Sign with Signify

Day 6 in #100DaysToOffload

Introduction

Recently, Karan Goel posted a thread about a PGP alternative for file encryption (not VeraCrypt, which is better suited for encrypting whole drives). He linked an article on why PGP should be phased out (and it should, by the way). While we discussed file encryption in that thread, the article also mentioned signify, an awesome alternative to PGP for signing.

Why?

I first found out about signify from GrapheneOS' installation guide. I had seen checksums and GPG keys, but never encountered signify. “Signify” did not produce many relevant results on DDG, but “signify-openbsd” did, and led me to a paper on signify by Ted Unangst, one of the signify authors. Of course he is promoting his own creation, but for good reason. I have already linked a few articles on PGP's problems, so I will only summarize: PGP tries to accomplish far too much and is a pain to use. Someone reading this will think to themselves, “I can use it without issue!” Congratulations, you are in the minority. Even then, unless those you use it with fall into the same camp, what is the point? For example, say you want to use PGP for email encryption. You might do everything perfectly, but if the other party slips up, your future (and, because PGP lacks forward secrecy, past) emails with them are compromised. That specific example is about secure communication, but the same principles apply to signatures and verification.

That complexity is exactly why GrapheneOS' lead developer, Daniel Micay, decided to use signify instead:

Usability (how “usable” depends on the users obviously) is required for security.

Install it

This blog post is not a full tutorial on how to use it (although I probably will write one in the future), but to properly convince you, I'll tell you how to install it.

Linux

If you use Linux, it of course depends on your distro:

Debian & Debian-based (Ubuntu, etc.)

Run:

sudo apt install signify-openbsd

The command is then also signify-openbsd, not signify.

Do not install the signify package on Debian and Debian-based distros; that is an unmaintained and unrelated tool (a semi-random email .signature rotator).

Arch Linux

sudo pacman -S signify

The command is just signify.

NixOS

nix-env -iA nixos.signify

OR

environment.systemPackages = with pkgs; [
  signify
];

The command is just signify.

macOS

A macOS port was made, called signify-osx.

Link to the GitHub page: https://github.com/jpouellet/signify-osx

You can install it through Homebrew with:

brew install signify-osx

The last commit was two years ago, however, and the project seems to be dead, much like the Windows port.

Windows

A Windows port has been made as well, but its last update was five years ago; suffice it to say, it is unmaintained. There is a solution: minisign.

The macOS and Windows Solution

Frank Denis created the tool minisign. There are important differences between the two (minisign stores its secret key in its own format and adds a signed “trusted comment” line to its signature files), but public key files and signatures are compatible with signify and vice versa: minisign can verify a signify signature with a signify public key, and signify can verify a minisign signature as long as it was created in the legacy, non-prehashed format (minisign's -l flag). Minisign's current default prehashes the file and tags the signature with a different algorithm identifier, which signify rejects as unsupported, so keep that in mind if you need cross-tool verification. Minisign is actively maintained, so I urge Windows and macOS users (like myself) to use it instead (you can use it on Linux too, if you want). Find the installation instructions here:

https://github.com/jedisct1/minisign#compilation--installation

Conclusion

Instead of the all-in-one PGP solution, we should start to use different tools that serve specific purposes. For signing files, try signify/minisign instead. Plus, the keys are far shorter: the second line below is base64 of just 42 bytes, a two-byte algorithm tag (“Ed”), an eight-byte key ID, and the 32-byte Ed25519 public key. Here is my public key (I'm on macOS, so it's a minisign one):

untrusted comment: minisign public key D3C1973108994552
RWRSRZkIMZfB0xnM46YX9cnlf+USFIJRKtX4Ff8rGdPLbEXy6LxxF0zQ

That's it; compared to a PGP key block, it is tiny. Two practical notes: the first line is literally an untrusted comment, not covered by any signature, so confirm a key through a key ID you obtained out of band rather than through its label; and a signature whose key ID does not match the public key's is rejected outright (signify reports that it was checked against the wrong key), so publish the key ID alongside the key. While for now you still need to be a tech-savvy user (you'll probably have a hard time getting your parents to figure it out), it is far simpler than PGP.
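To make the file format concrete, here is an added example (my own illustration, not code from signify, minisign, or the author of this post) that re-implements the original signify “Ed” public-key and signature files on top of a textbook Ed25519 in pure Python. It parses the public key printed above, derives the key ID from the key bytes rather than from the untrusted comment, signs a message with a constructed demo seed and key number, and reports the three outcomes a verifier can hit: a good signature, a tampered file, and a signature checked against the wrong key. The Ed25519 here is a slow, non-constant-time transcription of the reference algorithm and exists only to show what the base64 lines contain; use signify or minisign for anything real. The demo seed, key number and message are constructed values; minisign's newer prehashed “ED” format and the encrypted secret-key file are deliberately not handled.

```python
import base64
import hashlib

# Ed25519 transcribed from the textbook reference: slow, not constant-time, illustration only
# (an assumption of this added example, not signify's or minisign's own code).
q = 2**255 - 19                                      # field prime
l = 2**252 + 27742317777372353535851937790883648493  # group order
d = (-121665 * pow(121666, q - 2, q)) % q             # curve constant
def H(m):
    return hashlib.sha512(m).digest()
def xrecover(y):                                     # even x with (x, y) on the curve
    xx = (y * y - 1) * pow(d * y * y + 1, q - 2, q)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = (x * pow(2, (q - 1) // 4, q)) % q        # multiply by sqrt(-1)
    return q - x if x % 2 else x
By = 4 * pow(5, q - 2, q) % q
B = [xrecover(By), By]                               # base point
def edwards(P, Q):                                   # affine point addition
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, q - 2, q)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, q - 2, q)
    return [x3 % q, y3 % q]

def scalarmult(P, e):                                # left-to-right double-and-add
    Q = [0, 1]
    for i in range(e.bit_length() - 1, -1, -1):
        Q = edwards(Q, Q)
        if (e >> i) & 1:
            Q = edwards(Q, P)
    return Q
def encodepoint(P):
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")
def decodepoint(s):                                  # raises ValueError if not on the curve
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    x = q - x if (x & 1) != (s[31] >> 7) else x      # pick the root matching the sign bit
    if (-x * x + y * y - 1 - d * x * x * y * y) % q != 0:
        raise ValueError("not a point on the curve")
    return [x, y]
def clamp(h32):
    return (int.from_bytes(h32, "little") & ((1 << 254) - 8)) | (1 << 254)
def ed25519_publickey(seed):
    return encodepoint(scalarmult(B, clamp(H(seed)[:32])))

def ed25519_sign(m, seed, pk):
    h = H(seed)
    r = int.from_bytes(H(h[32:] + m), "little") % l
    R = encodepoint(scalarmult(B, r))
    S = (r + int.from_bytes(H(R + pk + m), "little") * clamp(h[:32])) % l
    return R + S.to_bytes(32, "little")

def ed25519_verify(sig, m, pk):
    S = int.from_bytes(sig[32:], "little")
    if len(sig) != 64 or S >= l:                     # malformed, or non-canonical S (malleable)
        return False
    try:
        R, A = decodepoint(sig[:32]), decodepoint(pk)
    except ValueError:
        return False
    h = int.from_bytes(H(sig[:32] + pk + m), "little")
    return scalarmult(B, S) == edwards(R, scalarmult(A, h))

# signify/minisign "Ed" files: an "untrusted comment: ..." line, then base64 of "Ed" |
# 8-byte keynum | payload (32-byte public key in .pub, 64-byte signature in .sig). The comment
# is unsigned, so the key id is derived from the bytes; minisign's newer prehashed "ED" format is not handled.
def keyid_hex(keynum):                               # minisign display form: LE u64, upper-case hex
    return "%016X" % int.from_bytes(keynum, "little")
def _blob(text, size, what):
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment: "):
        raise ValueError("not a signify/minisign %s file" % what)
    blob = base64.b64decode(lines[1])
    if len(blob) != size or blob[:2] != b"Ed":
        raise ValueError("unsupported %s blob" % what)
    return blob[2:10], blob[10:]                     # keynum, payload

def parse_pubkey(text):
    keynum, pk = _blob(text, 42, "public key")
    decodepoint(pk)                                  # reject a blob that is not a valid point
    return keynum, pk
def make_pubkey_file(seed, keynum, comment="signify public key"):
    blob = b"Ed" + keynum + ed25519_publickey(seed)
    return "untrusted comment: %s\n%s\n" % (comment, base64.b64encode(blob).decode())
def sign_message(data, seed, keynum, comment="toy signify signature"):
    blob = b"Ed" + keynum + ed25519_sign(data, seed, ed25519_publickey(seed))
    return "untrusted comment: %s\n%s\n" % (comment, base64.b64encode(blob).decode())

def verify_message(data, sig_text, pub_text):        # 'ok' | 'wrong key' | 'bad signature'
    keynum, pk = parse_pubkey(pub_text)
    sig_keynum, sig = _blob(sig_text, 74, "signature")
    if sig_keynum != keynum:                         # signify: "checked against wrong key"
        return "wrong key"
    return "ok" if ed25519_verify(sig, data, pk) else "bad signature"

POST_PUBKEY = ("untrusted comment: minisign public key D3C1973108994552\n"  # the key printed above
               "RWRSRZkIMZfB0xnM46YX9cnlf+USFIJRKtX4Ff8rGdPLbEXy6LxxF0zQ\n")
```

With a constructed seed and key number (say seed = b"\x01" * 32 and keynum = bytes(range(8))), verify_message(data, sign_message(data, seed, keynum), make_pubkey_file(seed, keynum)) returns "ok"; changing a byte of data gives "bad signature", and checking the same signature against the key printed above gives "wrong key" because the eight key-ID bytes differ before any curve arithmetic runs. keyid_hex(parse_pubkey(POST_PUBKEY)[0]) yields D3C1973108994552, the same value minisign wrote into the comment; computing it from the bytes is what lets you ignore a comment that anyone could have edited.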