](https://blog.rust-lang.org/2025/02/20/Rust-1.85.0/)
[![license: ISC](https://img.shields.io/badge/license-ISC-97CA00)](https://opensource.org/licenses/isc-license.txt)
[![build status](https://builds.sr.ht/~alip/signify.svg)](https://builds.sr.ht/~alip/signify?)

The signify utility creates and verifies cryptographic signatures. A
signature verifies the integrity of a _message_. This utility is a Rust
rewrite of [OpenBSD's reference
implementation](https://man.openbsd.org/signify), and provides a library
and a CLI tool for signing and verifying files. It's released under the
same license and focuses on security, simplicity, and strict adherence
to the OpenBSD implementation's formats and logic, while leveraging
Rust's safety guarantees. The codebase is well tested and free of
unsafe code and arithmetic side effects. The main code runs sandboxed using
[capsicum(4)](https://man.freebsd.org/cgi/man.cgi?capsicum(4)) on
FreeBSD,
[pledge(2)](https://man.openbsd.org/pledge.2)/[unveil(2)](https://man.openbsd.org/unveil)
on OpenBSD, and
[landlock(7)](https://www.man7.org/linux/man-pages/man7/landlock.7.html)
on Linux.

Usage is identical to the reference implementation, so users are
advised to read signify's [OpenBSD manual
page](https://man.openbsd.org/signify). Another recommended read is the
article [Securing OpenBSD From Us To
You](https://www.openbsd.org/papers/bsdcan-signify.html).

The crate is fairly portable and builds on FreeBSD, NetBSD, OpenBSD, Linux,
Windows, and WASM. Tests run on all these operating systems on each git
push using [Sourcehut Builds](https://builds.sr.ht/~alip/signify). CI
builds create statically linked signify binaries as artifacts, which may be
preferred by users who don't have the option to build signify from
source.

### Use with keyrings(7)

This crate comes with a single extension to the reference
implementation: When the crate is built on Linux or Android,
[keyrings(7)](https://www.man7.org/linux/man-pages/man7/keyrings.7.html)
support is compiled in. This adds the CLI option `-k key-id` to the
signify subcommands `-G`(enerate) and `-S`(ign), which allows the user
to specify their passphrase using a 32-bit key ID rather than inputting
it manually with a password prompt.

### Programmatic Use

1. Use the `signify` binary in scripts.
   Output and exit codes are stable, compatible with OpenBSD.
2. Use the [`libsignify-rs`](https://crates.io/crates/libsignify-rs) library
   as a dependency for your Rust code.
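
For the first option, a script can gate an install step on signify's exit status and fail closed. The sketch below is an added example, not code from this project: the function name `verify_then_install` and the `SIGNIFY` override variable are assumptions, and the `-V`, `-q`, `-p`, `-m` and `-x` flags are those documented in the OpenBSD manual page.

```shell
#!/bin/sh
# Added example: install an artifact only if its signify signature verifies.
# SIGNIFY is an assumed override so callers can pin the binary's path.

# verify_then_install PUBKEY ARTIFACT SIGFILE DEST
#   0  signature verified, DEST installed
#   1  verification failed, DEST left untouched
#   2  usage error or missing input file
verify_then_install() {
    [ "$#" -eq 4 ] || { echo "usage: verify_then_install pubkey artifact sig dest" >&2; return 2; }
    pubkey=$1 artifact=$2 sigfile=$3 dest=$4
    for f in "$pubkey" "$artifact" "$sigfile"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    done

    # Verify a private copy so the bytes that were checked are exactly the
    # bytes that get installed (no swap between check and use).
    tmp=$(mktemp "${dest}.XXXXXX") || return 2
    if ! cp -- "$artifact" "$tmp"; then rm -f -- "$tmp"; return 2; fi

    # -V verify, -q quiet, -p public key, -m message, -x signature file.
    if "${SIGNIFY:-signify}" -V -q -p "$pubkey" -m "$tmp" -x "$sigfile"; then
        mv -f -- "$tmp" "$dest"   # rename within the destination directory
        return 0
    fi
    rm -f -- "$tmp"
    echo "signature verification failed: $artifact" >&2
    return 1
}
```

Call it as `verify_then_install release.pub pkg.tar.gz pkg.tar.gz.sig /opt/pkg.tar.gz` (constructed file names) and treat any non-zero status as a reason to stop.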

### ChangeLog

See [ChangeLog.md](https://git.sr.ht/~alip/signify/tree/main/item/ChangeLog.md)

### License

ISC. See [COPYING](https://git.sr.ht/~alip/signify/tree/main/item/COPYING).