aperezdc/signify aperezdc/signify

  • Stars
    star
    262
  • Rank 150,850 (Top 4 %)
  • Language
    C
  • License
    ISC License
  • Created over 10 years ago
  • Updated 2 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
aperezdc/signify
github

aperezdc

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

OpenBSD tool to sign and verify signatures on files. Portable version.

Signify - Sign and Verify

Build Status

OpenBSD tool to sign and verify signatures on files. This is a portable version which uses libbsd (version 0.8 or newer is required).

See https://www.tedunangst.com/flak/post/signify for more information.

License

Signify is distributed under the terms of the ISC license.

Installation

Some GNU/Linux distributions have readily available packages in their repositories. It is recommended to use these, unless you absolutely need to build from source code:

  • Debian: apt install signify-openbsd
  • Arch Linux: pacman -S signify

Building

Dependencies

  • GNU Make (any version above 3.70).
  • C compiler. Both GCC and Clang are tested and supported.
  • libbsd 0.8 or newer.

If your system does not provide a package for libbsd, it is possible to use a bundled copy, check the build options section for more details.

Options

The following options can be passed to Make:

  • VERIFY_ONLY=1

    Build only the verification code. Support for signing will not be available in the built signify binary. Note that this is unsupported and compilation may not succeed.

  • BOUNDS_CHECKING=1

    Enables bounds-checking using __attribute__((bounded)). Your compiler must have support for this. Clang 3.4 is known to work.

  • BUNDLED_LIBBSD=1

    Instead of picking libbsd from the system, use a copy of the needed files included as part of the source tree and link them statically into Signify. This can be used when the version installed in the system is an unsupported version, or when installing it in the system is not desirable.

  • MUSL=1

    Enable linking against the Musl libc. At the moment this needs a patched libbsd, so enabling this option will automatically set BUNDLED_LIBBSD=1 and patch the locally-built version.

  • LTO=1

    Perform Link-Time Optimizations. Both your compiler and linker must have support for this. Recent binutils and GCC/Clang are known to work.

  • PLEDGE=…

    Choose among one of the alternative implementations of the pledge(2) system call. For the moment the only supported values are:

    • noop (default): Uses an implementation which does nothing
    • waive (Linux-only): Uses libwaive, which itself uses seccomp filters.

    To use your own implementation, use an empty value, and pass the needed flags for linking its code. For example: make PLEDGE='' EXTRA_LDFLAGS=my-pledge.o.

  • BZERO=…

    Choose which implementation of explicit_bzero(3) to use. Supported values are:

    • libc: Relies on the system C library providing the function definition in the <string.h> header.
    • bundled: Use the portable implementation included with Signify's source code in explicit_bzero.c.

    The build system will try to detect whether the C library includes the function, and in most cases it will not be needed to specify this option. Providing a value for BZERO disables the automatic detection.

  • EXTRA_CFLAGS=…, EXTRA_LDFLAGS=…

    Additional flags to be passed to the compiler and the linker, respectively.

For example, you can build a size-optimized version with:

make EXTRA_CFLAGS='-Os -s' LTO=1

Convenience Targets

The following Make targets are provided as convenience for building static signify binaries:

  • make static: Build a static binary bundling libbsd and using the system default C library.
  • make static-musl: Build a static binary bundling libbsd using the Musl C library. This will set musl-gcc both as the compiler and linker to use and may not work on systems where this wrapper scripts is not available.

Release Signing

PGP

PGP detached signatures of source tarballs (.asc) are done with key 0x91C559DBE4C9123B. The key can be obtained with the following command:

gpg --keyserver hkps://keys.openpgp.org --recv-keys 5AA3BC334FD7E3369E7C77B291C559DBE4C9123B

Assuming that both the tarball and its signature are in the same directory, a release can be checked using:

gpg --verify signify-<version>.tar.xz.asc

Signify

An OpenBSD-style SHA256.sig signed checksum is provided alongside with each release. The signing key can be found at keys/signifyportable.pub, its contents are:

untrusted comment: Signify portable release signing public key
RWRQFCY809DUoWEHxWmoTNtxph6yUlWNsjfW54PqLI6S3dWfuZN4Ovj1

To verify a release, save the associated SHA256.sig file in the same directory as the source tarball. If the signing key is into a file named signifyportable.pub, then use:

signify -C -p signifyportable.pub -x SHA256.sig

The above Signify public key can itself be verified using the same PGP key used for release tarballs. Grab the keys/signifyportable.pub.asc file as well, the run:

gpg --verify signifyportable.pub.asc

Troubleshooting

  • Problem: Undefined references to clock_gettime.
    Solution: Your system has an old glibc version, you need to pass LDLIBS=-lrt to make.

Other implementations

  • asignify can read signatures generated by Signify (generating them is not yet implemented), and can be used as a library.
  • signify-rs, a re-implementation in Rust. It's fully compatible with the original implementation.

More Repositories

1

ngx-fancyindex

Fancy indexes module for the Nginx web server
C
819
star
2

vim-template

Simple templates plugin for Vim
Vim Script
369
star
3

revolt

Better desktop integration for Riot.im (not only) for GNOME
Python
91
star
4

zsh-fzy

Use the fzy fuzzy-finder in Zsh
Shell
57
star
5

notmuch-addrlookup-c

Address lookup tool for Notmuch in C using GLib and libnotmuch
C
50
star
6

nss-altfiles

NSS module to read passwd/group files from alternate locations
C
40
star
7

hmac-sha256

HMAC-SHA256 implemented in C
C
38
star
8

9pfuse

FUSE-based 9P client from the Plan9 Port project, standalone version
C
27
star
9

luabot

An XMPP (Jabber) bot written in Lua using the protocol implementation from Verse/Prosody
Lua
27
star
10

synpurge

Utility script to Matrix room history purge room in Synapse using the HTTP API
Python
20
star
11

lua-itertools

Functional iterators for Lua based on coroutines
Lua
17
star
12

ljndpi

Lua binding to the nDPI library using the LuaJIT FFI
Lua
16
star
13

lua-wcwidth

Pure Lua implementation of the wcwidth() function
Lua
15
star
14

dotfiles

Personal configuration files I often use in my - may contain useful snippets for you as well, YMMV.
Shell
14
star
15

webkit2gtk-python-webextension-example

Example small C shim to load a Python script as a WebKit2 WebExtension
C
14
star
16

zsh-notes

Quick selection widget for Markdown notes, inspired by terminal_velocity
Shell
11
star
17

lua-matrix

Matrix Client-Server API for Lua and LuaJIT
Lua
10
star
18

virtualz

Virtualfish-alike Python virtualenv wrapper for Zsh
Shell
9
star
19

rockz

Virtualfish-alike Lua+LuaRocks “Rockenv” wrapper for Zsh
Shell
9
star
20

cflag

Non-allocating command line flag parser
C
9
star
21

dwt

Simple no-frills terminal emulator using VTE -- for (x)dwm
C
8
star
22

perezdecastro.org

Personal website and static site generator in NodeJS
CSS
7
star
23

autocleanup

Macros and helper inlines to automatically cleanup scoped resources
C
7
star
24

ulid-c

Plain C implementation of ULID — Lexicographically sortable unique IDs
C
7
star
25

dmon

Small process daemonization and monitorization tool.
C
7
star
26

netdial

Utility library to simplify socket setup code
C
6
star
27

icetop

Console monitor for the icecream/icecc distributed compilation system
C++
5
star
28

popsicle

Toolchain tarball creator for Icecream
Rust
5
star
29

clog

Non-allocating runtime configurable logger
C
5
star
30

gnarl

Lightweight module to define serializable, schema-validated classes
Python
5
star
31

esh

esh, Unix Shell with LISP-ish syntax originally from Ivan Tkatchev
C
4
star
32

ggtraybar

Minimal top panel bar, with desktop pager, window selector, system tray, clock, and a mini command line
C
4
star
33

wheel

The “wheel” library aims to provide basic (and some not-that-basic) facilities that one would expect to have in C.
C
4
star
34

safecat

Copies standard input safely to a specified directory using qmail's Maildir algorithm
C
3
star
35

vim-lining

The silver lining of Vim/NeoVim statuslines
Vim Script
3
star
36

xdwm

My fork of the DWM window manager. Includes 3rd party patches and some own modifications. Branch “upstream” tracks the tip from the DWM Hg repository, which is periodically merged back on “master”.
C
3
star
37

mwerlin

Presentation tool for HTML-based slides
Lua
3
star
38

pebble-beats

Swatch @beats Internet Time watchface for Pebble / Pebble Time
C
3
star
39

pktgen

Declarative network packet flow generator
Python
3
star
40

galaxy-desktop

Franken desktop session using a mix of GNOME and Pantheon components
C
2
star
41

lua-dotty

Idiomatic wrapper for terminal handling in Lua
Lua
2
star
42

vim-elrond

Vim colorscheme based on the build-in “elflord” scheme, with extras for 256-color terminals
Vim Script
2
star
43

lua-shelve

Serialization and on-disk persistence for Lua values
C
2
star
44

doin

Runs *any* binary in *any* container. Without platform-dependent kludges.
C
2
star
45

hipack-c

HiPack (de)serialization library in C
C
2
star
46

nihil

The Nothing-but-Iffy HTTP I/O Library, for Python's asyncio
Python
1
star
47

hipack

Site for the HiPack serialization format
CSS
1
star
48

bill

Bash Improved Leveraging Library —
Shell
1
star
49

lua-lineinput

A pure-Lua readline/editline/linenoise alike module
Lua
1
star
50

icecc-rs

Idiomatic Rust wrapper for the libicecc library
Rust
1
star
51

indicium

Unified API to multiple key-value stores
Python
1
star
52

hipack-js

HiPack (de)serialization library in JavaScript
JavaScript
1
star
53

ltree

Utility to work with file lists in the format of the BSD mtree tool
C
1
star
54

jsinception

Slides for my JSConf EU 2014 talk “JS: Inception”
Shell
1
star
55

lua-delog

Fast, extensible, optionally zero-impact Lua logging module.
Lua
1
star
56

vim-lift

Completion system for Vim which “lifts” candidates from other completion functions
Vim Script
1
star
57

microwl

Micro Wayland-EGL “windowing” system
1
star
58

guru-runit

GuruPlug boot scripts to use in Debian Wheezy with runit for fast booting, bypassing most of the unneeded init crap
Shell
1
star
59

key-input-fwd

C
1
star
60

miju-goudy

A version of Goudy Oldstyle with all four body text variants
Python
1
star
61

websnap

Tool to measure QtWebKit rendering performance
C++
1
star
62

intheam-python

Python module to for accessing the inthe.am API
Python
1
star
63

fightcode-bots

Bots for http://fightcodegame.com
JavaScript
1
star
64

levi-asher-memoir

Tools to assemble an EPUB of Levi Asher's memoirs about the Internet boom and being a software developer.
Python
1
star
65

indicium-git

Git-backed key-value store for Indicium
Python
1
star
66

python-cmdcmd

Ergonomic and flexible commands-with-subcommands command line parser
Python
1
star
67

abtool

Unpack and repack unencrypted ADB backups
Shell
1
star
68

hipack-python

HiPack (de)serialization library in Python
Python
1
star
69

nfwx

Nokia Firmware Explorer
Python
1
star
70

apicheck

Assertion macros for checking function parameters
C
1
star
71

hipack-rs

HiPack (de)serialization library in Rust
Rust
1
star