Minisign

A dead simple tool to sign files and verify signatures.

Table of Contents

• Minisign
  • Table of Contents
  • Overview
  • Documentation
  • Installation
    • Pre-built Packages
    • Building with Zig
    • Building with cmake and gcc or clang
  • Usage
    • Generating a Key Pair
    • Signing Files
    • Verifying Signatures
  • Verification of Official Releases
  • Docker
  • Compatibility with Signify
  • Signature Determinism
  • Additional Tools, Libraries and Implementations

Overview

Minisign is a tool to sign files and verify signatures. It's designed to be:

• Simple to use
• Secure (based on modern cryptography)
• Minimal (focused on doing one thing well)
• Cross-platform

Minisign uses the Ed25519 public-key signature system with small and fast signatures.

Documentation

For comprehensive documentation, please refer to the Minisign documentation website or the included man page.

Installation

Prebuilt Packages

Minisign is available in various package managers:

Platform	Command
macOS (Homebrew)	brew install minisign
Windows (Scoop)	scoop install minisign
Windows (Chocolatey)	choco install minisign

Building with Zig

Dependencies:

• libsodium (optional)
• zig (version 0.15.1 or later)

Compilation options:

1. With libsodium, dynamically linked:

zig build -Doptimize=ReleaseSmall

2. With libsodium, statically linked:

zig build -Doptimize=ReleaseSmall -Dstatic

3. Without libsodium (no dependencies required):

zig build -Doptimize=ReleaseSmall -Dwithout-libsodium

The resulting binary can be found in zig-out/bin/minisign.

For faster execution at the cost of larger binary size, you can replace ReleaseSmall with ReleaseFast in any of the above commands.

Building with CMake and GCC or Clang

Dependencies:

• libsodium (required)
• CMake
• pkg-config
• GCC or Clang

Compilation:

mkdir build
cd build
cmake ..
make
make install  # with appropriate permissions

Alternative configuration for static binaries:

cmake -D STATIC_LIBSODIUM=1 ..

or:

cmake -D BUILD_STATIC_EXECUTABLES=1 ..

Usage

Generating a Key Pair

minisign -G

This creates:

• A public key (minisign.pub by default)
• A password-protected secret key (minisign.key by default)

Signing Files

minisign -S -m file.txt

This creates a signature file named file.txt.minisig.

To add a trusted comment that will be verified:

minisign -S -m file.txt -t "Trusted comment here"

Verifying Signatures

minisign -Vm file.txt -p minisign.pub

or with a public key directly:

minisign -Vm file.txt -P RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3

Verification of Official Releases

Tarballs and precompiled binaries from the project can be verified with the following public key:

RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3

Docker

Minisign is available as a Docker image:

docker run -i --rm jedisct1/minisign

Example of generating a key for the first time and then signing a local file:

docker run -i --rm -v .:/minisign jedisct1/minisign \
  -s minisign.key -G

docker run -i --rm -v .:/minisign jedisct1/minisign \
  -s minisign.key -S -m files_to_sign

-s minisign.key creates and uses the secret key; the public key will be named minisign.pub.

Important: create a backup and do not commit or share your generated private key file minisign.key.

Example of verifying a signature using the Docker image:

docker run -i --rm -v .:/minisign jedisct1/minisign \
  -Vm file_to_verify -p minisign.pub

-p minisign.pub may be omitted if the default name has been generated.

The image can be verified with the following cosign public key:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExjZWrlc6c58W7ZzmQnx6mugty99C
OQTDtJeciX9LF9hEbs1J1fzZHRdRhV4OTqcq0jTW9PXnrSSZlk1fbkE/5w==
-----END PUBLIC KEY-----

Compatibility with Signify

Minisign is compatible with signify, the OpenBSD signing tool. Signatures created with signify can be verified with minisign, and vice versa.

Signature Determinism

This implementation uses deterministic signatures, unless libsodium was compiled with the ED25519_NONDETERMINISTIC macro defined. This adds random noise to the computation of EdDSA nonces.

Other implementations can choose to use non-deterministic signatures by default. They will remain fully interoperable with implementations using deterministic signatures.

Additional Tools, Libraries and Implementations

• minizign - Compact implementation in Zig that can also use SSH-encoded keys
• minisign-misc - Set of workflows and scripts for macOS to verify and sign files
• go-minisign - Go module to verify Minisign signatures
• rust-minisign - Minisign library in pure Rust
• rsign2 - Reimplementation of the command-line tool in Rust
• minisign (go) - Rewrite in Go language (CLI and library)
• minisign-verify - Small Rust crate to verify Minisign signatures
• minisign-net - .NET library for Minisign signatures
• minisign - JavaScript implementation
• WebAssembly implementations: rsign2 and minisign-cli on WAPM
• minisign-php - PHP implementation
• py-minisign - Python implementation
• minisign - Elixir implementation (verification only)