---
title: Minisign
published: 2019-08-05
modified: 2019-08-08
---
A little while back I read an interesting
[article](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) on PGP,
and how we really should stop using it. Not everyone agrees, but GnuPG already
bothered me for quite
[some](https://twitter.com/fkooman/status/888318029167284224)
[time](https://twitter.com/fkooman/status/874321200822071300). Even if there is
a genuine need for a universal tool for "all things crypto", GnuPG does not
seem to be it. That being said, some proposals in the mentioned blog post
recommend that people use (proprietary) centralized services to communicate. That
is obviously far from ideal, but it really seems the only option for
"normal" users at the moment. We are all waiting for secure, privacy-friendly,
decentralized and free software solutions that are also easy to use...
The solution for software signing, as mentioned in the post, _is_ a great
improvement over using PGP for this purpose!
The tool, [Minisign](https://github.com/jedisct1/minisign), seems like the
perfect tool! Small, modern algorithms, and easy to use! I was already a bit
familiar with [Signify](https://man.openbsd.org/OpenBSD-current/man1/signify.1),
so it seemed only logical to start evaluating using Minisign for my own
[projects](https://www.tuxed.net/fkooman/projects.html).
The problem was that it was not yet available as a "ready to use" package in
[Fedora](https://getfedora.org/) and [CentOS](https://centos.org/) / Red Hat
Enterprise Linux, nor [Debian](https://www.debian.org/). This is not ideal, so
I got to work to solve that problem, at least for Fedora and CentOS, hopefully
contributing, in a small way, to making the use of Minisign more popular!
I created the package, put it up for
[review](https://bugzilla.redhat.com/show_bug.cgi?id=1730709), and after it got
reviewed and accepted, it is now a Fedora and CentOS (EPEL)
[package](https://apps.fedoraproject.org/packages/minisign)! I also
[requested](https://pagure.io/releng/fedora-scm-requests/issue/14777) a
[package](https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-b080204bb5)
for EPEL 8, so it can be used in
[CentOS 8](https://wiki.centos.org/About/Building_8), which should be released
in the near future.
### Installation
You can install Minisign on Fedora >= 30 with:

```
$ sudo dnf install minisign
```

On CentOS 7 you need to enable [EPEL](https://fedoraproject.org/wiki/EPEL)
first, if you haven't done so already:

```
$ sudo yum install epel-release
$ sudo yum install minisign
```
The Minisign [documentation](https://jedisct1.github.io/minisign/) on how to set
it up (i.e. generate a key pair) and how to use it is straightforward, in no way
comparable to the number of steps you have to walk through to set up and use
GnuPG securely...
### Software Packaging
An additional bonus is that because Minisign is now packaged for Fedora and
CentOS, it can be used to verify source tarballs of software during the RPM
build stage!
To use Minisign in your RPM spec files, similar to how
[PGP](https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification)
is used for source file verification, you can add the following to your `spec` file:

```
...
Source0: https://software.tuxed.net/php-jwt/files/php-jwt-%{version}.tar.xz
Source1: https://software.tuxed.net/php-jwt/files/php-jwt-%{version}.tar.xz.minisig
Source2: fkooman.minisign.pub
...
BuildRequires: minisign
...
%prep
/usr/bin/minisign -V -m %{SOURCE0} -x %{SOURCE1} -p %{SOURCE2}
...
```
Here, `Source2` is the Minisign public key file, i.e. `minisign.pub`, which is
added directly to the Fedora packaging (Git) repository, and not fetched from the
web during the package build. If the signature does not verify, `minisign -V`
exits non-zero and the build aborts in `%prep`. The public key MUST be verified
(out of band) before it can be trusted, ideally by establishing a trusted
communication channel with the signer of the source code.
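To make clear what that single `minisign -V` line in `%prep` actually checks, here is an added example (my own illustration, not code from Minisign or from this post) that builds and verifies a Minisign `.pub`/`.minisig` pair in pure Python, with a textbook Ed25519 underneath so it runs offline. It assumes the documented Minisign file layout: an algorithm tag, an 8-byte key id and the key or signature, base64-encoded under an `untrusted comment:` line; a prehashed `ED` signature over the BLAKE2b-512 digest of the file; and a global signature over the signature plus the trusted comment. The seed, key id and data are constructed, and the `minisign_pubkey`, `minisign_sign` and `minisign_verify` names are mine.

```python
import base64
import hashlib
# Textbook Ed25519 in affine coordinates: fine for illustration, not constant-time.
q = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
d = -121665 * pow(121666, q - 2, q) % q
I = pow(2, (q - 1) // 4, q)

def _edwards(P, Q):
    (x1, y1), (x2, y2) = P, Q
    k = d * x1 * x2 * y1 * y2 % q
    den = pow((1 + k) * (1 - k) % q, q - 2, q)  # one inversion serves both coordinates
    return [(x1 * y2 + x2 * y1) * (1 - k) * den % q, (y1 * y2 + x1 * x2) * (1 + k) * den % q]

def _scalarmult(P, e):  # right-to-left double-and-add
    Q = [0, 1]
    while e:
        if e & 1:
            Q = _edwards(Q, P)
        P = _edwards(P, P)
        e >>= 1
    return Q

def _xrecover(y):
    xx = (y * y - 1) * pow(d * y * y + 1, q - 2, q) % q
    x = pow(xx, (q + 3) // 8, q)
    return x if (x * x - xx) % q == 0 else x * I % q

def _encode(P):
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def _decode(s):
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = _xrecover(y)
    if (x & 1) != (s[31] >> 7):
        x = q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q:
        raise ValueError("point not on curve")
    return [x, y]

_By = 4 * pow(5, q - 2, q) % q
_Bx = _xrecover(_By)
B = [_Bx if _Bx % 2 == 0 else q - _Bx, _By]  # base point (even x)

def _clamp(h):
    return (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)

def ed25519_publickey(seed):
    return _encode(_scalarmult(B, _clamp(hashlib.sha512(seed).digest())))

def ed25519_sign(m, seed, pk):
    h = hashlib.sha512(seed).digest()
    r = int.from_bytes(hashlib.sha512(h[32:] + m).digest(), "little") % L
    R = _encode(_scalarmult(B, r))
    k = int.from_bytes(hashlib.sha512(R + pk + m).digest(), "little") % L
    return R + ((r + k * _clamp(h)) % L).to_bytes(32, "little")

def ed25519_verify(sig, m, pk):
    if len(sig) != 64 or len(pk) != 32:
        return False
    try:
        R, A = _decode(sig[:32]), _decode(pk)
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    k = int.from_bytes(hashlib.sha512(sig[:32] + pk + m).digest(), "little") % L
    return S < L and _scalarmult(B, S) == _edwards(R, _scalarmult(A, k))

# Minisign layout: ".pub" = "Ed" + key_id[8] + pk[32]; ".minisig" = "ED" + key_id[8] + sig[64]
# followed by "trusted comment: ..." and global_sig[64]. "ED" means sig covers
# BLAKE2b-512(file); global_sig covers sig + trusted comment (so the comment is protected).
def minisign_pubkey(seed, key_id):
    blob = b"Ed" + key_id + ed25519_publickey(seed)
    return "untrusted comment: minisign public key\n%s\n" % base64.b64encode(blob).decode()

def minisign_sign(data, seed, key_id, trusted_comment):
    pk = ed25519_publickey(seed)
    sig = ed25519_sign(hashlib.blake2b(data, digest_size=64).digest(), seed, pk)
    global_sig = ed25519_sign(sig + trusted_comment.encode(), seed, pk)
    return "untrusted comment: signature from minisign secret key\n%s\ntrusted comment: %s\n%s\n" % (
        base64.b64encode(b"ED" + key_id + sig).decode(), trusted_comment,
        base64.b64encode(global_sig).decode())

def minisign_verify(data, sig_text, pub_text):  # -> (True, trusted_comment) or (False, reason)
    pub = base64.b64decode(pub_text.splitlines()[1])
    lines = sig_text.splitlines()
    if len(pub) != 42 or pub[:2] != b"Ed" or len(lines) < 4 or not lines[2].startswith("trusted comment: "):
        return False, "malformed public key or signature file"
    blob = base64.b64decode(lines[1])
    if len(blob) != 74 or blob[:2] != b"ED":
        return False, "unsupported signature format"
    if blob[2:10] != pub[2:10]:  # same check minisign makes before any crypto
        return False, "signature key id does not match the public key"
    sig, pk = blob[10:], pub[10:]
    if not ed25519_verify(sig, hashlib.blake2b(data, digest_size=64).digest(), pk):
        return False, "signature verification failed"
    comment = lines[2][len("trusted comment: "):]
    if not ed25519_verify(base64.b64decode(lines[3]), sig + comment.encode(), pk):
        return False, "trusted comment verification failed"
    return True, comment
```

The order of checks mirrors what matters for the packaging case: the key id in the `.minisig` must match the public key that was committed to the packaging repository, the file signature must verify over the tarball's digest, and only then is the trusted comment (which normally carries a timestamp and file name) accepted, because the global signature binds it to the file signature. The Ed25519 here is for understanding the format; the real build should keep calling the packaged `minisign` binary.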
Another step closer to a world without PGP! And maybe packaging Minisign is
a first step in moving RPM package signatures to use Minisign as well!
### Updates
* **2019-08-08**: link to EPEL 8 bodhi for Minisign package