jedisct1 / go-minisign

Minisign verification library for Golang.

minisign 0.10 signature verification broken

infraweavers opened this issue

Using the latest version of go-minisign, it is not possible to verify signatures created with minisign 0.10 - output is "Incompatible signature algorithm". minisign 0.9 signatures can be successfully verified, as can 0.10 signatures when signed with the 'legacy' option. Have tried generating a new keypair with 0.10 but that doesn't make any difference.

Make sure that you are using the current version of the code.

Looks like I didn't set a new tag, so if you are depending on the 0.1 tag, that may explain it.

I'm going to tag 0.2.

Done :)

Hiya,

So we're using the latest version of the module, according to our go.mod it is: github.com/jedisct1/go-minisign v0.0.0-20211008170404-d0c644b276f4

It seems that if it is signed with minisign -l it works; however, without that it doesn't.

We're just making a reproduction application and will upload it in a second.

We can't re-open the issue, however please find attached a reproduction of the problem:
broken-verification.zip

The password used for the minisign.key attached is Password

Command used to sign the file was:

minisign.exe -Sm testfile.txt -p minisign.pub -s minisign.key

This also broke https://github.com/minio/minio binary verification - thanks for the fix @jedisct1
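
Added example, not part of the thread and not go-minisign's own code: a small Go check that reports which algorithm a .minisig file declares, so a failing verification can be traced to the signature type discussed above. It relies on the minisign signature format, where the base64 line starts with the 2-byte algorithm id (`Ed` for legacy, `ED` for prehashed signatures, the default since minisign 0.10); `SigInfo`, `InspectSignature` and `constructedSig` are hypothetical names, and the sample signatures are constructed with zeroed key ID and signature bytes.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// SigInfo describes the binary header of a minisign signature.
type SigInfo struct {
	Algorithm string // "Ed" (legacy) or "ED" (prehashed)
	KeyID     string // hex of the 8 key ID bytes, in the order stored in the file
	Prehashed bool
}

// InspectSignature decodes the second line of a .minisig file:
// base64(2-byte algorithm || 8-byte key ID || 64-byte Ed25519 signature).
func InspectSignature(minisig string) (SigInfo, error) {
	lines := strings.Split(strings.ReplaceAll(minisig, "\r\n", "\n"), "\n")
	if len(lines) < 2 || !strings.HasPrefix(lines[0], "untrusted comment: ") {
		return SigInfo{}, errors.New("not a minisign signature file")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(lines[1]))
	if err != nil || len(raw) != 74 {
		return SigInfo{}, errors.New("malformed signature line")
	}
	info := SigInfo{Algorithm: string(raw[:2]), KeyID: fmt.Sprintf("%X", raw[2:10])}
	switch info.Algorithm {
	case "Ed": // legacy: Ed25519 over the file contents
	case "ED": // prehashed: Ed25519 over the BLAKE2b-512 hash of the file
		info.Prehashed = true
	default:
		return info, fmt.Errorf("unknown signature algorithm %q", info.Algorithm)
	}
	return info, nil
}

// constructedSig builds a structurally valid sample (constructed, not a real signature).
func constructedSig(alg string) string {
	raw := append([]byte(alg), make([]byte, 8+64)...)
	return "untrusted comment: constructed sample\n" + base64.StdEncoding.EncodeToString(raw) + "\n"
}

func main() {
	for _, alg := range []string{"Ed", "ED"} {
		fmt.Println(InspectSignature(constructedSig(alg)))
	}
}
```

A file reported as prehashed needs a verifier that supports the `ED` algorithm; one reported as legacy corresponds to signing with `minisign -l`.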