path: root/posts/minisign.md
blob: 9fa7b4b8152cc8674debeeda2c1da526c799ff4e (plain)
---
title: Minisign
published: 2019-08-05
modified: 2019-08-08
---

A little while back I read an interesting 
[article](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) on PGP, 
and how we really should stop using it. Not everyone agrees, but GnuPG had 
already bothered me for quite 
[some](https://twitter.com/fkooman/status/888318029167284224) 
[time](https://twitter.com/fkooman/status/874321200822071300). Even if there is 
a genuine need for a universal tool for "all things crypto", GnuPG does not 
seem to be it. That being said, some proposals in the mentioned blog post 
recommend that people use (proprietary) centralized services to communicate. 
That is obviously far from ideal, but it really seems to be the only option for 
"normal" users at the moment. We are all waiting for secure, privacy-friendly, 
decentralized and free software solutions that are also easy to use...

The solution for software signing, as mentioned in the post, _is_ a great 
improvement over using PGP for this purpose!

[Minisign](https://github.com/jedisct1/minisign) seems like the perfect tool 
for this: small, modern algorithms, and easy to use! I was already a bit 
familiar with [Signify](https://man.openbsd.org/OpenBSD-current/man1/signify.1), 
so it seemed only logical to start evaluating Minisign for my own 
[projects](https://www.tuxed.net/fkooman/projects.html).

The problem was that it was not yet available as a "ready to use" package in 
[Fedora](https://getfedora.org/) and [CentOS](https://centos.org/) / Red Hat 
Enterprise Linux, nor in [Debian](https://www.debian.org/). This is not ideal, 
so I got to work to solve that problem, at least for Fedora and CentOS, 
hopefully contributing, in a small way, to making Minisign more popular!

I created the package, put it up for 
[review](https://bugzilla.redhat.com/show_bug.cgi?id=1730709), and after it was 
reviewed and accepted it is now available as a Fedora and CentOS (EPEL) 
[package](https://apps.fedoraproject.org/packages/minisign)! I also 
[requested](https://pagure.io/releng/fedora-scm-requests/issue/14777) a 
[package](https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-b080204bb5) 
for EPEL 8, so it can be used in 
[CentOS 8](https://wiki.centos.org/About/Building_8), which should be released 
in the near future.

### Installation

You can install Minisign on Fedora >= 30 with:

    $ sudo dnf install minisign

On CentOS 7 you need to enable [EPEL](https://fedoraproject.org/wiki/EPEL) 
first, if you haven't done so already:

    $ sudo yum install epel-release
    $ sudo yum install minisign

Minisign's [documentation](https://jedisct1.github.io/minisign/) on how to set 
it up, i.e. generate a key, and how to use it is straightforward, and in no way 
comparable to the number of steps you have to walk through to set up and use 
GnuPG securely...

### Software Packaging

An additional bonus is that because Minisign is now packaged for Fedora and 
CentOS, it can be used to verify source tarballs of software during the RPM 
build stage!

To use Minisign in your RPM spec files, similar to how 
[PGP](https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification) 
is used there, add the following to your `spec` file:

    ...

    Source0:        https://software.tuxed.net/php-jwt/files/php-jwt-%{version}.tar.xz
    Source1:        https://software.tuxed.net/php-jwt/files/php-jwt-%{version}.tar.xz.minisig
    Source2:        fkooman.minisign.pub
    ...

    BuildRequires:  minisign

    ...

    %prep
    /usr/bin/minisign -V -m %{SOURCE0} -x %{SOURCE1} -p %{SOURCE2}

    ...

Here, `Source2` is the Minisign public key file, i.e. `minisign.pub`, which is 
added to the Fedora packaging (Git) repository directly and is not fetched from 
the web during the package build. The public key MUST be verified (out of band) 
before it can be trusted, ideally by establishing a trusted communication 
channel with the signer of the source code.
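Below is a local dry run of the workflow above, added here as an example; it is 
not code from the original post or from the Minisign project. It signs a 
constructed stand-in for a source tarball with a throwaway key, then checks the 
four outcomes the `%prep` line relies on: the pristine tarball verifies, the key 
ID inside the `.minisig` is the pinned key's ID, a different key is rejected, 
and a tampered tarball is rejected. It assumes `minisign` is on `PATH` and 
supports `-W` (an unencrypted throwaway key); the file names, the tarball 
contents, the constructed demo key and the `key_id_of` / `demo_key_id` / 
`minisign_dry_run` helpers are all mine, not part of Minisign.

```shell
#!/bin/sh
# Added example; not code from the original post or from the minisign project.
# Dry run of the %prep verification step in a throwaway directory, plus a
# helper that reads the key ID minisign stores in both the public key file
# and the .minisig file. Assumes `minisign` is on PATH and supports -W.
# File names and contents below are constructed for the demo.
set -u

# Key ID (8 bytes, as hex) of a minisign public key or signature file. Line 2
# of either file is base64 of <2-byte algorithm><8-byte key id><key or sig>,
# so the ID sits at byte offset 2 in both file types.
key_id_of() {
    sed -n '2p' "$1" | base64 -d | od -An -tx1 -j2 -N8 | tr -d ' \n'
}

# Key ID of a constructed public key file (algorithm "Ed", key ID 01..08,
# all-zero key bytes). Needs no minisign binary; it only exercises the parser.
demo_key_id() {
    f=$(mktemp) || return 1
    {
        printf 'untrusted comment: constructed demo key\n'
        { printf 'Ed\001\002\003\004\005\006\007\010'; dd if=/dev/zero bs=32 count=1 2>/dev/null; } | base64
    } > "$f"
    key_id_of "$f"
    rm -f "$f"
}

# Sign a constructed "tarball" with a throwaway key, then run the four checks
# a packager relies on. The body is a subshell so `set -e` and the cleanup
# trap stay local to it. Returns 0 only if every check passes.
minisign_dry_run() (
    set -e
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    tarball="$work/php-jwt-1.0.0.tar.xz"          # stands in for %{SOURCE0}
    printf 'constructed tarball contents\n' > "$tarball"

    # Signer side. -W skips the key password; acceptable for a throwaway key only.
    minisign -G -W -p "$work/minisign.pub" -s "$work/minisign.key" >/dev/null
    minisign -S -s "$work/minisign.key" -m "$tarball" >/dev/null
    minisign -G -W -p "$work/other.pub" -s "$work/other.key" >/dev/null

    # 1. Packager side, the %prep line: the pristine tarball verifies against
    #    the pinned public key (Source2 in the spec file).
    minisign -V -q -m "$tarball" -x "$tarball.minisig" -p "$work/minisign.pub"

    # 2. The key ID recorded in the signature is the pinned key's ID.
    [ "$(key_id_of "$work/minisign.pub")" = "$(key_id_of "$tarball.minisig")" ]

    # 3. Another key, even a well-formed one, must not verify the signature.
    if minisign -V -q -m "$tarball" -x "$tarball.minisig" -p "$work/other.pub" 2>/dev/null; then
        echo "wrong key accepted" >&2; exit 1
    fi

    # 4. A single appended byte must make verification fail; this non-zero
    #    exit is what aborts the RPM build in %prep.
    printf 'x' >> "$tarball"
    if minisign -V -q -m "$tarball" -x "$tarball.minisig" -p "$work/minisign.pub" 2>/dev/null; then
        echo "tampered tarball accepted" >&2; exit 1
    fi
)

echo "constructed key ID: $(demo_key_id)"
if command -v minisign >/dev/null 2>&1; then
    minisign_dry_run && echo "dry run: all checks passed"
else
    echo "minisign not installed; dry run skipped" >&2
fi
```

Only check 1 appears in a real spec file; checks 2 to 4 are the failures that 
single line is protecting the build against. The key ID comparison is also a 
cheap way to confirm, before a build, that the `minisign.pub` committed to the 
packaging repository is the key the upstream signature was actually made with.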

Another step closer to a world without PGP! And maybe packaging Minisign is 
a first step in moving RPM package signatures to use Minisign as well!

### Updates

* **2019-08-08**: link to EPEL 8 bodhi for Minisign package