minisign
Can we have keyrings?
It's great to have short keys in place of all the long PGP keys. But it's also great, in my opinion, to have a keyring, so I can have a "trusted keys list", and when verifying a file, minisign would tell me if it's signed by some key I trust, rather than myself checking against a list of public key files to find out if one of them signed it.
https://github.com/jedisct1/minisign/issues/103 is basically the same except it's a system-level keyring, not user-level.
It could be a distinct project.
The key id is encoded in the signature and can be easily extracted. From here, one can check if there's a matching public key somewhere (maybe just by checking the presence of ~/.minisign/public-keys/<key_id>.pub and using it for verification if found).
That can even be a shell script.
I don't have any use case for this, but if you feel like writing such a project, go ahead :)
That's also my thought on how to do it: a ~/.minisign/trusted/ directory of trusted keys. If a file is found to be signed with a key in there it could be considered "trusted". And keys can simply be downloaded and deleted, just like normal files.
I propose such functionality be integrated into minisign itself, and am willing to implement it, but understand if you don't want that ;)
Hi @bnoctis,
Thanks for the idea! I had some spare time and wanted to practice with Go, so I published minitrust a few days ago. It's a tool with two subcommands:
- Add a public key to a list of "trusted". Under the hood it creates a ~/.minisign/trusted/<keyid>.pub with the public key and its name in the "untrusted comment" field. (That path is the default and can be configured.)
- Verify a signature with a set of public keys in the "trusted" list. Internally, minitrust matches the key id with the keys in ~/.minisign/trusted/.
An example of usage with verifying the source of original minisign:
0 /tmp % curl -LO "https://github.com/jedisct1/minisign/archive/refs/tags/0.10.tar.gz"
0 /tmp % curl -LO "https://github.com/jedisct1/minisign/releases/download/0.10/0.10.tar.gz.minisig"
0 /tmp % minitrust -V -m 0.10.tar.gz
minitrust.go:95: Error: minitrust: public key doesn't exist in trusted directory.
1 /tmp % minitrust -T -c "key of github.com/jedisct1/minisign" -P RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3
0 /tmp % minitrust -V -m 0.10.tar.gz
minitrust.go:127: Verifying with key of github.com/jedisct1/minisign (E7620F1842B4E81F).
minitrust.go:136: Signature and comment signature verified.
0 /tmp %
The only dependency is jedisct1's go-minisign.
As I said, I've just published it, so it's in beta and a few early-stage issues should be resolved (i.e., rephrase README, cover more code with tests, configure CI). I'd be glad for feedback and contributions! @jedisct1, your feedback will be precious.
https://github.com/igoose1/minitrust
Looks good @igoose1! Will try it.