Can we have keyrings? about minisign HOT 4 OPEN

Hi @bnoctis,

Thanks for an idea! I had some spare time and wanted to practice with Go so I published minitrust few days ago. It's a tool with two subcommands:

1. Add a public key to a list of "trusted". Under the hood it creates a ~/.minisign/trusted/<keyid>.pub with public key and its name in "untrusted comment" field. (The path is by default and can be configured.)
2. Verify a signature with a set of public keys in a "trusted" list. Internally, minitrust matches key id with keys in ~/.minisign/trusted/.

An example of usage with verifying the source of original minisign:

0 /tmp % curl -LO "https://github.com/jedisct1/minisign/archive/refs/tags/0.10.tar.gz"
0 /tmp % curl -LO "https://github.com/jedisct1/minisign/releases/download/0.10/0.10.tar.gz.minisig"
0 /tmp % minitrust -V -m 0.10.tar.gz
minitrust.go:95: Error: minitrust: public key doesn't exist in trusted directory.
1 /tmp % minitrust -T -c "key of github.com/jedisct1/minisign" -P RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3
0 /tmp % minitrust -V -m 0.10.tar.gz
minitrust.go:127: Verifying with key of github.com/jedisct1/minisign (E7620F1842B4E81F).
minitrust.go:136: Signature and comment signature verified.
0 /tmp %

The only dependency is jedisct1's go-minisign.

As I said, I've just published it so it's in beta and a few early-stage issues should be resolved (i.e., rephrase README, cover more code with tests, configure CI). I'd be glad to feedback and contribution! @jedisct1, your feedback will be precious.

https://github.com/igoose1/minitrust

from minisign.

It could be a distinct project.

The key id is encoded in the signature and can be easily extracted. From here, one can check if there's a matching public key somewhere (maybe just by checking the presence of ~/.minisign/public-keys/<key_id>.pub and using it for verification if found).

That can even be a shell script.

I don't have any use case for this, but if you feel like writing such a project, go ahead :)

from minisign.

That's also my thought on how to do it: a ~/.minisign/trusted/ directory of trusted keys. If a file is found to be signed with a key in there it could be considered "trusted". And keys can simply be downloaded and deleted, just like normal files.

I propose such functionality be integrated into minisign itself, and am willing to implement it, but understand if you don't want that ;)

from minisign.

Looks good @igoose1! Will try it.

from minisign.