Sign with Signify
Day 6 in #100DaysToOffload
Recently, Karan Goel posted a thread about a PGP-alternative for file encryption (that was not Veracrypt which is better suited for drives). He linked an article on why PGP should be phased out (and it should by the way). While we discussed file encryption in that thread, the article also mentioned signify, an awesome alternative to PGP signing.
I first found out about signify from GrapheneOS' installation guide. I had seen checksums and GPG keys, but never encountered signify. “Signify” did not produce many relevant results on DDG, but “signify-openbsd” did and led me to a paper on signify by Ted Unangst, one of the signify authors. Of course, he is promoting his own creation, but for good reason. I have already linked a few articles on PGP's problems, so I will only summarize. PGP tries to accomplish so much and is a pain to use. Someone who reads this will think to themselves, “I can use it without issue!” Congratulations, you are in the minority. Even then, unless those you use it with fall under the same camp, what is the point? For example, you want to use PGP for Email encryption. You might do everything perfectly, but if the other party screws up, your future (and past as PGP lacks forward secrecy) emails with them are compromised. That specific example is about secure communication, but the same principles apply for signatures and verification.
That complexity is exactly why GrapheneOS' lead developer, Daniel Micay, decided to use signify instead:
It's overly complex with far too much attack surface and has egregiously bad usability and security. It's only suitable for usage as a case study in how not to design and implement software. Rather than changing the instructions to work around GPG deficiencies, it won't be used.— DanielMicay (@DanielMicay) June 30, 2019
Usability (how “usable” depends on the users obviously) is required for security.
This blog post is not a full tutorial on how to use it (although I probably will write one in the future), but to properly convince you, I'll tell you how to install it.
If you use Linux, it of course depends on your distro:
Debian & Debian-based (Ubuntu, etc.)
sudo apt install signify-openbsd
The command is also then
Do not install the
signify package on Debian and Debian-based distros, that is an unmaintained and unrelated tool.
sudo pacman -S signify
Command is just
nix-env -iA nixos.signify
environment.systemPackages = with pkgs; [ signify ];
Command is just
A MacOS port was made, called
Link to the github page: https://github.com/jpouellet/signify-osx
You can install it through brew by:
brew install signify-osx
The last commit was from two years ago, however, and it seems to be dead. Much like the Windows version.
While a Windows Port has been made, the last update was five years ago. Suffice to say, the project is unmaintained. There is a solution: Minisign.
The MacOS and Windows Solution
Frank Denis created the tool minisign. There are important differences between the two, but public key and signature files are compatible with signify and vice-versa. That is, you can verify a signify signature and public key with minisign, and the reverse. Minisign is actively maintained, so I urge Windows and MacOS users (like myself) to use it instead (You can use it on Linux too, if you want). Find the installation instructions here:
Instead of the all-in-one PGP solution, we should start to use different tools that serve specific purposes. For signing files, try to use signify/minisign instead. Plus, the keys are far shorter. Here is my public key (I'm on MacOS so it's a minisign one):
untrusted comment: minisign public key D3C1973108994552 RWRSRZkIMZfB0xnM46YX9cnlf+USFIJRKtX4Ff8rGdPLbEXy6LxxF0zQ
That's it, especially compared to one large PGP key, it is tiny. While for now you still need to be a tech-savvy user (You'll probably have a hard time getting your parents to figure it out), it is far more simple than PGP.