minisign-verify

A small Rust crate to verify Minisign signatures.

Latest version: 0.2.5
Maintenance score: 50
Safety score: 100
Popularity score: 71
Security

Vulnerabilities

Version  Suggest  Low  Medium  High  Critical
0.2.5    0        0    0       0     0
0.2.4    0        0    0       0     0
0.2.3    0        0    0       0     0
0.2.2    0        0    0       0     0
0.2.1    0        0    0       0     0
0.2.0    0        0    0       0     0
0.1.8    0        0    0       0     0
0.1.7    0        0    0       0     0
0.1.6    0        0    0       0     0
0.1.5    0        0    0       0     0
0.1.4    0        0    0       0     0
0.1.3    0        0    0       0     0
0.1.2    0        0    0       0     0
0.1.1    0        0    0       0     0
0.1.0    0        0    0       0     0

Stability
Latest release: 0.2.5 - This version is safe to use because it has no known security vulnerabilities at this time.

Licensing

MIT   -   MIT License

Not a wildcard

Not proprietary

OSI Compliant



minisign-verify

A small, zero-dependencies Rust crate to verify Minisign signatures.

API documentation

Features

  • Verify signatures for both standard and pre-hashed modes
  • Streaming verification for large files
  • No external dependencies
  • Simple, auditable code
  • Comprehensive error reporting

Basic Example

use minisign_verify::{PublicKey, Signature};

let public_key =
    PublicKey::from_base64("RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3")
        .expect("Unable to decode the public key");

let signature = Signature::decode(
    "untrusted comment: signature from minisign secret key
RWQf6LRCGA9i59SLOFxz6NxvASXDJeRtuZykwQepbDEGt87ig1BNpWaVWuNrm73YiIiJbq71Wi+dP9eKL8OC351vwIasSSbXxwA=
trusted comment: timestamp:1555779966\tfile:test
QtKMXWyYcwdpZAlPF7tE2ENJkRd1ujvKjlj1m9RtHTBnZPa5WKU5uWRs5GoP5M/VqE81QFuMKI5k/SfNQUaOAA==",
    ).expect("Unable to decode the signature");

let bin = b"test";
public_key.verify(&bin[..], &signature, false).expect("Signature didn't verify");

Loading from Files

use minisign_verify::{PublicKey, Signature};
use std::path::Path;

// Load a public key from a file
let public_key = PublicKey::from_file(Path::new("minisign.pub"))
    .expect("Unable to load the public key");

// Load a signature from a file
let signature = Signature::from_file(Path::new("file.sig"))
    .expect("Unable to load the signature");

// Load the file content to verify
let content = std::fs::read("file").expect("Unable to read the file");

// Verify the signature
public_key
    .verify(&content, &signature, false)
    .expect("Signature didn't verify");

Streaming Verification (for Large Files)

use minisign_verify::{PublicKey, Signature};
use std::fs::File;
use std::io::Read;
use std::path::Path;

// Load a public key and signature
let public_key = PublicKey::from_file(Path::new("minisign.pub"))
    .expect("Unable to load the public key");

let signature = Signature::from_file(Path::new("large_file.sig"))
    .expect("Unable to load the signature");

// Create a stream verifier
let mut verifier = public_key.verify_stream(&signature)
    .expect("Unable to create stream verifier");

// Process the file in chunks
let mut file = File::open("large_file").expect("Unable to open file");
let mut buffer = [0u8; 8192]; // 8KB buffer

loop {
    let bytes_read = file.read(&mut buffer).expect("Error reading file");
    if bytes_read == 0 {
        break; // End of file
    }

    verifier.update(&buffer[..bytes_read]);
}

// Verify the signature
verifier.finalize().expect("Signature verification failed");

Note that the streaming verification mode only works with pre-hashed signatures (the default in newer versions of Minisign).
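
The note above can be checked before choosing a code path. The following is an added example, not code from the crate or its README: a std-only pre-flight that reads the algorithm tag and key id from the Basic Example's public key and signature, to tell whether a signature is pre-hashed and names the same key. It assumes Minisign's documented layout (tag "Ed" for standard, "ED" for pre-hashed, then an 8-byte key id); the names Mode, b64, header and preflight are illustrative, and the key id is only a key-selection hint, so authenticity still comes from verify.

```rust
// Added example: read Minisign headers before verification (std only).
// It does NOT check the Ed25519 signature; PublicKey::verify still does that.
#[derive(Debug, PartialEq)]
pub enum Mode { Standard, Prehashed }

// Values copied from the Basic Example on this page.
pub const PAGE_PK: &str = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
pub const PAGE_SIG: &str = "untrusted comment: signature from minisign secret key
RWQf6LRCGA9i59SLOFxz6NxvASXDJeRtuZykwQepbDEGt87ig1BNpWaVWuNrm73YiIiJbq71Wi+dP9eKL8OC351vwIasSSbXxwA=
trusted comment: timestamp:1555779966\tfile:test
QtKMXWyYcwdpZAlPF7tE2ENJkRd1ujvKjlj1m9RtHTBnZPa5WKU5uWRs5GoP5M/VqE81QFuMKI5k/SfNQUaOAA==";

/// Minimal standard-alphabet base64 decoder; None on a character outside it.
fn b64(s: &str) -> Option<Vec<u8>> {
    const T: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for c in s.trim_end_matches('=').bytes() {
        acc = (acc << 6) | T.iter().position(|&t| t == c)? as u32;
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((acc >> bits) as u8); acc &= (1 << bits) - 1; }
    }
    Some(out)
}

/// Decode a Minisign base64 blob; return its 2-byte algorithm tag and 8-byte key id.
fn header(blob: &str, total_len: usize) -> Result<(Vec<u8>, [u8; 8]), String> {
    let raw = b64(blob.trim()).ok_or("not base64")?;
    if raw.len() != total_len { return Err(format!("expected {} bytes, got {}", total_len, raw.len())); }
    let mut id = [0u8; 8];
    id.copy_from_slice(&raw[2..10]);
    Ok((raw[..2].to_vec(), id))
}

/// Signature mode and key id, or Err if the signature names a different key.
pub fn preflight(pk_b64: &str, sig_text: &str) -> Result<(Mode, [u8; 8]), String> {
    let (_, pk_id) = header(pk_b64, 42)?; // "Ed" || key id || 32-byte public key
    let line = sig_text.lines().nth(1).ok_or("missing signature line")?;
    let (tag, sig_id) = header(line, 74)?; // tag || key id || 64-byte signature
    if sig_id != pk_id { return Err("signature names a different key id".into()); }
    match &tag[..] {
        b"Ed" => Ok((Mode::Standard, sig_id)),  // message signed directly
        b"ED" => Ok((Mode::Prehashed, sig_id)), // hash of the message signed; streamable
        _ => Err("unknown algorithm tag".into()),
    }
}

fn main() {
    println!("{:?}", preflight(PAGE_PK, PAGE_SIG));
}
```

Only a Mode::Prehashed result is a candidate for verify_stream; the page's own sample signature carries the "Ed" tag, so it is a standard-mode signature.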

Running Benchmarks

To run the benchmarks:

cargo +nightly bench

License

MIT