| Crates.io | signify-rs |
| lib.rs | signify-rs |
| version | 0.4.0 |
| created_at | 2025-12-31 00:20:47.870449+00 |
| updated_at | 2026-01-06 11:56:56.26542+00 |
| description | OpenBSD-compatible file signing & verification tool |
| homepage | https://man.exherbo.org |
| repository | https://git.sr.ht/~alip/signify |
| max_upload_size | |
| id | 2013666 |
| size | 121,239 |
The signify utility creates and verifies cryptographic signatures. A signature verifies the integrity of a message. This utility is a Rust rewrite of OpenBSD's reference implementation, and provides a library and a CLI tool for signing and verifying files. It is released under the same license and focuses on security, simplicity, and strict adherence to the OpenBSD implementation's formats and logic, while leveraging Rust's safety guarantees. The codebase is well tested and is free of unsafe code and arithmetic side effects. The main code runs sandboxed using capsicum(4) on FreeBSD, pledge(2)/unveil(2) on OpenBSD, and landlock(7) on Linux.
Usage is identical to the reference implementation, so users are advised to read signify's OpenBSD manual page. Another recommended read is the article Securing OpenBSD From Us To You.
The crate is fairly portable: it builds on FreeBSD, NetBSD, OpenBSD, Linux, Windows, and WASM. Tests run on all these operating systems on each git push using Sourcehut Builds. CI builds create statically linked signify binaries as artifacts, which may be preferred by users who don't have the option to build signify from source.
This crate comes with a single extension to the reference implementation: when the crate is built on Linux or Android, keyrings(7) support is compiled in. This adds the CLI option -k key-id to the signify subcommands -G(enerate) and -S(ign), which allows the user to specify their passphrase using a 32-bit key ID rather than entering it manually at a password prompt.
signify binary in scripts.
Output and exit codes are stable, compatible with OpenBSD.
libsignify-rs library as a dependency for your Rust code.
This implementation employs defense-in-depth with multiple hardening layers:
RESOLVE_NO_SYMLINKS, O_NOFOLLOW on all Unix.
zxcvbn-based estimation rejects weak passphrases with actionable feedback.
The security architecture follows the principle of least privilege: Argument validation occurs before any file operations, files are pre-opened before entering the sandbox, and the sandbox is entered before any cryptographic operations execute. This strict execution flow ensures that even if cryptographic code were compromised, the attacker would be confined within an extremely restricted sandbox with no filesystem access beyond the pre-opened file handles, no network access, and no ability to spawn processes or gain additional privileges.
See ChangeLog.md
ISC. See COPYING.