minisign 0.0.7 → 0.0.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8dd11c61143149fd612a6c08a084a4e5831ec66f860c6a706edea18fc53bec00
-  data.tar.gz: f7b6013996e7e72b35ad8c500e2bf5d24ebc2a9abe0d1d09bda86cfaca2d4ba8
+  metadata.gz: 5fff86c56cc4091b4517b01304262f097451c801847f4593d1bb99df4bef760f
+  data.tar.gz: 4c3ffd93d6dd729a25b6eabd9773d3a226e27c1066329972132d87ab5b5d49cc
 SHA512:
-  metadata.gz: 615740c7d8fde14c2de494b2f7f9d28ebfaff2cb583210e29ee18573b97180d2a3d1ff3631085cdb53803d35a08cd31d01457c321a45d6d8b684849bcf69cb08
-  data.tar.gz: d89f2cace36de94f4909420161a120888a929b3a097b00cbfa33e7081f7dcb15bacd93ca21be52df9f36009c5b3f1455b75dd49c29c99c3299d6130c8561a8b7
+  metadata.gz: 2bf06fbf6e88b3a003d5b62d245e8085f749a24a36022b66b4fa6d7f7901b5e2eececc0c107dd0ee1969cb4fa09dd28212695f401f1b8f4e5e2c8cc6adf85671
+  data.tar.gz: cf5da0f974244ea824bd8ffd5a3f41dd875eac858c213429918a1b0da1445b35a9a479ac8ed1131b33eaaab7ad609dd6cd6dc98852b2e29afff83cb389327acd

data/lib/minisign/private_key.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+module Minisign
+  # Parse ed25519 signing key from minisign private key
+  class PrivateKey
+    include Utils
+    attr_reader :signature_algorithm, :kdf_algorithm, :cksum_algorithm, :kdf_salt, :kdf_opslimit, :kdf_memlimit,
+                :key_id, :public_key, :secret_key, :checksum
+
+    # rubocop:disable Metrics/AbcSize
+    # rubocop:disable Layout/LineLength
+
+    # Parse signing information from the minisign private key
+    #
+    # @param str [String] The minisign private key
+    # @example
+    #   Minisign::PrivateKey.new('RWRTY0IyEf+yYa5eAX38PgdrI3TMxwy+3sgzpgcZWQXhOKqdf9sAAAACAAAAAAAAAEAAAAAAHe8Olzttgk6k5pZyT3CyCTcTAV0bLN3kq5CUqhLjqSdYZ6oEWs/S7ztaephS+/jwnuOElLBKkg3Sd56jzyvMwL4qStNUTyPDqckNjniw2SlowmHN8n5NnR47gvqjo96E+vakpw8v5PE=', 'password')
+    def initialize(str, password = nil)
+      contents = str.split("\n")
+      bytes = Base64.decode64(contents.last).bytes
+      @signature_algorithm, @kdf_algorithm, @cksum_algorithm =
+        [bytes[0..1], bytes[2..3], bytes[4..5]].map { |a| a.pack('U*') }
+      @kdf_salt = bytes[6..37]
+      @kdf_opslimit = bytes[38..45].pack('V*').unpack('N*').sum
+      @kdf_memlimit = bytes[46..53].pack('V*').unpack('N*').sum
+      kdf_output = derive_key(password, @kdf_salt, @kdf_opslimit, @kdf_memlimit)
+      @key_id, @secret_key, @public_key, @checksum = xor(kdf_output, bytes[54..157])
+    end
+    # rubocop:enable Layout/LineLength
+    # rubocop:enable Metrics/AbcSize
+
+    # @return [String] the <kdf_output> used to xor the ed25519 keys
+    def derive_key(password, kdf_salt, kdf_opslimit, kdf_memlimit)
+      RbNaCl::PasswordHash.scrypt(
+        password,
+        kdf_salt.pack('C*'),
+        kdf_opslimit,
+        kdf_memlimit,
+        104
+      ).bytes
+    end
+
+    # rubocop:disable Layout/LineLength
+
+    # @return [Array<32 bit unsigned ints>] the byte array containing the key id, the secret and public ed25519 keys, and the checksum
+    def xor(kdf_output, contents)
+      # rubocop:enable Layout/LineLength
+      xored = kdf_output.each_with_index.map do |b, i|
+        contents[i] ^ b
+      end
+      [xored[0..7], xored[8..39], xored[40..71], xored[72..103]]
+    end
+
+    # @return [Ed25519::SigningKey] the ed25519 signing key
+    def ed25519_signing_key
+      Ed25519::SigningKey.new(@secret_key.pack('C*'))
+    end
+
+    # @return [String] the signature in the .minisig format that can be written to a file.
+    def sign(filename, message)
+      signature = ed25519_signing_key.sign(blake2b512(message))
+      trusted_comment = "timestamp:#{Time.now.to_i}\tfile:#{filename}\thashed"
+      global_signature = ed25519_signing_key.sign("#{signature}#{trusted_comment}")
+      [
+        'untrusted comment: <arbitrary text>',
+        Base64.strict_encode64("ED#{@key_id.pack('C*')}#{signature}"),
+        "trusted comment: #{trusted_comment}",
+        Base64.strict_encode64(global_signature),
+        ''
+      ].join("\n")
+    end
+  end
+end

data/lib/minisign/public_key.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Minisign
+  # Parse ed25519 verify key from minisign public key
+  class PublicKey
+    include Utils
+    # Parse the ed25519 verify key from the minisign public key
+    #
+    # @param str [String] The minisign public key
+    # @example
+    #   Minisign::PublicKey.new('RWTg6JXWzv6GDtDphRQ/x7eg0LaWBcTxPZ7i49xEeiqXVcR+r79OZRWM')
+    def initialize(str)
+      @decoded = Base64.strict_decode64(str)
+      @public_key = @decoded[10..]
+      @verify_key = Ed25519::VerifyKey.new(@public_key)
+    end
+
+    # @return [String] the key id
+    # @example
+    #   Minisign::PublicKey.new('RWTg6JXWzv6GDtDphRQ/x7eg0LaWBcTxPZ7i49xEeiqXVcR+r79OZRWM').key_id
+    #   #=> "E86FECED695E8E0"
+    def key_id
+      @decoded[2..9].bytes.map { |c| c.to_s(16) }.reverse.join.upcase
+    end
+
+    # Verify a message's signature
+    #
+    # @param sig [Minisign::Signature]
+    # @param message [String] the content that was signed
+    # @return [String] the trusted comment
+    # @raise Ed25519::VerifyError on invalid signatures
+    # @raise RuntimeError on tampered trusted comments
+    def verify(sig, message)
+      ensure_matching_key_ids(sig.key_id, key_id)
+      @verify_key.verify(sig.signature, blake2b512(message))
+      begin
+        @verify_key.verify(sig.trusted_comment_signature, sig.signature + sig.trusted_comment)
+      rescue Ed25519::VerifyError
+        raise 'Comment signature verification failed'
+      end
+      "Signature and comment signature verified\nTrusted comment: #{sig.trusted_comment}"
+    end
+
+    private
+
+    def ensure_matching_key_ids(key_id1, key_id2)
+      raise "Signature key id is #{key_id1}\nbut the key id in the public key is #{key_id2}" unless key_id1 == key_id2
+    end
+  end
+end

data/lib/minisign/signature.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Minisign
+  # Parse a .minisig file's contents
+  class Signature
+    # @param str [String] The contents of the .minisig file
+    # @example
+    #   Minisign::Signature.new(File.read('test/example.txt.minisig'))
+    def initialize(str)
+      @lines = str.split("\n")
+    end
+
+    # @return [String] the key id
+    # @example
+    #   Minisign::Signature.new(File.read('test/example.txt.minisig')).key_id
+    #   #=> "E86FECED695E8E0"
+    def key_id
+      encoded_signature[2..9].bytes.map { |c| c.to_s(16) }.reverse.join.upcase
+    end
+
+    # @return [String] the trusted comment
+    # @example
+    #   Minisign::Signature.new(File.read('test/example.txt.minisig')).trusted_comment
+    #   #=> "timestamp:1653934067\tfile:example.txt\thashed"
+    def trusted_comment
+      @lines[2].split('trusted comment: ')[1]
+    end
+
+    def trusted_comment_signature
+      Base64.decode64(@lines[3])
+    end
+
+    # @return [String] the signature
+    def signature
+      encoded_signature[10..]
+    end
+
+    private
+
+    def encoded_signature
+      Base64.decode64(@lines[1])
+    end
+  end
+end

data/lib/minisign/utils.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Minisign
+  # Helpers used in multiple classes
+  module Utils
+    def blake2b512(message)
+      OpenSSL::Digest.new('BLAKE2b512').digest(message)
+    end
+  end
+end

data/lib/minisign.rb

@@ -3,95 +3,9 @@
 require 'ed25519'
 require 'base64'
 require 'openssl'
+require 'rbnacl'
 
-# `minisign` is a rubygem for verifying {https://jedisct1.github.io/minisign minisign} signatures.
-# @author Jesse Shawl
-module Minisign
-  # Parse a .minisig file's contents
-  class Signature
-    # @param str [String] The contents of the .minisig file
-    # @example
-    #   Minisign::Signature.new(File.read('test/example.txt.minisig'))
-    def initialize(str)
-      @lines = str.split("\n")
-    end
-
-    # @return [String] the key id
-    # @example
-    #   Minisign::Signature.new(File.read('test/example.txt.minisig')).key_id
-    #   #=> "E86FECED695E8E0"
-    def key_id
-      encoded_signature[2..9].bytes.map { |c| c.to_s(16) }.reverse.join.upcase
-    end
-
-    # @return [String] the trusted comment
-    # @example
-    #   Minisign::Signature.new(File.read('test/example.txt.minisig')).trusted_comment
-    #   #=> "timestamp:1653934067\tfile:example.txt\thashed"
-    def trusted_comment
-      @lines[2].split('trusted comment: ')[1]
-    end
-
-    def trusted_comment_signature
-      Base64.decode64(@lines[3])
-    end
-
-    # @return [String] the signature
-    def signature
-      encoded_signature[10..]
-    end
-
-    private
-
-    def encoded_signature
-      Base64.decode64(@lines[1])
-    end
-  end
-
-  # Parse ed25519 verify key from minisign public key
-  class PublicKey
-    # Parse the ed25519 verify key from the minisign public key
-    #
-    # @param str [String] The minisign public key
-    # @example
-    #   Minisign::PublicKey.new('RWTg6JXWzv6GDtDphRQ/x7eg0LaWBcTxPZ7i49xEeiqXVcR+r79OZRWM')
-    def initialize(str)
-      @decoded = Base64.strict_decode64(str)
-      @public_key = @decoded[10..]
-      @verify_key = Ed25519::VerifyKey.new(@public_key)
-    end
-
-    # @return [String] the key id
-    # @example
-    #   Minisign::PublicKey.new('RWTg6JXWzv6GDtDphRQ/x7eg0LaWBcTxPZ7i49xEeiqXVcR+r79OZRWM').key_id
-    #   #=> "E86FECED695E8E0"
-    def key_id
-      @decoded[2..9].bytes.map { |c| c.to_s(16) }.reverse.join.upcase
-    end
-
-    # Verify a message's signature
-    #
-    # @param sig [Minisign::Signature]
-    # @param message [String] the content that was signed
-    # @return [String] the trusted comment
-    # @raise Ed25519::VerifyError on invalid signatures
-    # @raise RuntimeError on tampered trusted comments
-    def verify(sig, message)
-      blake = OpenSSL::Digest.new('BLAKE2b512')
-      ensure_matching_key_ids(sig.key_id, key_id)
-      @verify_key.verify(sig.signature, blake.digest(message))
-      begin
-        @verify_key.verify(sig.trusted_comment_signature, sig.signature + sig.trusted_comment)
-      rescue Ed25519::VerifyError
-        raise 'Comment signature verification failed'
-      end
-      "Signature and comment signature verified\nTrusted comment: #{sig.trusted_comment}"
-    end
-
-    private
-
-    def ensure_matching_key_ids(key_id1, key_id2)
-      raise "Signature key id is #{key_id1}\nbut the key id in the public key is #{key_id2}" unless key_id1 == key_id2
-    end
-  end
-end
+require 'minisign/utils'
+require 'minisign/public_key'
+require 'minisign/signature'
+require 'minisign/private_key'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: minisign
 version: !ruby/object:Gem::Version
-  version: 0.0.7
+  version: 0.0.8
 platform: ruby
 authors:
 - Jesse Shawl
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-06-22 00:00:00.000000000 Z
+date: 2024-02-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ed25519
@@ -24,6 +24,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rbnacl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.1'
 description: Verify minisign signatures
 email: jesse@jesse.sh
 executables: []
@@ -31,6 +45,10 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/minisign.rb
+- lib/minisign/private_key.rb
+- lib/minisign/public_key.rb
+- lib/minisign/signature.rb
+- lib/minisign/utils.rb
 homepage: https://rubygems.org/gems/minisign
 licenses:
 - MIT
@@ -44,14 +62,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.6.0
+      version: '2.7'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: Minisign, in Ruby!