Minisign
Published on 2019-08-05 | Last modified on 2019-08-08
A little while back I read an interesting article on PGP, and how we really should stop using it. Not everyone agrees, but GnuPG already bothered me for quite some time. Even if there is a genuine need for a universal tool for "all things crypto", GnuPG, does not seem to be it. That being said, some proposals in the mentioned blog post recommend people to use (proprietary) centralized services to communicate. That is obviously far from ideal, but it really seems the only option for "normal" users at the moment. We are all waiting for secure, privacy friendly, decentralized and free software solutions that are also easy to use...
The solution for software signing, as mentioned in the post, is a great improvement over using PGP for this purpose!
The tool, Minisign, seems like the perfect tool! Small, modern algorithms, and easy to use! I was already a bit familiar with Signify, so it seemed only logical to start evaluating using Minisign for my own projects.
The problem was, that it was not yet available as a "ready to use" package in Fedora and CentOS / Red Hat Enterprise Linux, nor Debian, however, Debian has a port of signify. This is not ideal, so I got to work to solve that problem for Fedora and CentOS, hopefully contributing, in a small way, to make the use of Minisign more popular!
I created the package, put it up for review, and after it got reviewed and accepted, it is now a Fedora and CentOS (EPEL) package! I also requested a package for EPEL 8, so it can be used in CentOS 8, which should be released in the near future.
Installation
You can install Minisign on Fedora >= 30:
$ sudo dnf install minisign
On CentOS 7 you need to enable EPEL first, if you haven't done so already:
$ sudo yum install epel-release
$ sudo yum install minisign
The documentation of Minisign, on how to set it up, i.e. generate a key, and use it is straightforward, in no way comparable to the number of steps you have to walk through to set up and use GnuPG securely...
Software Packaging
An additional bonus is that because Minisign is now packaged for Fedora and CentOS, it can be used to verify source tarballs of software during the RPM build stage!
To use Minisign, similar to how to use
PGP,
in your RPM spec files, you can use the following in your spec file:
...
Source0: https://software.tuxed.net/php-jwt/files/php-jwt-%{version}.tar.xz
Source1: https://software.tuxed.net/php-jwt/files/php-jwt-%{version}.tar.xz.minisig
Source2: fkooman.minisign.pub
...
BuildRequires: minisign
...
%prep
/usr/bin/minisign -V -m %{SOURCE0} -x %{SOURCE1} -p %{SOURCE2}
...
Here, Source2 should be the Minisign public key file, i.e. minisign.pub
that is then added to the Fedora packaging (Git) repository directly, and not
fetched from the web during package build. The public key MUST be verified (out
of band) before it can be trusted. Ideally by establishing some trusted
communication channel with the signer of the source code.
Another step closer to a world without PGP! And maybe packaging Minisign is a first step in moving RPM package signatures to use Minisign as well!