Definition
signify and minisign are deliberately minimal tools for signing files and verifying those signatures. signify was written for OpenBSD to authenticate its releases and packages; minisign is a portable, lightweight tool that is signature-compatible with signify, so a key or signature made by one can be checked by the other. Both use the Ed25519 public-key signature system, which gives strong security with tiny 64-byte signatures and fast verification.
Why "small" is the point
PGP is powerful but sprawling, with a complex key model and many options. signify and minisign do one job: prove that a file came from the holder of a specific key and was not altered. There is no keyring, no web of trust to configure, and the public key is a single short line you can paste into a README. For verifying a wallet binary or miner firmware image, that simplicity removes whole categories of misconfiguration that can lead to accepting a bad download.
Trusted comments and anti-downgrade
minisign adds a trusted comment, signed metadata such as a version number or timestamp, that is verified along with the file. This lets a project bind a release to a version and helps defend against downgrade attacks where an attacker serves an older, vulnerable build.
These tools are part of the same verification toolkit as PGP / GPG, and they pair especially well with reproducible builds, where independent rebuilders sign the bit-for-bit identical output.
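The trusted-comment check described above, as an added example in Go (not minisign's or this page's own code). It handles only the legacy `Ed` signature form, plain Ed25519 over the file contents, and not the BLAKE2b-prehashed `ED` form. The `build=<n>` field, the name `AcceptRelease`, and the key id and file contents in the demo are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.StdEncoding

// AcceptRelease verifies a legacy "Ed" minisign signature and its trusted comment,
// then refuses a "build=<n>" (convention assumed for this example) below lastAccepted.
func AcceptRelease(pubKey, sigFile string, file []byte, lastAccepted uint64) (uint64, error) {
	ln := strings.Split(strings.TrimSpace(sigFile), "\n")
	if len(ln) != 4 || !strings.HasPrefix(ln[2], "trusted comment: ") {
		return 0, errors.New("bad signature file layout")
	}
	pk, e1 := b64.DecodeString(strings.TrimSpace(pubKey))
	sig, e2 := b64.DecodeString(strings.TrimSpace(ln[1]))
	glob, e3 := b64.DecodeString(strings.TrimSpace(ln[3]))
	// Key and signature blobs both start with a 2-byte algorithm tag and an 8-byte key id.
	if e1 != nil || e2 != nil || e3 != nil || len(pk) != 42 || len(sig) != 74 ||
		string(sig[:2]) != "Ed" || !bytes.Equal(sig[:10], pk[:10]) {
		return 0, errors.New("malformed input, unsupported algorithm or key id mismatch")
	}
	key, comment := ed25519.PublicKey(pk[10:]), strings.TrimRight(ln[2][17:], "\r")
	if !ed25519.Verify(key, file, sig[10:]) || // plain Ed25519 over the file
		!ed25519.Verify(key, append(sig[10:], comment...), glob) { // signature || comment
		return 0, errors.New("file or trusted comment signature invalid")
	}
	var n uint64 // parsed only after both signatures have verified
	if _, err := fmt.Sscanf(comment, "build=%d", &n); err != nil || n < lastAccepted {
		return 0, fmt.Errorf("refusing %q: unparseable or older than build %d", comment, lastAccepted)
	}
	return n, nil
}

func main() { // constructed demo: throwaway key, build 7 offered to a client already at build 9
	pub, priv, _ := ed25519.GenerateKey(nil)
	id, file, tc := []byte("EdKEYID001"), []byte("firmware image"), "build=7 file:fw.bin"
	s := ed25519.Sign(priv, file)
	g := ed25519.Sign(priv, append(s, tc...))
	sigFile := "untrusted comment: demo\n" + b64.EncodeToString(append(id, s...)) +
		"\ntrusted comment: " + tc + "\n" + b64.EncodeToString(g)
	_, err := AcceptRelease(b64.EncodeToString(append(id, pub...)), sigFile, file, 9)
	fmt.Println(err) // both signatures are valid, yet the release is refused as a downgrade
}
```

A real updater would persist the returned build number and pass it back as `lastAccepted` on the next check.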
