minisign icon indicating copy to clipboard operation
minisign copied to clipboard

Published 20 hours ago verified publisher icon jedisct1

Can we have keyrings?

Open nc7s opened this issue 2 years ago • 4 comments

It's great to have short keys in place of all the long PGP keys. But it's also great, in my opinion, to have a keyring, so I can have a "trusted keys list", and when verifying a file, minisign would tell me if it's signed by some key I trust, rather than myself checking against a list of public key files to find out if one of them signed it.

https://github.com/jedisct1/minisign/issues/103 is basically the same except it's a system-level keyring, not user-level.

nc7s avatar Jun 09 '22 13:06 nc7s

It could be a distinct project.

The key id is encoded in the signature and can be easily extracted. From here, one can check if there's a matching public key somewhere (maybe just by checking the presence of ~/.minisign/public-keys/<key_id>.pub and using it for verification if found).

That can even be a shell script.

I don't have any use case for this, but if you feel like writing such a project, go ahead :)

jedisct1 avatar Jun 09 '22 15:06 jedisct1

That's also my thought on how to do it: a ~/.minisign/trusted/ directory of trusted keys. If a file is found to be signed with a key in there it could be considered "trusted". And keys can simply be downloaded and deleted, just like normal files.

I propose such functionality be integrated into minisign itself, and am willing to implement it, but understand if you don't want that ;)

nc7s avatar Jun 09 '22 16:06 nc7s

Hi @bnoctis,

Thanks for an idea! I had some spare time and wanted to practice with Go so I published minitrust few days ago. It's a tool with two subcommands:

  1. Add a public key to a list of "trusted". Under the hood it creates a ~/.minisign/trusted/<keyid>.pub with public key and its name in "untrusted comment" field. (The path is by default and can be configured.)
  2. Verify a signature with a set of public keys in a "trusted" list. Internally, minitrust matches key id with keys in ~/.minisign/trusted/.

An example of usage with verifying the source of original minisign:

0 /tmp % curl -LO "https://github.com/jedisct1/minisign/archive/refs/tags/0.10.tar.gz"
0 /tmp % curl -LO "https://github.com/jedisct1/minisign/releases/download/0.10/0.10.tar.gz.minisig"
0 /tmp % minitrust -V -m 0.10.tar.gz
minitrust.go:95: Error: minitrust: public key doesn't exist in trusted directory.
1 /tmp % minitrust -T -c "key of github.com/jedisct1/minisign" -P RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3
0 /tmp % minitrust -V -m 0.10.tar.gz
minitrust.go:127: Verifying with key of github.com/jedisct1/minisign (E7620F1842B4E81F).
minitrust.go:136: Signature and comment signature verified.
0 /tmp %

The only dependency is jedisct1's go-minisign.

As I said, I've just published it so it's in beta and a few early-stage issues should be resolved (i.e., rephrase README, cover more code with tests, configure CI). I'd be glad to feedback and contribution! @jedisct1, your feedback will be precious.

https://github.com/igoose1/minitrust

igoose1 avatar Jul 24 '22 13:07 igoose1

Looks good @igoose1! Will try it.

nc7s avatar Aug 02 '22 14:08 nc7s