cynthia 2025-06-16 17:45:40 +01:00
parent c1dbde0e77
commit 660b97a496
2 changed files with 75 additions and 0 deletions

BIN
file-verification/19.png Normal file

Binary file not shown.

@ -188,6 +188,81 @@ Now after this process you have ended with an hash that you authenticated, you c
Now after this process you have ended with an hash that you authenticated, you can use this hash with the file verification process to finish and verify the origin of the file downloaded.
#### Minisign (CLI)
For this example, we'll be showing both sides (the project maintainer and user)
Both sides must have Minisign installed
```bash
root@localhost:~# apt install minisign
```
##### Maintainer
1. The maintainer generates their own key-pair for signing releases. This may prompt for a password to encrypt the secret key.
```bash
maintainer@localhost:~$ minisign -G
Please enter a password to protect the secret key.
Password:
Password (one more time):
Deriving a key from the password in order to encrypt the secret key... done
The secret key was saved as /home/maintainer/.minisign/minisign.key - Keep it secret!
The public key was saved as minisign.pub - That one can be public.
Files signed using this key pair can be verified with the following command:
minisign -Vm <file> -P RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI
```
The public key (which in this case is `RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI`) can be shared with others on a site, or where-ever the downloads are hosted. It can even be shared as a QR code or on the phone thanks to how small it is.
```bash
maintainer@localhost:~$ sudo apt install qrencode
maintainer@localhost:~$ qrencode -o pubkey_qr.png RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI
```
![](19.png)
2. The maintainer generates a checksum file of the latest binary release, We'll be using SHA-512 for this.
```bash
maintainer@localhost:~$ sha512sum program > SHA512SUMS
```
3. The maintainer signs the checksum file with their Minisign key.
```bash
maintainer@localhost:~$ minisign -S -m SHA512SUMS
Password:
Deriving a key from the password and decrypting the secret key... done
```
##### User
1. The user downloads the program, the SHA512 checksum file, and the signature of that file.
2. The user verifies the Minisign signature with the public key.
If it's a good signature, Minisign's output may be something like this:
```bash
user@localhost:~$ minisign -Vm SHA512SUMS -P RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI
Signature and comment signature verified
Trusted comment: timestamp:1750090525 file:SHA512SUMS hashed
```
However, if it's a **bad signature**, Minisign's output may be something like this instead:
```bash
user@localhost:~$ minisign -Vm SHA512SUMS -P RWQDhZjc3QZsu74vMEd2MGRi0eYv3PXIVQGMSx+lQL1iVptYFn7p2GeI
Signature verification failed
```
3. The user verifies the SHA-512 checksum file with the program, like normal
-----
### **Zero Trust Policy**
#### **!!! Important !!!**
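Review bot: In the User section, step 3 ("The user verifies the SHA-512 checksum file with the program, like normal") is the only step without a command, and step 1 never names the signature file, so a reader cannot follow the user side end to end. Suggest naming `SHA512SUMS.minisig` in step 1 (the file that `minisign -S -m SHA512SUMS` writes by default) and showing `sha512sum -c SHA512SUMS` under step 3, plus a sentence telling the user to stop if step 2 prints `Signature verification failed`. In the Maintainer section, the sentence saying the public key can be shared "where-ever the downloads are hosted" needs a caveat: a key fetched from the same host as the files only shows the files are consistent with that host, so the text should tell users to confirm the key through a second channel. Minor: "release, We'll" in maintainer step 2 should be a new sentence or lowercase "we'll", and the install command runs as `root@localhost` while `qrencode` is installed with `sudo` as `maintainer`, which is worth making consistent.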