RubyGems - minisign - Versions diffs - 0.1.0 → 0.2.1 - Mend

minisign 0.1.0 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 90f8322a99590a021707a0f91aa959090352ed35571364ea536b298a03896f06
-  data.tar.gz: 63f0cbc1604e551fc16e5bc4cd0456cbb2818cb30994bdd0aedc109bbb7e3dae
+  metadata.gz: 007c98083c5c2f0343244efee9295ca3b9464c8b8edb59ca809e779ae7d0f76e
+  data.tar.gz: bdf21e444448429ee135d59ae7403646afd84b4df0724391563858763bec9a43
 SHA512:
-  metadata.gz: cf80345096982044eb942d0ddafaf9f1546006d543cff34b7ad424e962f930229a6241958627f2339d76a893dbcfb4b5266a88b056c98b3e491e1be7877ab66f
-  data.tar.gz: cbd7a29a71c353745fc6ffe95259368bf959c3418bfd32fae4cce1ede6baa1e449cf27bebc81410aacd2451d8284acd52448860a240d3ea4864ab53b3142f6a3
+  metadata.gz: b7db6eab732643303cb76aab37b8c31bd8efd349992c5dfedcd8a7c772936a6554f8382b05efc6c170bbfb970222024790096b5fa611884204cc94882a45338d
+  data.tar.gz: e635054fe989e5c76edadc0a16128b2c14b23e201949bda438b593c8671b2cc688df3729eff4733ef65e71a68caf137842ef9f060e6b0199746e92502f39026e

data/bin/minisign ADDED Viewed

@@ -0,0 +1,38 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+require 'io/console'
+require 'minisign'
+require 'optparse'
+Signal.trap('INT') { exit }
+options = {}
+op = OptionParser.new do |opts|
+  boolean_opts = %w[G R C W S V Q f q o]
+  argument_opts = %w[t m x s p]
+  boolean_opts.each do |o|
+    opts.on("-#{o}") do |boolean|
+      options[o.to_sym] = boolean
+    end
+  end
+  argument_opts.each do |o|
+    opts.on("-#{o}#{o.upcase}") do |value|
+      options[o.to_sym] = value
+    end
+  end
+end
+begin
+  op.parse!
+  raise OptionParser::InvalidOption if options.keys.empty?
+rescue OptionParser::InvalidOption
+  Minisign::CLI.usage
+  exit 1
+end
+Minisign::CLI.generate(options) if options[:G]
+Minisign::CLI.recreate(options) if options[:R]
+Minisign::CLI.change_password(options) if options[:C]
+Minisign::CLI.sign(options) if options[:S]
+Minisign::CLI.verify(options) if options[:V]

data/lib/minisign/cli.rb ADDED Viewed

@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+require 'io/console'
+# rubocop:disable Metrics/ModuleLength
+module Minisign
+  # The command line interface.
+  # This module is _not_ intended for library usage and is subject to
+  # breaking changes.
+  module CLI
+    # rubocop:disable Metrics/AbcSize
+    # rubocop:disable Metrics/MethodLength
+    # rubocop:disable Metrics/CyclomaticComplexity
+    # Command line usage
+    def self.usage
+      puts 'Usage:'
+      puts 'minisign -G [-f] [-p pubkey_file] [-s seckey_file] [-W]'
+      puts 'minisign -R [-s seckey_file] [-p pubkey_file]'
+      puts 'minisign -C [-s seckey_file] [-W]'
+      puts 'minisign -S [-l] [-x sig_file] [-s seckey_file] [-c untrusted_comment]'
+      puts '            [-t trusted_comment] -m file [file ...]'
+      puts 'minisign -V [-H] [-x sig_file] [-p pubkey_file | -P pubkey] [-o] [-q] -m file'
+      puts ''
+      puts '-G                generate a new key pair'
+      puts '-R                recreate a public key file from a secret key file'
+      puts '-C                change/remove the password of the secret key'
+      puts '-S                sign files'
+      puts '-V                verify that a signature is valid for a given file'
+      puts '-m <file>         file to sign/verify'
+      puts '-o                combined with -V, output the file content after verification'
+      puts '-p <pubkey_file>  public key file (default: ./minisign.pub)'
+      puts '-P <pubkey>       public key, as a base64 string'
+      puts '-s <seckey_file>  secret key file (default: ~/.minisign/minisign.key)'
+      puts '-W                do not encrypt/decrypt the secret key with a password'
+      puts '-x <sigfile>      signature file (default: <file>.minisig)'
+      puts '-c <comment>      add a one-line untrusted comment'
+      puts '-t <comment>      add a one-line trusted comment'
+      puts '-q                quiet mode, suppress output'
+      puts '-Q                pretty quiet mode, only print the trusted comment'
+      puts '-f                force. Combined with -G, overwrite a previous key pair'
+      puts '-v                display version number'
+      puts ''
+      exit 1
+    end
+    def self.prompt
+      $stdin.tty? ? $stdin.noecho(&:gets).chomp : $stdin.gets.chomp
+    end
+    def self.prevent_overwrite!(file)
+      return unless File.exist? file
+      puts 'Key generation aborted:'
+      puts "#{file} already exists."
+      puts ''
+      puts 'If you really want to overwrite the existing key pair, add the -f switch to'
+      puts 'force this operation.'
+      exit 1
+    end
+    def self.generate(options)
+      secret_key = options[:s] || "#{Dir.home}/.minisign/minisign.key"
+      public_key = options[:p] || './minisign.pub'
+      prevent_overwrite!(public_key) unless options[:f]
+      prevent_overwrite!(secret_key) unless options[:f]
+      if options[:W]
+        keypair = Minisign::KeyPair.new
+        File.write(secret_key, keypair.private_key)
+        File.write(public_key, keypair.public_key)
+      else
+        print 'Password: '
+        password = prompt
+        print "\nPassword (one more time): "
+        password_confirmation = prompt
+        if password != password_confirmation
+          puts "\nPasswords don't match"
+          exit 1
+        end
+        print "\nDeriving a key from the password in order to encrypt the secret key..."
+        keypair = Minisign::KeyPair.new(password)
+        File.write(secret_key, keypair.private_key)
+        print " done\n"
+        puts "The secret key was saved as #{options[:s]} - Keep it secret!"
+        File.write(public_key, keypair.public_key)
+        puts "The public key was saved as #{options[:p]} - That one can be public."
+        pubkey = keypair.public_key.to_s.split("\n").pop
+        puts "minisign -Vm <file> -P #{pubkey}"
+      end
+    end
+    def self.recreate(options)
+      options[:s] ||= "#{Dir.home}/.minisign/minisign.key"
+      public_key = options[:p] || './minisign.pub'
+      File.write(public_key, private_key(options[:s]).public_key)
+    end
+    def self.change_password(options)
+      options[:s] ||= "#{Dir.home}/.minisign/minisign.key"
+      new_private_key = private_key(options[:s])
+      print 'New Password: '
+      new_password = options[:W] ? nil : prompt
+      new_private_key.change_password! new_password
+      File.write(options[:s], new_private_key)
+    end
+    def self.sign(options)
+      # TODO: multiple files
+      options[:x] ||= "#{options[:m]}.minisig"
+      options[:s] ||= "#{Dir.home}/.minisign/minisign.key"
+      signature = private_key(options[:s]).sign(options[:m], File.read(options[:m]), options[:t], options[:c])
+      File.write(options[:x], signature)
+    end
+    def self.verify(options)
+      options[:x] ||= "#{options[:m]}.minisig"
+      options[:p] ||= './minisign.pub'
+      options[:P] ||= File.read(options[:p])
+      public_key = Minisign::PublicKey.new(options[:P])
+      message = File.read(options[:m])
+      signature = Minisign::Signature.new(File.read(options[:x]))
+      begin
+        verification = public_key.verify(signature, message)
+      rescue Minisign::SignatureVerificationError => e
+        puts e.message
+        exit 1
+      end
+      return if options[:q]
+      return puts message if options[:o]
+      puts options[:Q] ? signature.trusted_comment : verification
+    end
+    def self.private_key(seckey_file)
+      seckey_file_contents = File.read(seckey_file)
+      begin
+        Minisign::PrivateKey.new(seckey_file_contents)
+      rescue Minisign::PasswordMissingError
+        print 'Password: '
+        Minisign::PrivateKey.new(seckey_file_contents, prompt)
+      end
+    end
+    # rubocop:enable Metrics/CyclomaticComplexity
+    # rubocop:enable Metrics/AbcSize
+    # rubocop:enable Metrics/MethodLength
+  end
+end
+# rubocop:enable Metrics/ModuleLength

data/lib/minisign/error.rb ADDED Viewed

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+module Minisign
+  class SignatureVerificationError < StandardError
+  end
+  class PasswordMissingError < StandardError
+  end
+  class PasswordIncorrectError < StandardError
+  end
+end

data/lib/minisign/key_pair.rb CHANGED Viewed

@@ -5,6 +5,10 @@ module Minisign
   class KeyPair
     include Minisign::Utils
+    # Create a new key pair
+    # @param password [String] The password used to encrypt the private key
+    # @example
+    #   Minisign::KeyPair.new("53cr3t P4s5w0rd")
     def initialize(password = nil)
       @password = password
       @key_id = SecureRandom.bytes(8)

data/lib/minisign/private_key.rb CHANGED Viewed

@@ -35,18 +35,19 @@ module Minisign
     #
     # @param filename [String] The filename to be used in the trusted comment section
     # @param message [String] The file's contents
-    # @param comment [String] An optional trusted comment to be included in the signature
+    # @param trusted_comment [String] An optional trusted comment to be included in the signature
+    # @param untrusted_comment [String] An optional untrusted comment
     # @return [Minisign::Signature]
-    def sign(filename, message, comment = nil)
+    def sign(filename, message, trusted_comment = nil, untrusted_comment = nil)
       signature = ed25519_signing_key.sign(blake2b512(message))
-      trusted_comment = comment || "timestamp:#{Time.now.to_i}\tfile:#{filename}\thashed"
+      trusted_comment ||= "timestamp:#{Time.now.to_i}\tfile:#{filename}\thashed"
+      untrusted_comment ||= 'signature from minisign secret key'
       global_signature = ed25519_signing_key.sign("#{signature}#{trusted_comment}")
       Minisign::Signature.new([
-        'untrusted comment: <arbitrary text>',
+        "untrusted comment: #{untrusted_comment}",
         Base64.strict_encode64("ED#{@key_id.pack('C*')}#{signature}"),
         "trusted comment: #{trusted_comment}",
-        Base64.strict_encode64(global_signature),
-        ''
+        "#{Base64.strict_encode64(global_signature)}\n"
       ].join("\n"))
     end
@@ -61,6 +62,14 @@ module Minisign
       "untrusted comment: #{@untrusted_comment}\n#{Base64.strict_encode64(data)}\n"
     end
+    # Change or remove a password
+    #
+    # @param new_password [String]
+    def change_password!(new_password)
+      @password = new_password
+      @bytes[2..3] = [0, 0] if new_password.nil? # kdf_algorithm
+    end
     private
     def signature_algorithm
@@ -81,8 +90,12 @@ module Minisign
     # @raise [RuntimeError] if the extracted public key does not match the derived public key
     def assert_valid_key!
-      raise 'Missing password for encrypted key' if kdf_algorithm.bytes.sum != 0 && @password.nil?
-      raise 'Wrong password for that key' if @ed25519_public_key_bytes != ed25519_signing_key.verify_key.to_bytes.bytes
+      if kdf_algorithm.bytes.sum != 0 && @password.nil?
+        raise Minisign::PasswordMissingError, 'Missing password for encrypted key'
+      end
+      return unless @ed25519_public_key_bytes != ed25519_signing_key.verify_key.to_bytes.bytes
+      raise Minisign::PasswordIncorrectError, 'Wrong password for that key'
     end
     def key_data(password, bytes)

data/lib/minisign/public_key.rb CHANGED Viewed

@@ -21,7 +21,7 @@ module Minisign
     #   public_key.key_id
     #   #=> "E86FECED695E8E0"
     def key_id
-      key_id_binary_string.bytes.map { |c| c.to_s(16) }.reverse.join.upcase
+      hex key_id_binary_string.bytes
     end
     # Verify a message's signature
@@ -29,17 +29,13 @@ module Minisign
     # @param signature [Minisign::Signature]
     # @param message [String] the content that was signed
     # @return [String] the trusted comment
-    # @raise Ed25519::VerifyError on invalid signatures
-    # @raise RuntimeError on tampered trusted comments
-    # @raise RuntimeError on mismatching key ids
+    # @raise Minisign::SignatureVerificationError on invalid signatures
+    # @raise Minisign::SignatureVerificationError on tampered trusted comments
+    # @raise Minisign::SignatureVerificationError on mismatching key ids
     def verify(signature, message)
       assert_matching_key_ids!(signature.key_id, key_id)
-      ed25519_verify_key.verify(signature.signature, blake2b512(message))
-      begin
-        ed25519_verify_key.verify(signature.trusted_comment_signature, signature.signature + signature.trusted_comment)
-      rescue Ed25519::VerifyError
-        raise 'Comment signature verification failed'
-      end
+      verify_message_signature(signature.signature, message)
+      verify_comment_signature(signature.trusted_comment_signature, signature.signature + signature.trusted_comment)
       "Signature and comment signature verified\nTrusted comment: #{signature.trusted_comment}"
     end
@@ -50,6 +46,18 @@ module Minisign
     private
+    def verify_comment_signature(signature, comment)
+      ed25519_verify_key.verify(signature, comment)
+    rescue Ed25519::VerifyError
+      raise Minisign::SignatureVerificationError, 'Comment signature verification failed'
+    end
+    def verify_message_signature(signature, message)
+      ed25519_verify_key.verify(signature, blake2b512(message))
+    rescue Ed25519::VerifyError
+      raise Minisign::SignatureVerificationError, 'Signature verification failed'
+    end
     def untrusted_comment
       if @lines.length == 1
         "minisign public key #{key_id}"
@@ -75,7 +83,10 @@ module Minisign
     end
     def assert_matching_key_ids!(key_id1, key_id2)
-      raise "Signature key id is #{key_id1}\nbut the key id in the public key is #{key_id2}" unless key_id1 == key_id2
+      return if key_id1 == key_id2
+      raise Minisign::SignatureVerificationError,
+            "Signature key id is #{key_id1}\nbut the key id in the public key is #{key_id2}"
     end
   end
 end

data/lib/minisign/signature.rb CHANGED Viewed

@@ -3,11 +3,13 @@
 module Minisign
   # Parse a .minisig file's contents
   class Signature
+    include Utils
     # @param str [String] The contents of the .minisig file
     # @example
     #   Minisign::Signature.new(File.read('test/example.txt.minisig'))
     def initialize(str)
       @lines = str.split("\n")
+      @decoded = Base64.strict_decode64(@lines[1])
     end
     # @return [String] the key id
@@ -15,7 +17,7 @@ module Minisign
     #   Minisign::Signature.new(File.read('test/example.txt.minisig')).key_id
     #   #=> "E86FECED695E8E0"
     def key_id
-      encoded_signature[2..9].bytes.map { |c| c.to_s(16) }.reverse.join.upcase
+      hex @decoded[2..9].bytes
     end
     # @return [String] the trusted comment
@@ -33,18 +35,12 @@ module Minisign
     # @return [String] the global signature
     def signature
-      encoded_signature[10..]
+      @decoded[10..]
     end
     # @return [String] The signature that can be written to a file
     def to_s
       "#{@lines.join("\n")}\n"
     end
-    private
-    def encoded_signature
-      Base64.decode64(@lines[1])
-    end
   end
 end

data/lib/minisign/utils.rb CHANGED Viewed

@@ -18,6 +18,11 @@ module Minisign
       end
     end
+    # @return [String] bytes as little endian hexadecimal
+    def hex(bytes)
+      bytes.map { |c| c.to_s(16) }.reverse.join.upcase
+    end
     # @return [String] the <kdf_output> used to xor the ed25519 keys
     def derive_key(password, kdf_salt, kdf_opslimit, kdf_memlimit)
       RbNaCl::PasswordHash.scrypt(

data/lib/minisign.rb CHANGED Viewed

@@ -4,8 +4,10 @@ require 'ed25519'
 require 'base64'
 require 'rbnacl'
+require 'minisign/cli'
 require 'minisign/utils'
 require 'minisign/public_key'
 require 'minisign/signature'
 require 'minisign/private_key'
 require 'minisign/key_pair'
+require 'minisign/error'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: minisign
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Jesse Shawl
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-02-10 00:00:00.000000000 Z
+date: 2024-02-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ed25519
@@ -38,22 +38,30 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '7.1'
-description: Verify minisign signatures
+description: Create and verify minisign signatures
 email: jesse@jesse.sh
-executables: []
+executables:
+- minisign
 extensions: []
 extra_rdoc_files: []
 files:
+- bin/minisign
 - lib/minisign.rb
+- lib/minisign/cli.rb
+- lib/minisign/error.rb
 - lib/minisign/key_pair.rb
 - lib/minisign/private_key.rb
 - lib/minisign/public_key.rb
 - lib/minisign/signature.rb
 - lib/minisign/utils.rb
-homepage: https://rubygems.org/gems/minisign
+homepage: https://github.com/jshawl/minisign
 licenses:
 - MIT
 metadata:
+  bug_tracker_uri: https://github.com/jshawl/minisign/issues
+  changelog_uri: https://github.com/jshawl/minisign/blob/main/CHANGELOG.md
+  documentation_uri: https://www.rubydoc.info/gems/minisign/0.2.1
+  source_code_uri: https://github.com/jshawl/minisign/tree/v0.2.1
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []