Comments (4)
Hi @bnoctis,
Thanks for the idea! I had some spare time and wanted to practice with Go, so I published minitrust a few days ago. It's a tool with two subcommands:
- Add a public key to a list of "trusted". Under the hood it creates a ~/.minisign/trusted/<keyid>.pub with the public key and its name in the "untrusted comment" field. (The path is the default and can be configured.)
- Verify a signature with a set of public keys in a "trusted" list. Internally, minitrust matches the key id with keys in ~/.minisign/trusted/.
An example of usage, verifying the source of the original minisign:
0 /tmp % curl -LO "https://github.com/jedisct1/minisign/archive/refs/tags/0.10.tar.gz"
0 /tmp % curl -LO "https://github.com/jedisct1/minisign/releases/download/0.10/0.10.tar.gz.minisig"
0 /tmp % minitrust -V -m 0.10.tar.gz
minitrust.go:95: Error: minitrust: public key doesn't exist in trusted directory.
1 /tmp % minitrust -T -c "key of github.com/jedisct1/minisign" -P RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3
0 /tmp % minitrust -V -m 0.10.tar.gz
minitrust.go:127: Verifying with key of github.com/jedisct1/minisign (E7620F1842B4E81F).
minitrust.go:136: Signature and comment signature verified.
0 /tmp %
The only dependency is jedisct1's go-minisign.
As I said, I've just published it, so it's in beta and a few early-stage issues should be resolved (i.e., rephrase the README, cover more code with tests, configure CI). I'd be glad to get feedback and contributions! @jedisct1, your feedback will be precious.
https://github.com/igoose1/minitrust
It could be a distinct project.
The key id is encoded in the signature and can be easily extracted. From here, one can check if there's a matching public key somewhere (maybe just by checking the presence of ~/.minisign/public-keys/<key_id>.pub and using it for verification if found).
That can even be a shell script.
I don't have any use case for this, but if you feel like writing such a project, go ahead :)
That's also my thought on how to do it: a ~/.minisign/trusted/ directory of trusted keys. If a file is found to be signed with a key in there it could be considered "trusted". And keys can simply be downloaded and deleted, just like normal files.
I propose such functionality be integrated into minisign itself, and am willing to implement it, but understand if you don't want that ;)
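The scheme sketched in the comments above (extract the key id from the .minisig, look for <key id>.pub in a directory of trusted keys, verify with that key), written as the shell script jedisct1 mentions. This is an added example, not code from minisign or minitrust. It assumes minisign's documented file layout (line 2 of a .pub or .minisig file is the base64 of a 2-byte algorithm tag, an 8-byte key id and then the key or signature) and that minisign prints a key id as those 8 bytes read little-endian in uppercase hex, which is how E7620F1842B4E81F in the session above comes from the RWQf6LRC... public key. The MINISIGN_TRUSTED_DIR variable, the function names and the constructed sample .minisig (the thread's key id over an all-zero signature) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not minisign's or minitrust's code): a shell version of the
# trusted-keys-directory idea from this thread.
#
# Assumed minisign file layout:
#   line 2 of a .pub     = base64("Ed" || 8-byte key id || 32-byte public key)
#   line 2 of a .minisig = base64("Ed"/"ED" || 8-byte key id || 64-byte signature)
# and minisign's key id display: the 8 key id bytes read little-endian, upper hex.
# MINISIGN_TRUSTED_DIR is an assumed variable name; it defaults to the
# ~/.minisign/trusted directory used in the thread.

# keyid_of_b64 BLOB: print the key id of a base64 key or signature blob in
# minisign's notation; fails if the blob does not carry 8 key id bytes.
keyid_of_b64() {
    printf '%s\n' "$1" | base64 -d 2>/dev/null | od -A n -v -t x1 -j 2 -N 8 |
        awk 'NF == 8 { for (i = NF; i > 0; i--) printf "%s", toupper($i); printf "\n"; ok = 1 }
             END { exit ok ? 0 : 1 }'
}

# keyid_of_file PATH: key id from line 2 of a .pub or .minisig file.
keyid_of_file() {
    keyid_of_b64 "$(sed -n '2p' "$1")"
}

# trust_key NAME BLOB: store a public key as <keyid>.pub in the trusted dir,
# with NAME in the untrusted comment (what "minitrust -T -c NAME -P BLOB" does).
trust_key() {
    dir=${MINISIGN_TRUSTED_DIR:-$HOME/.minisign/trusted}
    keyid=$(keyid_of_b64 "$2") || { echo "trust_key: bad public key" >&2; return 1; }
    mkdir -p "$dir"
    printf 'untrusted comment: %s\n%s\n' "$1" "$2" > "$dir/$keyid.pub"
    echo "$dir/$keyid.pub"
}

# verify_trusted FILE [SIG]: pick the public key by the key id in SIG and run
# minisign with it. Exit status: 2 if no trusted key has that id, 3 if the
# stored .pub is misnamed (its own key id differs), otherwise minisign's status.
# The key id in SIG is only a lookup hint: nothing is trusted until minisign
# verifies the signature under the stored key.
verify_trusted() {
    file=$1
    sig=${2:-$1.minisig}
    dir=${MINISIGN_TRUSTED_DIR:-$HOME/.minisign/trusted}
    keyid=$(keyid_of_file "$sig") || { echo "verify_trusted: cannot read key id from $sig" >&2; return 1; }
    pub=$dir/$keyid.pub
    if [ ! -f "$pub" ]; then
        echo "verify_trusted: key id $keyid is not in $dir" >&2
        return 2
    fi
    if [ "$(keyid_of_file "$pub")" != "$keyid" ]; then
        echo "verify_trusted: $pub does not carry key id $keyid" >&2
        return 3
    fi
    echo "Verifying with $(sed -n '1s/^untrusted comment: //p' "$pub") ($keyid)." >&2
    minisign -V -m "$file" -x "$sig" -p "$pub"
}

# make_sample_minisig PATH: write a constructed .minisig carrying the thread's
# key id (E7620F1842B4E81F) over an all-zero 64-byte signature. It exercises
# key id lookup only; minisign will (correctly) reject it.
make_sample_minisig() {
    {
        echo "untrusted comment: constructed sample, not a real signature"
        { printf '\105\104\037\350\264\102\030\017\142\347'
          dd if=/dev/zero bs=64 count=1 2>/dev/null; } | base64 | tr -d '\n'
        echo
        echo "trusted comment: constructed"
        echo "AAAA"
    } > "$1"
}

# CLI: "trust NAME BLOB" or "verify FILE [SIG]"; no arguments does nothing.
case ${1:-} in
    trust)  shift; trust_key "$@" ;;
    verify) shift; verify_trusted "$@" ;;
esac
```

Two points worth keeping in mind with this layout. First, the key id in a signature is attacker-controlled until the signature verifies, so the presence of <key id>.pub says nothing by itself; the trust decision is "a key with that id is in the directory and minisign accepts the signature under it". Second, minisign itself refuses a public key whose key id differs from the signature's, so the misnamed-file check above only buys a clearer error message; the directory name is never the source of truth, the key bytes are.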
Looks good @igoose1! Will try it.