RubyGems - minisign - Versions diffs - 0.1.0 → 0.2.0 - Mend

minisign 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 90f8322a99590a021707a0f91aa959090352ed35571364ea536b298a03896f06
-  data.tar.gz: 63f0cbc1604e551fc16e5bc4cd0456cbb2818cb30994bdd0aedc109bbb7e3dae
+  metadata.gz: 59267c0797e4539c136803dd3ac5333f14384019bb211abb50c078b14d9cb1c8
+  data.tar.gz: 7771c5a5b4227d1030d78b60fa584ed5158270a568617cc4ac7f4760230ef1d1
 SHA512:
-  metadata.gz: cf80345096982044eb942d0ddafaf9f1546006d543cff34b7ad424e962f930229a6241958627f2339d76a893dbcfb4b5266a88b056c98b3e491e1be7877ab66f
-  data.tar.gz: cbd7a29a71c353745fc6ffe95259368bf959c3418bfd32fae4cce1ede6baa1e449cf27bebc81410aacd2451d8284acd52448860a240d3ea4864ab53b3142f6a3
+  metadata.gz: 6a713e970fb762efaaabcd4572ea664d69cf5d558aa1219b3a27daf4c1fe4c111e98d0a4d90f4cc9892f0ec776b102bd0ab081d498a05a29639b0668a3decaa1
+  data.tar.gz: 603bb8180811b3923c1b5782e76d049fefe125ed5338f164dd0ed787d26ffae251932f6b67eea7ef6a15aaddd1076725a44fa397902eb8ea56c80f134dc77923

data/bin/minisign ADDED Viewed

@@ -0,0 +1,38 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+require 'io/console'
+require 'minisign'
+require 'optparse'
+Signal.trap('INT') { exit }
+options = {}
+op = OptionParser.new do |opts|
+  boolean_opts = %w[G R C W S V Q f q o]
+  argument_opts = %w[t m x s p]
+  boolean_opts.each do |o|
+    opts.on("-#{o}") do |boolean|
+      options[o.to_sym] = boolean
+    end
+  end
+  argument_opts.each do |o|
+    opts.on("-#{o}#{o.upcase}") do |value|
+      options[o.to_sym] = value
+    end
+  end
+end
+begin
+  op.parse!
+  raise OptionParser::InvalidOption if options.keys.empty?
+rescue OptionParser::InvalidOption
+  Minisign::CLI.usage
+  exit 1
+end
+Minisign::CLI.generate(options) if options[:G]
+Minisign::CLI.recreate(options) if options[:R]
+Minisign::CLI.change_password(options) if options[:C]
+Minisign::CLI.sign(options) if options[:S]
+Minisign::CLI.verify(options) if options[:V]

data/lib/minisign/cli.rb ADDED Viewed

@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+require 'io/console'
+# rubocop:disable Metrics/ModuleLength
+module Minisign
+  # The command line interface.
+  # This module is _not_ intended for library usage and is subject to
+  # breaking changes.
+  module CLI
+    # rubocop:disable Metrics/AbcSize
+    # rubocop:disable Metrics/MethodLength
+    # rubocop:disable Metrics/CyclomaticComplexity
+    # Command line usage
+    def self.usage
+      puts 'Usage:'
+      puts 'minisign -G [-f] [-p pubkey_file] [-s seckey_file] [-W]'
+      puts 'minisign -R [-s seckey_file] [-p pubkey_file]'
+      puts 'minisign -C [-s seckey_file] [-W]'
+      puts 'minisign -S [-l] [-x sig_file] [-s seckey_file] [-c untrusted_comment]'
+      puts '            [-t trusted_comment] -m file [file ...]'
+      puts 'minisign -V [-H] [-x sig_file] [-p pubkey_file | -P pubkey] [-o] [-q] -m file'
+      puts ''
+      puts '-G                generate a new key pair'
+      puts '-R                recreate a public key file from a secret key file'
+      puts '-C                change/remove the password of the secret key'
+      puts '-S                sign files'
+      puts '-V                verify that a signature is valid for a given file'
+      puts '-m <file>         file to sign/verify'
+      puts '-o                combined with -V, output the file content after verification'
+      puts '-p <pubkey_file>  public key file (default: ./minisign.pub)'
+      puts '-P <pubkey>       public key, as a base64 string'
+      puts '-s <seckey_file>  secret key file (default: ~/.minisign/minisign.key)'
+      puts '-W                do not encrypt/decrypt the secret key with a password'
+      puts '-x <sigfile>      signature file (default: <file>.minisig)'
+      puts '-c <comment>      add a one-line untrusted comment'
+      puts '-t <comment>      add a one-line trusted comment'
+      puts '-q                quiet mode, suppress output'
+      puts '-Q                pretty quiet mode, only print the trusted comment'
+      puts '-f                force. Combined with -G, overwrite a previous key pair'
+      puts '-v                display version number'
+      puts ''
+    end
+    def self.prompt
+      $stdin.tty? ? $stdin.noecho(&:gets).chomp : $stdin.gets.chomp
+    end
+    def self.prevent_overwrite!(file)
+      return unless File.exist? file
+      puts 'Key generation aborted:'
+      puts "#{file} already exists."
+      puts ''
+      puts 'If you really want to overwrite the existing key pair, add the -f switch to'
+      puts 'force this operation.'
+      exit 1
+    end
+    def self.generate(options)
+      secret_key = options[:s] || "#{Dir.home}/.minisign/minisign.key"
+      public_key = options[:p] || './minisign.pub'
+      prevent_overwrite!(public_key) unless options[:f]
+      prevent_overwrite!(secret_key) unless options[:f]
+      if options[:W]
+        keypair = Minisign::KeyPair.new
+        File.write(secret_key, keypair.private_key)
+        File.write(public_key, keypair.public_key)
+      else
+        print 'Password: '
+        password = prompt
+        print "\nPassword (one more time): "
+        password_confirmation = prompt
+        if password != password_confirmation
+          puts "\nPasswords don't match"
+          exit 1
+        end
+        print "\nDeriving a key from the password in order to encrypt the secret key..."
+        keypair = Minisign::KeyPair.new(password)
+        File.write(secret_key, keypair.private_key)
+        print " done\n"
+        puts "The secret key was saved as #{options[:s]} - Keep it secret!"
+        File.write(public_key, keypair.public_key)
+        puts "The public key was saved as #{options[:p]} - That one can be public."
+        pubkey = keypair.public_key.to_s.split("\n").pop
+        puts "minisign -Vm <file> -P #{pubkey}"
+      end
+    end
+    def self.recreate(options)
+      secret_key = options[:s] || "#{Dir.home}/.minisign/minisign.key"
+      public_key = options[:p] || './minisign.pub'
+      private_key_contents = File.read(secret_key)
+      begin
+        # try without a password first
+        private_key = Minisign::PrivateKey.new(private_key_contents)
+      rescue Minisign::PasswordMissingError
+        print 'Password: '
+        private_key = Minisign::PrivateKey.new(private_key_contents, prompt)
+      end
+      File.write(public_key, private_key.public_key)
+    end
+    def self.change_password(options)
+      options[:s] ||= "#{Dir.home}/.minisign/minisign.key"
+      private_key = begin
+        Minisign::PrivateKey.new(File.read(options[:s]))
+      rescue Minisign::PasswordMissingError
+        print 'Password: '
+        Minisign::PrivateKey.new(File.read(options[:s]), prompt)
+      end
+      print 'New Password: '
+      new_password = options[:W] ? nil : prompt
+      private_key.change_password! new_password
+      File.write(options[:s], private_key)
+    end
+    def self.sign(options)
+      # TODO: multiple files
+      options[:x] ||= "#{options[:m]}.minisig"
+      options[:s] ||= "#{Dir.home}/.minisign/minisign.key"
+      private_key = begin
+        Minisign::PrivateKey.new(File.read(options[:s]))
+      rescue Minisign::PasswordMissingError
+        print 'Password: '
+        Minisign::PrivateKey.new(File.read(options[:s]), prompt)
+      end
+      signature = private_key.sign(options[:m], File.read(options[:m]), options[:t], options[:c])
+      File.write(options[:x], signature)
+    end
+    def self.verify(options)
+      options[:x] ||= "#{options[:m]}.minisig"
+      options[:p] ||= './minisign.pub'
+      options[:P] ||= File.read(options[:p])
+      public_key = Minisign::PublicKey.new(options[:P])
+      message = File.read(options[:m])
+      signature = Minisign::Signature.new(File.read(options[:x]))
+      begin
+        verification = public_key.verify(signature, message)
+      rescue StandardError
+        puts 'Signature verification failed'
+        exit 1
+      end
+      return if options[:q]
+      return puts message if options[:o]
+      puts options[:Q] ? signature.trusted_comment : verification
+    end
+    # rubocop:enable Metrics/CyclomaticComplexity
+    # rubocop:enable Metrics/AbcSize
+    # rubocop:enable Metrics/MethodLength
+  end
+end
+# rubocop:enable Metrics/ModuleLength

data/lib/minisign/error.rb ADDED Viewed

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+module Minisign
+  class SignatureVerificationError < StandardError
+  end
+  class PasswordMissingError < StandardError
+  end
+  class PasswordIncorrectError < StandardError
+  end
+end

data/lib/minisign/key_pair.rb CHANGED Viewed

@@ -5,6 +5,10 @@ module Minisign
   class KeyPair
     include Minisign::Utils
+    # Create a new key pair
+    # @param password [String] The password used to encrypt the private key
+    # @example
+    #   Minisign::KeyPair.new("53cr3t P4s5w0rd")
     def initialize(password = nil)
       @password = password
       @key_id = SecureRandom.bytes(8)

data/lib/minisign/private_key.rb CHANGED Viewed

@@ -35,18 +35,19 @@ module Minisign
     #
     # @param filename [String] The filename to be used in the trusted comment section
     # @param message [String] The file's contents
-    # @param comment [String] An optional trusted comment to be included in the signature
+    # @param trusted_comment [String] An optional trusted comment to be included in the signature
+    # @param untrusted_comment [String] An optional untrusted comment
     # @return [Minisign::Signature]
-    def sign(filename, message, comment = nil)
+    def sign(filename, message, trusted_comment = nil, untrusted_comment = nil)
       signature = ed25519_signing_key.sign(blake2b512(message))
-      trusted_comment = comment || "timestamp:#{Time.now.to_i}\tfile:#{filename}\thashed"
+      trusted_comment ||= "timestamp:#{Time.now.to_i}\tfile:#{filename}\thashed"
+      untrusted_comment ||= 'signature from minisign secret key'
       global_signature = ed25519_signing_key.sign("#{signature}#{trusted_comment}")
       Minisign::Signature.new([
-        'untrusted comment: <arbitrary text>',
+        "untrusted comment: #{untrusted_comment}",
         Base64.strict_encode64("ED#{@key_id.pack('C*')}#{signature}"),
         "trusted comment: #{trusted_comment}",
-        Base64.strict_encode64(global_signature),
-        ''
+        "#{Base64.strict_encode64(global_signature)}\n"
       ].join("\n"))
     end
@@ -61,6 +62,14 @@ module Minisign
       "untrusted comment: #{@untrusted_comment}\n#{Base64.strict_encode64(data)}\n"
     end
+    # Change or remove a password
+    #
+    # @param new_password [String]
+    def change_password!(new_password)
+      @password = new_password
+      @bytes[2..3] = [0, 0] if new_password.nil? # kdf_algorithm
+    end
     private
     def signature_algorithm
@@ -81,8 +90,12 @@ module Minisign
     # @raise [RuntimeError] if the extracted public key does not match the derived public key
     def assert_valid_key!
-      raise 'Missing password for encrypted key' if kdf_algorithm.bytes.sum != 0 && @password.nil?
-      raise 'Wrong password for that key' if @ed25519_public_key_bytes != ed25519_signing_key.verify_key.to_bytes.bytes
+      if kdf_algorithm.bytes.sum != 0 && @password.nil?
+        raise Minisign::PasswordMissingError, 'Missing password for encrypted key'
+      end
+      return unless @ed25519_public_key_bytes != ed25519_signing_key.verify_key.to_bytes.bytes
+      raise Minisign::PasswordIncorrectError, 'Wrong password for that key'
     end
     def key_data(password, bytes)

data/lib/minisign/public_key.rb CHANGED Viewed

@@ -34,12 +34,8 @@ module Minisign
     # @raise RuntimeError on mismatching key ids
     def verify(signature, message)
       assert_matching_key_ids!(signature.key_id, key_id)
-      ed25519_verify_key.verify(signature.signature, blake2b512(message))
-      begin
-        ed25519_verify_key.verify(signature.trusted_comment_signature, signature.signature + signature.trusted_comment)
-      rescue Ed25519::VerifyError
-        raise 'Comment signature verification failed'
-      end
+      verify_message_signature(signature.signature, message)
+      verify_comment_signature(signature.trusted_comment_signature, signature.signature + signature.trusted_comment)
       "Signature and comment signature verified\nTrusted comment: #{signature.trusted_comment}"
     end
@@ -50,6 +46,18 @@ module Minisign
     private
+    def verify_comment_signature(signature, comment)
+      ed25519_verify_key.verify(signature, comment)
+    rescue Ed25519::VerifyError
+      raise Minisign::SignatureVerificationError, 'Comment signature verification failed'
+    end
+    def verify_message_signature(signature, message)
+      ed25519_verify_key.verify(signature, blake2b512(message))
+    rescue Ed25519::VerifyError => e
+      raise Minisign::SignatureVerificationError, e
+    end
     def untrusted_comment
       if @lines.length == 1
         "minisign public key #{key_id}"
@@ -75,7 +83,10 @@ module Minisign
     end
     def assert_matching_key_ids!(key_id1, key_id2)
-      raise "Signature key id is #{key_id1}\nbut the key id in the public key is #{key_id2}" unless key_id1 == key_id2
+      return if key_id1 == key_id2
+      raise Minisign::SignatureVerificationError,
+            "Signature key id is #{key_id1}\nbut the key id in the public key is #{key_id2}"
     end
   end
 end

data/lib/minisign.rb CHANGED Viewed

@@ -4,8 +4,10 @@ require 'ed25519'
 require 'base64'
 require 'rbnacl'
+require 'minisign/cli'
 require 'minisign/utils'
 require 'minisign/public_key'
 require 'minisign/signature'
 require 'minisign/private_key'
 require 'minisign/key_pair'
+require 'minisign/error'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: minisign
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Jesse Shawl
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-02-10 00:00:00.000000000 Z
+date: 2024-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ed25519
@@ -40,17 +40,21 @@ dependencies:
         version: '7.1'
 description: Verify minisign signatures
 email: jesse@jesse.sh
-executables: []
+executables:
+- minisign
 extensions: []
 extra_rdoc_files: []
 files:
+- bin/minisign
 - lib/minisign.rb
+- lib/minisign/cli.rb
+- lib/minisign/error.rb
 - lib/minisign/key_pair.rb
 - lib/minisign/private_key.rb
 - lib/minisign/public_key.rb
 - lib/minisign/signature.rb
 - lib/minisign/utils.rb
-homepage: https://rubygems.org/gems/minisign
+homepage: https://github.com/jshawl/minisign
 licenses:
 - MIT
 metadata: