Using it for verification
Zig's download page publishes the following public key, and every download file comes with a matching signature file.
Files are signed with minisign using this public key:
RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U
Minisign is available as a Debian package, so I installed it from there and used that.
$ sudo apt install minisign
$ apt show minisign
Package: minisign
Version: 0.11-1
Priority: optional
Section: misc
Maintainer: Josenilson Ferreira da Silva <nilsonfsilva@hotmail.com>
Installed-Size: 49.2 kB
Depends: libc6 (>= 2.34), libsodium23 (>= 0.7.0)
Homepage: https://jedisct1.github.io/minisign/
Download-Size: 16.7 kB
APT-Manual-Installed: yes
APT-Sources: http://ftp.jp.debian.org/debian sid/main amd64 Packages
Description: Dead simple tool to sign files and verify signatures
 Minisign is a dead simple tool to sign files and verify signatures. It is
 portable, lightweight, and uses the highly secure Ed25519 public-key
 signature system. Signature files include an untrusted comment line that can
 be freely modified, even after signature creation. They also include a second
 comment line, that cannot be modified without the secret key. Trusted
 comments can be used to add instructions or application-specific metadata
 (intended file name, timestamps, resource identifiers, version numbers to
 prevent downgrade attacks).
usage
$ minisign
Usage:
minisign -G [-f] [-p pubkey_file] [-s seckey_file] [-W]
minisign -R [-s seckey_file] [-p pubkey_file]
minisign -C [-s seckey_file] [-W]
minisign -S [-l] [-x sig_file] [-s seckey_file] [-c untrusted_comment] [-t trusted_comment] -m file [file ...]
minisign -V [-H] [-x sig_file] [-p pubkey_file | -P pubkey] [-o] [-q] -m file

-G                generate a new key pair
-R                recreate a public key file from a secret key file
-C                change/remove the password of the secret key
-S                sign files
-V                verify that a signature is valid for a given file
-H                require input to be prehashed
-l                sign using the legacy format
-m <file>         file to sign/verify
-o                combined with -V, output the file content after verification
-p <pubkey_file>  public key file (default: ./minisign.pub)
-P <pubkey>       public key, as a base64 string
-s <seckey_file>  secret key file (default: ~/.minisign/minisign.key)
-W                do not encrypt/decrypt the secret key with a password
-x <sigfile>      signature file (default: <file>.minisig)
-c <comment>      add a one-line untrusted comment
-t <comment>      add a one-line trusted comment
-q                quiet mode, suppress output
-Q                pretty quiet mode, only print the trusted comment
-f                force. Combined with -G, overwrite a previous key pair
-v                display version number
Obtain the target file and its paired signature file
$ ls zig-linux-x86_64-0.1* -1
zig-linux-x86_64-0.13.0.tar.xz          (1)
zig-linux-x86_64-0.13.0.tar.xz.minisig  (2)
(1) The file to verify
(2) The signature file
Verification
$ minisign -V -P 'RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U' -m zig-linux-x86_64-0.13.0.tar.xz
Signature and comment signature verified
Trusted comment: timestamp:1717729444 file:zig-linux-x86_64-0.13.0.tar.xz hashed
- -V
Verify
- -P
Specify the public key as a base64 string
- -m
The file to verify (the signature file named <file>.minisig must also be present)
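As an added example (my own script, not code from the original post or from the minisign project), the following POSIX shell function wraps the verification above with the pinned Zig key and additionally checks that the trusted comment's file: token names the file being verified, since the Ed25519 signature covers the file's content but not its name. The names verify_download and ZIG_PUBKEY are my own; it assumes minisign 0.11 (as installed above) is on PATH.

```shell
#!/bin/sh
# Added example: verify a minisign-signed download against a pinned public key
# and require that the trusted comment names the file actually verified.
# Assumes minisign 0.11 is on PATH.
set -eu

# Public key from Zig's download page, as quoted at the top of this post.
ZIG_PUBKEY='RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U'

# verify_download FILE PUBKEY   (hypothetical helper name)
# Succeeds only when FILE.minisig is a valid signature under PUBKEY *and* the
# trusted comment carries a "file:<basename>" token matching FILE. A valid
# .minisig for one file would also verify beside a copy saved under another
# name; the trusted comment is what ties the signature to the intended name.
verify_download() {
    file=$1
    pubkey=$2
    base=$(basename "$file")
    # minisign exits non-zero on a bad signature or key id mismatch.
    out=$(minisign -V -P "$pubkey" -m "$file") || return 1
    trusted=$(printf '%s\n' "$out" | sed -n 's/^Trusted comment: //p')
    # Tokens are whitespace-separated (timestamp:... file:... hashed).
    found=1
    for tok in $trusted; do
        [ "$tok" = "file:$base" ] && found=0
    done
    if [ "$found" -ne 0 ]; then
        printf 'trusted comment does not name %s: %s\n' "$base" "$trusted" >&2
    fi
    return $found
}

# Usage: sh verify_download.sh zig-linux-x86_64-0.13.0.tar.xz
if [ $# -eq 1 ]; then
    if verify_download "$1" "$ZIG_PUBKEY"; then
        echo "OK: $1 verified with the pinned Zig key"
    else
        echo "FAILED: $1" >&2
        exit 1
    fi
fi
```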
Creating your own key pair
Let's create a key pair with the -G option.
Creating the key pair
$ minisign -G
Please enter a password to protect the secret key.
Password:
Password (one more time):
Deriving a key from the password in order to encrypt the secret key... done
The secret key was saved as /home/matoken/.minisign/minisign.key - Keep it secret!
The public key was saved as minisign.pub - That one can be public.
Files signed using this key pair can be verified with the following command:
minisign -Vm <file> -P RWThG1FeVewlpdqVHzH7T3qK6edFtP+lhSNQeXYat3+3wTdrZViImFnY
The secret key is saved as ~/.minisign/minisign.key and the public key as ./minisign.pub.
Key pair files
$ ls ~/.minisign/                                  (1)
minisign.key
$ ls ./minisign.pub                                (2)
./minisign.pub
$ mv ./minisign.pub ~/.minisign/                   (3)
$ cat ~/.minisign/minisign.key                     (4)
untrusted comment: minisign encrypted secret key
RWRTY0IyBLVcWBdD5v/ArFX7ojiwAJZD61u4Boh/zbWwDBNirL8AAAACAAAAAAAAAEAAAAAA2X06cJ9r2gcu90CflCMhe+uz2Qj2q4mdPpsAcTVkvl5OqUuHUG3vrKvlkRwT94SyOudc8GdiodD2JEFUVVawfZEWVovOSLmmnW2xvXXBdhLYHCcuz9CO9IxAGi7+o5vWy+cdFr8UNoA=
$ cat ~/.minisign/minisign.pub                     (5)
untrusted comment: minisign public key A525EC555E511BE1
RWThG1FeVewlpdqVHzH7T3qK6edFtP+lhSNQeXYat3+3wTdrZViImFnY
(1) The secret key is saved in ~/.minisign/minisign.key
(2) The public key is saved as minisign.pub in the directory where minisign was run
(3) Keep the public key in the same place as the secret key
(4) Contents of the secret key (in practice this must never be published)
(5) Contents of the public key
Signing with your own key
$ minisign -S -s ~/.minisign/minisign.key -c 'elephant-in-snake cow(untrasted comment)' -t 'trasted comment' -m ./testfile
Password:
Deriving a key from the password and decrypting the secret key... done
- -S
Sign
- -s
Specify the secret key file
- -c
Untrusted comment (optional)
- -m
The file to sign
$ cat ./testfile.minisig                                                                              (1)
untrusted comment: elephant-in-snake cow(untrasted comment)
RUThG1FeVewlpUvYukMYnjZAkVoSYf/e4FN3g9B7F7rDVeiQ1u47BuVoyGc7yQGvTOS8CegqC92yDPLFLI6Lxptha+hlurTexwE=
trusted comment: trasted comment
sdud1fIcQSEslt0Rndls7wOlzH4+mjKVQ8Smgh1790pwjsKdGOcBHWkxSa6VxlAqivKOkkAYf3qQPn4Deji+Bw==
$ minisign -V -p ~/.minisign/minisign.pub -m ./testfile                                              (2)
Signature and comment signature verified
Trusted comment: trasted comment
$ minisign -V -P 'RWThG1FeVewlpdqVHzH7T3qK6edFtP+lhSNQeXYat3+3wTdrZViImFnY' -m ./testfile            (3)
Signature and comment signature verified
Trusted comment: trasted comment
(1) Contents of the signature file
(2) Verify with the public key file
(3) Verify with the public key given on the command line
Changing the password
$ minisign -C ~/.minisign/minisign.key                                    (1)
Password:                                                                 (2)
Deriving a key from the password and decrypting the secret key... done
Please enter a password to protect the secret key.
Password:                                                                 (3)
Password (one more time):                                                 (4)
Deriving a key from the password in order to encrypt the secret key... done
Password updated.
(1) Change the secret key's password with the -C option
(2) The current password
(3) The new password
(4) The new password again
Creating the public key from the secret key
Regenerate the public key file from the secret key with the -R option. diff prints nothing, so the regenerated file is identical to the original public key.
$ minisign -R -s ~/.minisign/minisign.key -p ~/.minisign/minisign-new.pub
Password:
Deriving a key from the password and decrypting the secret key... done
$ diff ~/.minisign/minisign.pub ~/.minisign/minisign-new.pub
Closing
Environment
$ dpkg-query -W minisign
minisign	0.11-1
$ lsb_release -dr
Description:	Debian GNU/Linux trixie/sid
Release:	n/a
$ arch
x86_64