minisign 0.10 signature verification broken
infraweavers opened this issue
Using the latest version of go-minisign, it is not possible to verify signatures created with minisign 0.10 - output is "Incompatible signature algorithm". minisign 0.9 signatures can be successfully verified, as can 0.10 signatures when signed with the 'legacy' option. Have tried generating a new keypair with 0.10 but that doesn't make any difference.
Make sure that you are using the current version of the code.
Looks like I didn't set a new tag, so if you are depending on the 0.1 tag, that may explain it.
I'm going to tag 0.2.
Done :)
Hiya,
So we're using the latest version of the module, according to our go.mod
it is: github.com/jedisct1/go-minisign v0.0.0-20211008170404-d0c644b276f4
It seems that if it is signed with minisign -l it works, however without that it doesn't.
We're just making a reproduction application and will upload it in a second.
We can't re-open the issue, however please find attached a reproduction of the problem:
broken-verification.zip
The password used for the minisign.key attached is Password
Command used to sign the file was:
minisign.exe -Sm testfile.txt -p minisign.pub -s minisign.key
This also broke https://github.com/minio/minio binary verification - thanks for the fix @jedisct1
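
An added diagnostic example (not code from go-minisign or from any commenter in this thread): the minisign signature format starts the base64 signature line with a two-byte algorithm tag, and this Go snippet reports which one a `.minisig` file carries, which shows whether a legacy-only verifier will reject it. The function names and the sample signature files are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// SigAlgorithm reads the two-byte algorithm tag at the start of a minisign
// signature: "Ed" is legacy Ed25519 over the raw file, "ED" is Ed25519 over
// the file's BLAKE2b-512 hash (the default since minisign 0.10).
func SigAlgorithm(minisig string) (string, error) {
	lines := strings.Split(strings.ReplaceAll(minisig, "\r\n", "\n"), "\n")
	if len(lines) < 2 || !strings.HasPrefix(lines[0], "untrusted comment: ") {
		return "", errors.New("not a minisign signature file")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(lines[1]))
	if err != nil {
		return "", fmt.Errorf("signature line is not base64: %w", err)
	}
	// 2-byte algorithm tag + 8-byte key ID + 64-byte Ed25519 signature.
	if len(raw) != 74 {
		return "", fmt.Errorf("signature blob is %d bytes, want 74", len(raw))
	}
	switch string(raw[:2]) {
	case "Ed":
		return "legacy", nil
	case "ED":
		return "prehashed", nil
	}
	return "", fmt.Errorf("unknown algorithm tag %q", raw[:2])
}

// sample builds a constructed signature file with a zeroed key ID and
// signature; only the algorithm tag is meaningful here.
func sample(tag string) string {
	blob := append([]byte(tag), make([]byte, 72)...)
	return "untrusted comment: constructed sample\n" +
		base64.StdEncoding.EncodeToString(blob) + "\n"
}

func main() {
	for _, tag := range []string{"Ed", "ED"} {
		alg, err := SigAlgorithm(sample(tag))
		fmt.Println(tag, alg, err)
	}
}
```

A verifier that only accepts the `Ed` tag fails on `prehashed` files regardless of the key pair, which matches the behaviour reported above for signatures made without `-l`.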