signify - OpenBSD-compatible file signing & verification tool
The signify utility creates and verifies cryptographic signatures. A signature verifies the integrity of a message. This utility is a Rust rewrite of OpenBSD's reference implementation, and provides a library and a CLI tool for signing and verifying files. It's released under the same license and focuses on security, simplicity, and strict adherence to the OpenBSD implementation's formats and logic, while leveraging Rust's safety guarantees. Codebase is well-tested and it's free of unsafe code and arithmetic side effects. Main code runs sandboxed using capsicum(4) on FreeBSD, pledge(2)/unveil(2) on OpenBSD, and landlock(7) on Linux.
Usage is identical to the reference implementation, so the user is recommended to read signify's OpenBSD manual page. Another recommended read is the article Securing OpenBSD From Us To You.
The crate is fairly portable, builds on FreeBSD, NetBSD, OpenBSD, Linux, Windows, and WASM. Tests run on all these operating systems on each git push using Sourcehut Builds. CI builds create static-linked signify binaries as artifacts which may be preferred by users who don't have the option to build signify from source.
Use with keyrings(7)
This crate comes with a single extension to the reference
implementation: When the crate is built on Linux or Android,
keyrings(7)
support is compiled in. This adds the CLI option -k key-id to the
signify subcommands -G(enerate), and -S(ign) which allows the user
to specify their passphrase using a 32-bit key ID rather than inputting
it manually with a password prompt.
Programmatic Use
- Use
signifybinary in scripts. Output and exit codes are stable, compatible with OpenBSD. - Use
libsignify-rslibrary as a dependency for your Rust code.
ChangeLog
See ChangeLog.md
License
ISC. See COPYING.