This one recent LWN.net article shares this one amazing secret to
lightweight attestation: digital signatures short enough to ride along
with an emailed patch.
Instead of a GPG sig block, which is rather fat 'n' frumpy in the
face of a short email, a minisign signature is just two base64 lines
and two comment lines. A .minisig file looks like this:
untrusted comment: <arbitrary text>
base64(<signature_algorithm> || <key_id> || <signature>)
trusted_comment: <arbitrary text>
base64(<global_signature>)
- signature_algorithm: Ed (PureEdDSA) or ED (HashedEdDSA)
- key_id: 8 random bytes, matching the public key
- signature (PureEdDSA): ed25519(<file data>)
- signature (HashedEdDSA): ed25519(Blake2b-512(<file data>))
- global_signature: ed25519(<signature> || <trusted_comment>)
- the untrusted comment is covered by neither signature, so nothing
  should ever depend on it; the trusted comment is bound to the file
  signature by global_signature and only changes if you re-sign
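To make that layout concrete, here is an added Go example, written for this note and not code from minisign or the LWN article. It builds a .minisig in the four-line format above, parses it back, and verifies both the file signature and the global signature, using only the Go standard library. It assumes the Ed (PureEdDSA) mode (ED would need BLAKE2b-512, which the standard library lacks); the key id, the comments and the "patch body" are constructed for the example. It also decodes the public-key line that -P takes, as shown in the quoted README further down.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Line prefixes of a real .minisig. The README sketch writes "trusted_comment:",
// but the files minisign actually emits use "trusted comment: " (with a space).
const (
	untrustedPrefix = "untrusted comment: "
	trustedPrefix   = "trusted comment: "
	algoPure        = "Ed" // PureEdDSA: ed25519 over the raw file data
	algoHashed      = "ED" // HashedEdDSA: ed25519 over BLAKE2b-512(file data)
)

// PublicKey is the decoded key line of minisign.pub (the string -P takes):
// base64("Ed" || key_id || 32-byte ed25519 public key).
type PublicKey struct {
	KeyID [8]byte
	Key   ed25519.PublicKey
}

// Signature holds the decoded fields of a four-line .minisig file.
type Signature struct {
	UntrustedComment, Algorithm, TrustedComment string
	KeyID                                        [8]byte
	Sig                                          []byte // ed25519(file) or ed25519(BLAKE2b-512(file))
	GlobalSig                                    []byte // ed25519(Sig || TrustedComment)
}

func ParsePublicKey(b64 string) (pk PublicKey, err error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) != 2+8+ed25519.PublicKeySize || string(raw[:2]) != algoPure {
		return pk, errors.New("minisign: malformed public key")
	}
	copy(pk.KeyID[:], raw[2:10])
	pk.Key = ed25519.PublicKey(raw[10:])
	return pk, nil
}

func ParseSignature(text string) (*Signature, error) {
	l := strings.Split(strings.TrimRight(text, "\n"), "\n")
	if len(l) != 4 || !strings.HasPrefix(l[0], untrustedPrefix) || !strings.HasPrefix(l[2], trustedPrefix) {
		return nil, errors.New("minisig: expected 4 lines with comment prefixes")
	}
	blob, err1 := base64.StdEncoding.DecodeString(l[1])
	global, err2 := base64.StdEncoding.DecodeString(l[3])
	if err1 != nil || err2 != nil || len(blob) != 2+8+ed25519.SignatureSize || len(global) != ed25519.SignatureSize {
		return nil, errors.New("minisig: malformed base64 blocks")
	}
	s := &Signature{
		UntrustedComment: strings.TrimPrefix(l[0], untrustedPrefix),
		TrustedComment:   strings.TrimPrefix(l[2], trustedPrefix),
		Algorithm:        string(blob[:2]), Sig: blob[10:], GlobalSig: global,
	}
	copy(s.KeyID[:], blob[2:10])
	if s.Algorithm != algoPure && s.Algorithm != algoHashed {
		return nil, errors.New("minisig: unknown signature algorithm")
	}
	return s, nil
}

// Sign writes a PureEdDSA ("Ed") .minisig in the exact file layout.
func Sign(priv ed25519.PrivateKey, keyID [8]byte, data []byte, untrusted, trusted string) string {
	sig := ed25519.Sign(priv, data)
	global := ed25519.Sign(priv, append(append([]byte{}, sig...), trusted...)) // binds the trusted comment
	blob := append(append([]byte(algoPure), keyID[:]...), sig...)
	return untrustedPrefix + untrusted + "\n" + base64.StdEncoding.EncodeToString(blob) + "\n" +
		trustedPrefix + trusted + "\n" + base64.StdEncoding.EncodeToString(global) + "\n"
}

// Verify checks the key id, the file signature, and the global signature over
// Sig || TrustedComment. Only "Ed" is handled here ("ED" needs BLAKE2b-512).
func Verify(pk PublicKey, s *Signature, data []byte) error {
	switch {
	case s.KeyID != pk.KeyID:
		return errors.New("minisig: key id does not match the public key")
	case s.Algorithm != algoPure:
		return errors.New("minisig: HashedEdDSA (ED) not handled in this example")
	case !ed25519.Verify(pk.Key, data, s.Sig):
		return errors.New("minisig: file signature invalid")
	case !ed25519.Verify(pk.Key, append(append([]byte{}, s.Sig...), s.TrustedComment...), s.GlobalSig):
		return errors.New("minisig: trusted comment was altered after signing")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keyID := [8]byte{0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4} // constructed; minisign draws these at random
	data := []byte("constructed patch body, not a real patch\n")
	text := Sign(priv, keyID, data, "signature from example key", "timestamp:0\tfile:patch.txt")
	fmt.Print(text)
	s, _ := ParseSignature(text)
	fmt.Println("verify:", Verify(PublicKey{keyID, pub}, s, data))
	s.TrustedComment = "timestamp:1\tfile:patch.txt" // tamper after signing
	fmt.Println("verify after editing trusted comment:", Verify(PublicKey{keyID, pub}, s, data))
}
```

The point worth noticing is the second ed25519 check: editing the trusted comment (say, the timestamp) after signing fails verification, whereas the untrusted comment can be rewritten freely, which is why it must never carry anything a verifier acts on.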
For emails, I'm guessing the untrusted and trusted comments (at
least) would not be needed; needs more exploration.
Another tool fer ya lolibag...
Next steps for kernel workflow improvement
https://lwn.net/Articles/803619/
... His proposal is to introduce signatures on emailed patches
as well. The mechanism used would be minisign, not GnuPG; one of
the big advantages of minisign is that the attached signatures
are much shorter than those created by GnuPG. Steve Rostedt
interrupted at this point to question the value of this approach;
he said that an attack, to be successful, would have to involve a
relatively complex patch written in a style that mimics that of
the purported author. It would be a big effort, he said; anybody
with the resources to do that could also crack the encryption
scheme used for attestation.
...
https://jedisct1.github.io/minisign/
# Minisign
Minisign is a dead simple tool to sign files and verify signatures.
It is portable, lightweight, and uses the highly secure Ed25519
public-key signature system.
## Creating a key pair
$ minisign -G
The public key is printed and put into the minisign.pub file. The
secret key is encrypted and saved as a file named
~/.minisign/minisign.key.
## Signing a file
$ minisign -Sm myfile.txt
Or, to include a comment in the signature that will be verified and
displayed when verifying the file:
$ minisign -Sm myfile.txt -t 'This comment will be signed as well'
The signature is put into myfile.txt.minisig.
Starting with version 0.8, multiple files can also be signed at once:
$ minisign -Sm file1.txt file2.txt *.jpg
## Verifying a file
$ minisign -Vm myfile.txt -P RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3
or
$ minisign -Vm myfile.txt -p signature.pub
This requires the signature myfile.txt.minisig to be present in the
same directory.
The public key can either reside in a file (./minisign.pub by
default) or be directly specified on the command line.
...