lightweight attestation/ signatures - GPG - minisign
This one recent LWN.net article shares this one amazing secret to lightweight attestation digital signatures. Instead of a GPG sig block, which is rather fat 'n' frumpy in the face of a short email, minisign signatures look more like a git hash:

untrusted comment: <arbitrary text>
base64(<signature_algorithm> || <key_id> || <signature>)
trusted_comment: <arbitrary text>
base64(<global_signature>)

- signature_algorithm: Ed
- key_id: 8 random bytes, matching the public key
- signature (PureEdDSA): ed25519(<file data>)
- signature (HashedEdDSA): ed25519(Blake2b-512(<file data>))
- global_signature: ed25519(<signature> || <trusted_comment>)

For emails, I'm guessing the untrusted and trusted comments (at least) would not be needed; needs more exploration.

Another tool fer ya lolibag...

Next steps for kernel workflow improvement
https://lwn.net/Articles/803619/

...

His proposal is to introduce signatures on emailed patches as well. The mechanism used would be minisign, not GnuPG; one of the big advantages of minisign is that the attached signatures are much shorter than those created by GnuPG. Steve Rostedt interrupted at this point to question the value of this approach; he said that an attack, to be successful, would have to involve a relatively complex patch written in a style that mimics that of the purported author. It would be a big effort, he said; anybody with the resources to do that could also crack the encryption scheme used for attestation.

...

https://jedisct1.github.io/minisign/

# Minisign

Minisign is a dead simple tool to sign files and verify signatures. It is portable, lightweight, and uses the highly secure Ed25519 public-key signature system.

## Creating a key pair

$ minisign -G

The public key is printed and put into the minisign.pub file. The secret key is encrypted and saved as a file named ~/.minisign/minisign.key.
## Signing a file

$ minisign -Sm myfile.txt

Or to include a comment in the signature, that will be verified and displayed when verifying the file:

$ minisign -Sm myfile.txt -t 'This comment will be signed as well'

The signature is put into myfile.txt.minisig.

Starting with version 0.8, multiple files can also be signed at once:

$ minisign -Sm file1.txt file2.txt *.jpg

## Verifying a file

$ minisign -Vm myfile.txt -P RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3

or

$ minisign -Vm myfile.txt -p signature.pub

This requires the signature myfile.txt.minisig to be present in the same directory. The public key can either reside in a file (./minisign.pub by default) or be directly specified on the command line.

...
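To make the signature layout described earlier in the post concrete, here is an added example (not from the post, LWN, or the minisign project): a stdlib-only parser for the minisign public-key and .minisig formats. It checks the structural invariants a verifier depends on (algorithm tag `Ed`/`ED`, 8-byte key id, 64-byte signatures), confirms that a signature carries the key id of the public key it is being checked against, and rebuilds the exact message the global signature covers (signature || trusted comment). The `verify` function assumes the optional `cryptography` package for the actual Ed25519 check; the sample key and signature at the bottom are constructed placeholder bytes, so they parse but would not verify against any real key.

```python
import base64
import hashlib
from dataclasses import dataclass

# Wire-format constants from the minisign format description above.
KEY_ID_LEN, SIG_LEN, PK_LEN = 8, 64, 32
ALGO_PURE = b"Ed"       # PureEdDSA:   ed25519(<file data>)
ALGO_PREHASHED = b"ED"  # HashedEdDSA: ed25519(Blake2b-512(<file data>))


@dataclass(frozen=True)
class PublicKey:
    key_id: bytes
    key: bytes


@dataclass(frozen=True)
class Signature:
    untrusted_comment: str
    algorithm: bytes
    key_id: bytes
    signature: bytes
    trusted_comment: str
    global_signature: bytes

    @property
    def prehashed(self) -> bool:
        return self.algorithm == ALGO_PREHASHED

    def global_message(self) -> bytes:
        # The global signature covers <signature> || <trusted_comment>; this is
        # what binds the trusted comment to the file signature.
        return self.signature + self.trusted_comment.encode()


def _field(line: str, prefix: str) -> str:
    if not line.startswith(prefix):
        raise ValueError(f"expected {prefix!r}, got {line!r}")
    return line[len(prefix):]


def parse_public_key(text: str) -> PublicKey:
    lines = text.strip().splitlines()
    if len(lines) != 2:
        raise ValueError("public key: expected a comment line and a base64 line")
    _field(lines[0], "untrusted comment: ")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != 2 + KEY_ID_LEN + PK_LEN or raw[:2] != ALGO_PURE:
        raise ValueError("public key: malformed blob")
    return PublicKey(key_id=raw[2:10], key=raw[10:])


def parse_signature(text: str) -> Signature:
    # Real .minisig files spell the third line "trusted comment: " (with a space).
    lines = text.strip().splitlines()
    if len(lines) != 4:
        raise ValueError(".minisig: expected exactly four lines")
    untrusted = _field(lines[0], "untrusted comment: ")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != 2 + KEY_ID_LEN + SIG_LEN or raw[:2] not in (ALGO_PURE, ALGO_PREHASHED):
        raise ValueError(".minisig: malformed signature blob")
    trusted = _field(lines[2], "trusted comment: ")
    gsig = base64.b64decode(lines[3], validate=True)
    if len(gsig) != SIG_LEN:
        raise ValueError(".minisig: malformed global signature")
    return Signature(untrusted, raw[:2], raw[2:10], raw[10:], trusted, gsig)


def key_ids_match(pk: PublicKey, sig: Signature) -> bool:
    # Cheap pre-check: a signature made by a different key is rejected before
    # any cryptographic work, and the mismatch is worth logging on its own.
    return pk.key_id == sig.key_id


def verify(pk: PublicKey, sig: Signature, data: bytes) -> bool:
    """Full Ed25519 check; assumes the optional 'cryptography' package is installed."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
    if not key_ids_match(pk, sig):
        return False
    msg = hashlib.blake2b(data, digest_size=64).digest() if sig.prehashed else data
    try:
        key = Ed25519PublicKey.from_public_bytes(pk.key)
        key.verify(sig.signature, msg)                          # file signature
        key.verify(sig.global_signature, sig.global_message())  # trusted comment
    except InvalidSignature:
        return False
    return True


# Constructed sample (placeholder bytes, not a real key or signature): it is
# structurally valid so the parser and key-id check can be exercised offline.
_KEY_ID = bytes(range(KEY_ID_LEN))
SAMPLE_PUBKEY = "\n".join([
    "untrusted comment: minisign public key (constructed)",
    base64.b64encode(ALGO_PURE + _KEY_ID + b"\x11" * PK_LEN).decode(),
]) + "\n"
SAMPLE_MINISIG = "\n".join([
    "untrusted comment: signature from constructed key",
    base64.b64encode(ALGO_PREHASHED + _KEY_ID + b"\x22" * SIG_LEN).decode(),
    "trusted comment: timestamp:1700000000\tfile:myfile.txt",
    base64.b64encode(b"\x33" * SIG_LEN).decode(),
]) + "\n"

if __name__ == "__main__":
    pk, sig = parse_public_key(SAMPLE_PUBKEY), parse_signature(SAMPLE_MINISIG)
    print("key id match:", key_ids_match(pk, sig), "prehashed:", sig.prehashed)
```

The key-id comparison is deliberately separate from `verify`: in a patch-review pipeline a signature whose key id does not match the sender's published key is a distinct, loggable event from a signature that simply fails to verify, and it costs nothing to detect.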
participants (1)
-
Zenaan Harkness