Wanted to write down my notes on signing tools before I ended up losing the information. I was researching what's available in FLOSS signing tools for signing software packages for lightweight Linux distributions. Programs I found that could do that job are listed below.

The one I liked best was usign. The main reason is that it's portable, and I found it easy to build even on systems that don't support POSIX. It also doesn't rely on any outside libraries, so there's no need to worry about whether you have all the dependencies on your system. Signatures and keys are compatible with OpenBSD's signify utility.
https://github.com/xypron/usign

Most newer signing tools seem to be based on the concepts used by the OpenBSD signing tool, signify. signify uses the ed25519 signature algorithm and deliberately keeps the feature set small: one algorithm, one key per file, and two-line key and signature files that start with an "untrusted comment" header. It can replace tools like PGP in settings where that is enough, such as checking that a software package or release file is the one a distribution actually published, without PGP's web of trust, key servers or choice of algorithms. There's more information on signify here:
https://www.openbsd.org/papers/bsdcan-signify.html

A portable version of the BSD signify tool is available:
https://github.com/aperezdc/signify
It requires libbsd to build. There's an older Windows port:
https://github.com/stoeckmann/signify-windows

I wanted something with fewer dependencies and asignify provides that:
https://github.com/vstakhov/asignify
It was inspired by signify. However, it's mainly geared to POSIX-compatible systems and requires termios for terminal handling (such as prompting for a passphrase without echoing it).

Another option I found that looked promising was minisign:
https://github.com/jedisct1/minisign
https://jedisct1.github.io/minisign/
It requires libsodium and was written by the author of that library.

I also ran across sign:
https://github.com/apankrat/sign
It needs openssl or libressl and was also designed for POSIX systems.

So, of all the options, the only one that had minimal dependencies and no trouble building on operating systems that might not be POSIX compatible was usign.

Since these programs all mainly use the ed25519 algorithm, it left me wondering whether an option might be available that uses libtomcrypt or bearssl, since both of those dependencies are already on my system. That would cut down on some repeated code. For the present, usign seems sufficient.

I saw some lightweight Linux distributions mention in their documentation that they're using or investigating adding package signing to improve security when working with their systems. I do have my own package manager. At the moment, it mainly uses checksums to check if packages download properly and are what you expect them to be. Not sure how I'd add signed packages to my workflow. My package manager is designed more to work with source code and download the source directly from the web site of a program or library. Sites typically only provide some kind of checksum information such as md5 or sha1 or sha256. If others are using signatures and keys with their workflow when building or sharing packages built from source, I'd be very curious to hear about the processes you're using and how you've integrated it. Please let me know. Since I'm not incorporating signed packages at present, wanted to make sure I summarized the information on FLOSS programs that could handle the signing task in case I might need them in the future.
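As an added example (not code from this post, from signify, or from usign), the pure-Python script below shows what the tools listed above have in common: the ed25519 signature math that signify introduced, and the signify file layout that usign and the other signify-compatible tools read and write (a first line `untrusted comment: ...`, then one base64 line holding the two-byte algorithm tag `Ed`, an 8-byte key number, and the 32-byte public key or 64-byte signature). It also plays out the checksum-versus-signature question from the paragraph above. The seed, key number and package bytes are constructed for the example; the file layout is taken from signify's source and the BSDCan paper linked above, and byte-for-byte interoperability with real signify or usign files is assumed rather than tested here. The curve arithmetic is the textbook construction: readable, slow, and not constant-time, so not something to ship.

```python
# Added example (not from the post, signify or usign): textbook Ed25519 plus signify's file layout.
import base64
import hashlib

Q = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # group order
D = (-121665 * pow(121666, Q - 2, Q)) % Q              # curve constant d

def _inv(x):
    return pow(x, Q - 2, Q)

def _xrecover(y):                                      # even x with (x, y) on the curve
    xx = (y * y - 1) * _inv(D * y * y + 1)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q != 0:
        x = (x * pow(2, (Q - 1) // 4, Q)) % Q          # multiply by sqrt(-1)
    return Q - x if x % 2 else x

_B = (_xrecover(4 * _inv(5) % Q), 4 * _inv(5) % Q)     # base point, y = 4/5

def _edwards(p, q):                                    # affine point addition
    (x1, y1), (x2, y2) = p, q
    x3 = (x1 * y2 + x2 * y1) * _inv(1 + D * x1 * x2 * y1 * y2)
    y3 = (y1 * y2 + x1 * x2) * _inv(1 - D * x1 * x2 * y1 * y2)
    return (x3 % Q, y3 % Q)

def _scalarmult(p, e):                                 # right-to-left double-and-add
    r = (0, 1)
    while e:
        r, p, e = (_edwards(r, p) if e & 1 else r), _edwards(p, p), e >> 1
    return r

def _encodepoint(p):                                   # y with the parity of x in the top bit
    return (p[1] | ((p[0] & 1) << 255)).to_bytes(32, "little")

def _decodepoint(s):
    v = int.from_bytes(s, "little")
    y = v & ((1 << 255) - 1)
    x = _xrecover(y)
    if (x & 1) != (v >> 255):
        x = Q - x
    if (-x * x + y * y - 1 - D * x * x * y * y) % Q != 0:
        raise ValueError("point not on curve")
    return (x, y)

def _secret_scalar(seed):                              # RFC 8032 clamping of SHA-512(seed)[:32]
    h = bytearray(hashlib.sha512(seed).digest()[:32])
    h[0], h[31] = h[0] & 248, (h[31] & 63) | 64
    return int.from_bytes(h, "little")

def _hint(*parts):                                     # SHA-512 of the parts as a scalar mod L
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little") % L

def ed25519_publickey(seed):
    return _encodepoint(_scalarmult(_B, _secret_scalar(seed)))

def ed25519_sign(message, seed):
    pk, prefix = ed25519_publickey(seed), hashlib.sha512(seed).digest()[32:]
    r = _hint(prefix, message)
    R = _encodepoint(_scalarmult(_B, r))
    s = (r + _hint(R, pk, message) * _secret_scalar(seed)) % L
    return R + s.to_bytes(32, "little")

def ed25519_verify(sig, message, pk):
    s = int.from_bytes(sig[32:], "little")
    if len(sig) != 64 or len(pk) != 32 or s >= L:     # reject non-canonical S
        return False
    try:
        R, A = _decodepoint(sig[:32]), _decodepoint(pk)
    except ValueError:
        return False
    return _scalarmult(_B, s) == _edwards(R, _scalarmult(A, _hint(sig[:32], pk, message)))

# signify layout (assumed from its source): "untrusted comment: ...\n" + base64("Ed" + keynum[8] + body) + "\n"
PKALG, COMMENT_HDR = b"Ed", b"untrusted comment: "

def encode_file(comment, keynum, body):
    return COMMENT_HDR + comment + b"\n" + base64.b64encode(PKALG + keynum + body) + b"\n"

def decode_file(data, body_len):                       # -> (comment, keynum, body)
    lines = data.split(b"\n")
    if len(lines) < 2 or not lines[0].startswith(COMMENT_HDR):
        raise ValueError("missing 'untrusted comment:' line")
    raw = base64.b64decode(lines[1], validate=True)
    if raw[:2] != PKALG or len(raw) != 10 + body_len:
        raise ValueError("unsupported algorithm or malformed body")
    return lines[0][len(COMMENT_HDR):], raw[2:10], raw[10:]

def verify_file(pub_file, sig_file, message):
    # Both files must parse, the signature must name the key's keynum, and the
    # check must pass over the exact file bytes (signify signs the file, not a digest).
    _, key_keynum, pk = decode_file(pub_file, 32)
    _, sig_keynum, sig = decode_file(sig_file, 64)
    return sig_keynum == key_keynum and ed25519_verify(sig, message, pk)

def demo():
    # Constructed seed, keynum and package (real signify keeps the seed in an
    # encrypted .sec file). Returns (genuine package verifies, tampered package verifies).
    seed, keynum = bytes(range(32)), bytes(range(1, 9))
    package = b"example-1.0.tar.gz (constructed contents)"
    pub = encode_file(b"example key", keynum, ed25519_publickey(seed))
    sig = encode_file(b"verify with example.pub", keynum, ed25519_sign(package, seed))
    return verify_file(pub, sig, package), verify_file(pub, sig, package + b"\x00backdoor")
```

`demo()` returns `(True, False)`: the signed package verifies and the tampered copy does not. That is the difference from the checksum-only workflow: a sha256 fetched from the same site as the tarball only catches a corrupted download, because whoever can replace the tarball on the site or mirror can republish the hash next to it. A signature checked against a public key obtained earlier, out of band, is what signify-style tools add, and the key number in both files is what lets a package manager tell which of several trusted keys a signature claims to come from before doing any curve math.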

April 2025

Page generated May. 23rd, 2025 07:41 pm