5 releases (3 breaking)

0.4.0	Jan 6, 2026
0.3.0	Jan 4, 2026
0.2.0	Jan 4, 2026
0.1.3	Jan 3, 2026
0.1.2	Jan 2, 2026

#700 in Cryptography

Used in signify-rs

ISC license

155KB
3.5K SLoC

libsignify-rs - OpenBSD-compatible file signing & verification library

A Rust library for cryptographically signing and verifying files using the Ed25519-based format defined by OpenBSD's signify utility.

Usage

This crate exports a Builder-based API for ergonomic use in Rust applications.

use std::fs;
use std::path::Path;

use libsignify_rs::{KeyGenerator, Signer, Verifier};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let key_pub = Path::new("key.pub");
    let key_sec = Path::new("key.sec");
    let msg_file = Path::new("message.txt");
    let sig_file = Path::new("message.txt.sig");

    // Generate a new key pair.
    KeyGenerator::new()
        .comment("Heavy is the root of light. Still is the master of moving.")
        .generate(key_pub, key_sec)?;

    // Create a file to sign.
    fs::write(msg_file, "Change return success. Going and coming without error. Action brings good fortune.")?;

    // Sign the file
    Signer::new()
        .seckey(key_sec)
        .sign(msg_file, sig_file)?;

    // Verify the signature.
    Verifier::new()
        .pubkey(key_pub)
        .verify(msg_file, sig_file)?;

    Ok(())
}

Usage with keyrings(7)

The Signify struct provides a high-level configuration interface. On Linux/Android, it supports kernel keyrings(7) integration for secure passphrase management.

use std::path::PathBuf;
use libsignify_rs::signify::{Mode, Signify};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let key_pub = PathBuf::from("key.pub");
    let key_sec = PathBuf::from("key.sec");
    let msg_file = PathBuf::from("msg.txt");

    // 1. Generate Key Pair.
    let mut signify = Signify::default();
    signify.mode = Some(Mode::Generate);
    signify.pubkey = Some(key_pub.clone());
    signify.seckey = Some(key_sec.clone());
    signify.comment = Some("keyring-example".to_string());

    // On Linux/Android, setting key_id enables keyring integration.
    // The passphrase will be read from or stored in the kernel session keyring.
    signify.key_id = Some(1337);

    signify.execute()?;

    // 2. Sign a file.
    signify.mode = Some(Mode::Sign);
    signify.msg_file = Some(msg_file.clone());

    // Signature file path is automatically derived (msg.sig) if not set.
    signify.execute()?;

    // 3. Verify.
    signify.mode = Some(Mode::Verify);
    signify.quiet = true;
    signify.execute()?;

    Ok(())
}

Features

Strict Compatibility: Adheres strictly to the OpenBSD file format and verification logic.
Pure Rust: No unsafe code, no arithmetic side effects.
Keyring Support: On Linux/Android, integrates with kernel keyrings(7) for secure passphrase management.

ChangeLog

See ChangeLog.md

License

ISC. See COPYING.

Dependencies

~4–17MB
~180K SLoC

base64ct +alloc
bcrypt-pbkdf
data-encoding
ed25519-compact +self-verify
flate2
lexopt
memchr
rand_core 0.9+os_rng +std
rpassword
sha2
static_assertions
zeroize
zxcvbn 3.0 not wasm32 wasm64
capctl linux android
landlock 0.4 linux android
linux-keyutils linux android
capsicum freebsd
getrandom 0.3+wasm_js wasm32 wasm64 unknown
nix 0.30+fs +process +resource +term unix
password-strength wasm32 wasm64
pledge openbsd
unveil openbsd

dev proptest +std
dev tar
dev tempfile