{"id":15019130,"url":"https://github.com/aperezdc/signify","last_synced_at":"2025-04-06T08:15:16.525Z","repository":{"id":13218938,"uuid":"15903169","full_name":"aperezdc/signify","owner":"aperezdc","description":"OpenBSD tool to sign and verify signatures on files. Portable version.","archived":false,"fork":false,"pushed_at":"2024-03-06T23:10:51.000Z","size":324,"stargazers_count":291,"open_issues_count":5,"forks_count":17,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-30T06:11:11.605Z","etag":null,"topics":["c","openbsd","portable","sign","verify","verifying-signatures"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"isc","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aperezdc.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2014-01-14T13:42:54.000Z","updated_at":"2025-02-01T20:19:23.000Z","dependencies_parsed_at":"2024-03-06T23:46:38.426Z","dependency_job_id":null,"html_url":"https://github.com/aperezdc/signify","commit_stats":{"total_commits":139,"total_committers":14,"mean_commits":9.928571428571429,"dds":"0.17985611510791366","last_synced_commit":"aa90571441df7bca8b7cadf74d36b3190b251061"},"previous_names":[],"tags_count":32,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aperezdc%2Fsignify","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aperezdc%2Fsignify/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aperezdc%2Fsignify/releases","manifests_url":"https://repo
s.ecosyste.ms/api/v1/hosts/GitHub/repositories/aperezdc%2Fsignify/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aperezdc","download_url":"https://codeload.github.com/aperezdc/signify/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247451667,"owners_count":20940944,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c","openbsd","portable","sign","verify","verifying-signatures"],"created_at":"2024-09-24T19:53:02.146Z","updated_at":"2025-04-06T08:15:16.486Z","avatar_url":"https://github.com/aperezdc.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Signify - Sign and Verify\n\n[![Build Status](https://img.shields.io/endpoint.svg?url=https%3A%2F%2Factions-badge.atrox.dev%2Faperezdc%2Fsignify%2Fbadge\u0026style=flat)](https://actions-badge.atrox.dev/aperezdc/signify/goto)\n\nOpenBSD tool to sign and verify signatures on files. This is a portable\nversion which uses [libbsd](http://libbsd.freedesktop.org/wiki/) (version\n0.11 or newer is required).\n\nSee https://www.tedunangst.com/flak/post/signify for more information.\n\n## License\n\nSignify is distributed under the terms of the [ISC\nlicense](https://opensource.org/licenses/isc-license.txt).\n\n\n## Installation\n\nSome GNU/Linux distributions have readily available packages in their\nrepositories. 
It is recommended to use these, unless you absolutely need to\nbuild from source code:\n\n-   Alpine Linux: `apk add signify`\n-   Arch Linux: `pacman -S signify`\n-   Debian/Ubuntu: `apt install signify-openbsd`\n-   CentOS/RHEL/Rocky: `dnf install epel-release` then `dnf install signify`\n-   Fedora: `dnf install signify`\n\n\n## Building\n\n### Dependencies\n\n* GNU Make (any version above 3.70).\n* C compiler. Both GCC and Clang are tested and supported.\n* [libbsd](http://libbsd.freedesktop.org/wiki/) 0.11 or newer.\n\nIf your system does not provide a package for `libbsd`, it is possible to use\na bundled copy, check the [build options](#options) section for more details.\n\n\n### Options\n\nThe following options can be passed to Make:\n\n* `VERIFY_ONLY=1`\n\n    Build only the verification code. Support for signing will not\n    be available in the built `signify` binary. **Note that this is\n    unsupported and compilation may not succeed.**\n\n* `BOUNDS_CHECKING=1`\n\n    Enables bounds-checking using `__attribute__((bounded))`. Your\n    compiler must have support for this. Clang 3.4 is known to work.\n\n* `BUNDLED_LIBBSD=1`\n\n    Instead of picking [libbsd](http://libbsd.freedesktop.org/wiki/) from the\n    system, use a copy of the needed files included as part of the source tree\n    and link them statically into Signify. This can be used when the version\n    installed in the system is an unsupported version, or when installing it\n    in the system is not desirable.\n\n* `MUSL=1`\n\n    Enable linking against the [Musl libc](http://www.musl-libc.org/). At the\n    moment this needs a patched `libbsd`, so enabling this option will\n    automatically set `BUNDLED_LIBBSD=1` and patch the locally-built version.\n\n* `LTO=1`\n\n    Perform Link-Time Optimizations. Both your compiler *and* linker\n    must have support for this. 
Recent binutils and GCC/Clang are\n    known to work.\n\n* `PLEDGE=…`\n\n    Choose among one of the alternative implementations of the\n    [pledge(2)](https://man.openbsd.org/pledge.2)\n    system call. For the moment the only supported values are:\n\n    - `noop` *(default)*: Uses an implementation which does nothing\n    - `waive` *(Linux-only)*: Uses\n      [libwaive](https://github.com/dimkr/libwaive), which itself uses\n      [seccomp filters](https://en.wikipedia.org/wiki/Seccomp).\n\n    To use your own implementation, use an empty value, and pass\n    the needed flags for linking its code. For example:\n    `make PLEDGE='' EXTRA_LDFLAGS=my-pledge.o`.\n\n* `BZERO=…`\n\n    Choose which implementation of\n    [`explicit_bzero(3)`](https://man.openbsd.org/bzero.3)\n    to use. Supported values are:\n\n    - `libc`: Relies on the system C library providing the function definition\n      in the `\u003cstring.h\u003e` header.\n    - `bundled`: Use the portable implementation included with Signify's source\n      code in `explicit_bzero.c`.\n\n    The build system will try to detect whether the C library includes the\n    function, and in most cases it will *not* be needed to specify this option.\n    Providing a value for `BZERO` disables the automatic detection.\n\n* `EXTRA_CFLAGS=…`, `EXTRA_LDFLAGS=…`\n\n    Additional flags to be passed to the compiler and the linker,\n    respectively.\n\nFor example, you can build a size-optimized version with:\n\n    make EXTRA_CFLAGS='-Os -s' LTO=1\n\n\n### Convenience Targets\n\nThe following Make targets are provided as convenience for building static\n`signify` binaries:\n\n* `make static`: Build a static binary bundling `libbsd` and using the system\n  default C library.\n* `make static-musl`: Build a static binary bundling `libbsd` using the Musl\n  C library. 
This will set `musl-gcc` both as the compiler and linker to use\n  and may not work on systems where this wrapper script is not available.\n\n\n## Release Signing\n\n### PGP\n\nPGP detached signatures of source tarballs (`.asc`) are done with key\n[0x91C559DBE4C9123B](https://keys.openpgp.org/search?q=5AA3BC334FD7E3369E7C77B291C559DBE4C9123B).\nThe key can be obtained with the following command:\n\n```sh\ngpg --keyserver hkps://keys.openpgp.org --recv-keys 5AA3BC334FD7E3369E7C77B291C559DBE4C9123B\n```\n\nAssuming that both the tarball and its signature are in the same directory,\na release can be checked using:\n\n```sh\ngpg --verify signify-\u003cversion\u003e.tar.xz.asc\n```\n\n### Signify\n\nAn OpenBSD-style `SHA256.sig` signed checksum is provided alongside each\nrelease. The signing key can be found at\n[keys/signifyportable.pub](keys/signifyportable.pub); its contents are:\n\n```\nuntrusted comment: Signify portable release signing public key\nRWRQFCY809DUoWEHxWmoTNtxph6yUlWNsjfW54PqLI6S3dWfuZN4Ovj1\n```\n\nTo verify a release, save the associated `SHA256.sig` file in the same\ndirectory as the source tarball. If the signing key is in a file named\n`signifyportable.pub`, then use:\n\n```sh\nsignify -C -p signifyportable.pub -x SHA256.sig\n```\n\nThe above Signify public key can itself be verified using the same PGP key\nused for release tarballs. Grab the [keys/signifyportable.pub.asc](keys/signifyportable.pub.asc)\nfile as well, then run:\n\n```sh\ngpg --verify signifyportable.pub.asc\n```\n\n\n## Troubleshooting\n\n* **Problem:** Undefined references to `clock_gettime`. 
\u003cbr\u003e\n  **Solution:** Your system has an old `glibc` version; you need to pass\n  `LDLIBS=-lrt` to `make`.\n\n\n## Other implementations\n\n* [asignify](https://github.com/vstakhov/asignify) can read signatures\n  generated by Signify (generating them is not yet implemented), and can be\n  used as a library.\n* [signify-rs](https://github.com/badboy/signify-rs), a re-implementation in Rust. It's fully compatible with the original implementation.\n* [OpenWrt usign](https://github.com/openwrt/usign), a small implementation used by OpenWrt to sign packages. Its signature format is [different](https://github.com/aperezdc/signify/pull/29).\n* [Minisign](https://jedisct1.github.io/minisign/), based on libsodium. [See comparison](https://github.com/aperezdc/signify/issues/20).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faperezdc%2Fsignify","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faperezdc%2Fsignify","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faperezdc%2Fsignify/lists"}