minisign-verify

A small Rust crate to verify Minisign signatures.

Latest version: 0.2.5 registry icon
Maintenance score
49
Safety score
100
Popularity score
4
Check your open source dependency risks. Get immediate insight about security, stability and licensing risks.
Security
  Vulnerabilities
Version Suggest Low Medium High Critical
0.2.5 0 0 0 0 0
0.2.4 0 0 0 0 0
0.2.3 0 0 0 0 0
0.2.2 0 0 0 0 0
0.2.1 0 0 0 0 0
0.2.0 0 0 0 0 0
0.1.8 0 0 0 0 0
0.1.7 0 0 0 0 0
0.1.6 0 0 0 0 0
0.1.5 0 0 0 0 0
0.1.4 0 0 0 0 0
0.1.3 0 0 0 0 0
0.1.2 0 0 0 0 0
0.1.1 0 0 0 0 0
0.1.0 0 0 0 0 0

Stability
Latest release:

0.2.5 - This version may not be safe as it has not been updated for a long time. Find out if your coding project uses this component and get notified of any reported security vulnerabilities with Meterian-X Open Source Security Platform

Licensing

Maintain your licence declarations and avoid unwanted licences to protect your IP the way you intended.

MIT   -   MIT License

Not a wildcard

Not proprietary

OSI Compliant



minisign-verify

A small, zero-dependencies Rust crate to verify Minisign signatures.

API documentation

Features

  • Verify signatures for both standard and pre-hashed modes
  • Streaming verification for large files
  • No external dependencies
  • Simple, auditable code
  • Comprehensive error reporting

Basic Example

let public_key =
    PublicKey::from_base64("RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3")
        .expect("Unable to decode the public key");

let signature = Signature::decode(
    "untrusted comment: signature from minisign secret key
RWQf6LRCGA9i59SLOFxz6NxvASXDJeRtuZykwQepbDEGt87ig1BNpWaVWuNrm73YiIiJbq71Wi+dP9eKL8OC351vwIasSSbXxwA=
trusted comment: timestamp:1555779966\tfile:test
QtKMXWyYcwdpZAlPF7tE2ENJkRd1ujvKjlj1m9RtHTBnZPa5WKU5uWRs5GoP5M/VqE81QFuMKI5k/SfNQUaOAA==",
    ).expect("Unable to decode the signature");

let bin = b"test";
public_key.verify(&bin[..], &signature, false).expect("Signature didn't verify");

Loading from Files

use minisign_verify::{PublicKey, Signature};
use std::path::Path;

// Load a public key from a file
let public_key = PublicKey::from_file(Path::new("minisign.pub"))
    .expect("Unable to load the public key");

// Load a signature from a file
let signature = Signature::from_file(Path::new("file.sig"))
    .expect("Unable to load the signature");

// Load the file content to verify
let content = std::fs::read("file").expect("Unable to read the file");

// Verify the signature
public_key
    .verify(&content, &signature, false)
    .expect("Signature didn't verify");

Streaming Verification (for Large Files)

use minisign_verify::{PublicKey, Signature};
use std::fs::File;
use std::io::Read;
use std::path::Path;

// Load a public key and signature
let public_key = PublicKey::from_file(Path::new("minisign.pub"))
    .expect("Unable to load the public key");

let signature = Signature::from_file(Path::new("large_file.sig"))
    .expect("Unable to load the signature");

// Create a stream verifier
let mut verifier = public_key.verify_stream(&signature)
    .expect("Unable to create stream verifier");

// Process the file in chunks
let mut file = File::open("large_file").expect("Unable to open file");
let mut buffer = [0u8; 8192]; // 8KB buffer

loop {
    let bytes_read = file.read(&mut buffer).expect("Error reading file");
    if bytes_read == 0 {
        break; // End of file
    }

    verifier.update(&buffer[..bytes_read]);
}

// Verify the signature
verifier.finalize().expect("Signature verification failed");

Note that the streaming verification mode only works with pre-hashed signatures (the default in newer versions of Minisign).

Running Benchmarks

To run the benchmarks:

cargo +nightly bench

License

MIT