# rsign #

## ***DISCLAIMER:*** This is a toy. This has not undergone any formal security analysis. I am not a security expert. Use at your own risk ##

[![Codeship Status for danielrangel/rsign](https://app.codeship.com/projects/60b28d80-7645-0135-4402-1639b58199d0/status?branch=master)](https://app.codeship.com/projects/244452)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)

A simple Rust implementation of the [Minisign](https://jedisct1.github.io/minisign/) tool.

All signatures produced by rsign, including trusted comments, can be verified with minisign. Minisign is also able to sign files with keys generated by rsign.

It uses an [asymmetric cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) system [(Ed25519)](https://ed25519.cr.yp.to/) to produce a pair of keys used to sign and verify the files. It also uses a particular combination of [Scrypt, Salsa20/8 and SHA-256](https://dnaq.github.io/sodiumoxide/sodiumoxide/crypto/pwhash/scryptsalsa208sha256/index.html) as the key derivation function [(KDF)](https://en.wikipedia.org/wiki/Key_derivation_function) to encrypt and decrypt the keys. [BLAKE2b](https://blake2.net/) is used to confirm the integrity of the secret key as well as to create a unique identifier for files larger than 1Gb.

* [Ed25519](https://download.libsodium.org/doc/public-key_cryptography/public-key_signatures.html)
* [Generic Hashing](https://download.libsodium.org/doc/hashing/generic_hashing.html)
* [Scrypt](https://download.libsodium.org/doc/password_hashing/)

Tarballs and pre-compiled binaries can be found [here](https://bitbucket.org/danielrangel/rsign/downloads/).

Compilation / Installation
--------------------------

Dependencies:

* [libsodium](http://doc.libsodium.org/)

Make sure you have libsodium in your default lib path before compiling rsign.

Compilation:

    $ git clone https://danielrangel@bitbucket.org/danielrangel/rsign.git
    $ cd rsign
    $ cargo build --release

Usage
----------------

    $ rsign generate

Generates a new key pair. The public key is printed on the screen and stored in `rsign.pub` by default. The secret key is written to `~/.rsign/rsign.key`. You can change the default paths with `-p` and `-s` respectively.

    $ rsign sign myfile.txt

Signs `myfile.txt` with your secret key. You can add a signed trusted comment with:

    $ rsign sign myfile.txt -t "my trusted comment"

If you are signing files larger than 1Gb you must use `-H` to first hash the file and then sign the hash:

    $ rsign sign mylargefile.bin -H

To verify the signature with a given public key, use:

    $ rsign verify myfile.txt -p rsign.pub

If you have saved the signature file under a custom name other than `myfile.txt.rsign` and want to pass the public key as a string, use:

    $ rsign verify myfile.txt -P [PUBLIC KEY STRING] -x mysignature.file

You can find more information using the help subcommand:

    $ rsign help [SUBCOMMAND]

    USAGE:
        rsign [SUBCOMMAND]

    FLAGS:
        -h, --help       Prints help information
        -V, --version    Prints version information

    SUBCOMMANDS:
        generate    Generate public and private keys
        help        Prints this message or the help of the given subcommand(s)
        sign        Sign a file with a given private key
        verify      Verify a signed file with a given public key
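The sketch below is an added example, not rsign's own code. It inspects a signature file and a `-P` public key string before verification, reporting whether the signature was made with `-H` and whether its key ID matches the public key. The byte layout is assumed from minisign's documented format, which rsign states it is compatible with; `SigInfo`, `b64` and `inspect` are hypothetical names and the sample data is constructed.

```rust
// Added example (not rsign's code): structural pre-check of a minisign-format
// signature file. Layout assumed from minisign's documented format:
//   signature line = base64(alg[2] || key_id[8] || ed25519_sig[64])
//   public key     = base64("Ed" || key_id[8] || public_key[32])
//   alg "Ed" = file signed directly, "ED" = BLAKE2b hash of the file signed (-H).
// This checks structure only; cryptographic verification is `rsign verify`'s job.
#[derive(Debug, PartialEq)]
pub struct SigInfo { pub prehashed: bool, pub key_id: Vec<u8>, pub trusted_comment: String }

fn b64(s: &str) -> Result<Vec<u8>, String> {
    const T: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for c in s.trim().trim_end_matches('=').bytes() {
        let v = T.iter().position(|&t| t == c).ok_or("invalid base64 character")?;
        acc = (acc << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1; // keep only the bits not yet emitted
        }
    }
    Ok(out)
}

pub fn inspect(sig_file: &str, pubkey: &str) -> Result<SigInfo, String> {
    let l: Vec<&str> = sig_file.lines().collect();
    if l.len() < 4 { return Err("signature file must have 4 lines".into()); }
    let (sig, global, pk) = (b64(l[1])?, b64(l[3])?, b64(pubkey)?);
    if sig.len() != 74 || global.len() != 64 || pk.len() != 42 {
        return Err("unexpected field length".into());
    }
    let prehashed = match &sig[..2] {
        b"Ed" => false,
        b"ED" => true,
        _ => return Err("unknown signature algorithm".into()),
    };
    if &pk[..2] != b"Ed" { return Err("not an Ed25519 public key".into()); }
    if sig[2..10] != pk[2..10] { return Err("key ID mismatch: signed with another key".into()); }
    let tc = l[2].strip_prefix("trusted comment: ").ok_or("missing trusted comment line")?;
    Ok(SigInfo { prehashed, key_id: sig[2..10].to_vec(), trusted_comment: tc.to_string() })
}

fn main() {
    // Constructed sample: key ID 01 x8, all other bytes zero (not a valid signature).
    let sig = format!("untrusted comment: demo\nRUQBAQEBAQEBAQAA{}AAA=\ntrusted comment: my trusted comment\n{}==\n", "A".repeat(80), "A".repeat(86));
    let pk = format!("RWQBAQEBAQEBAQAA{}", "A".repeat(40));
    println!("{:?}", inspect(&sig, &pk));
}
```

A key ID match only says which key claims to have made the signature; the trusted comment must not be relied on until `rsign verify` succeeds.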