Minisign Versions Save

• For non-interactive usage (CI/CD, etc), encryption of private keys can be disabled with the -W switch.
• A new command, -C was added to change passwords, or remove them (when combined with -W).

• Minisign can be compiled with Zig instead of cmake+make+a C toolchain
• Minimal VERIFY_ONLY versions can be built again
• Prehashing is now enabled by default, regardless of the input size. Support for non-prehashed signatures will eventually be removed
• Legacy signatures can be rejected with the addition of the -H flag
• Precompiled binaries for Win64, Linux and WebAssembly are now available.

• New option: -R to recover the public key from a secret key.
• minisign can now be compiled to WebAssembly.
• Error messages have been improved.
• Key derivation is now possible on devices with limited memory.
• Compilation on OpenWRT is now possible using cmake.
• A Docker image is now available.
• 64-bit Windows binaries have been added, and macOS binaries are notarized.

• Multiple files can now be signed at once.
• Support for HaikuOS was added.
• The command-line switch to use custom file names when generating key pairs didn't work properly; this has been fixed.

• The default location of the secret key was changed to ~/.minisign/minisign.key.
• Generating a new set of keys (-G) doesn't replace an existing key pair any more; the additional -f switch is required in order to force this operation.
• Improved error messages and Windows compatibility.
• A man page was added.

Support for pre-hashing (HashEdDSA) was added.

The -H command-line switch, in addition to -S, enables HashEdDSA signatures instead of the default, pure EdDSA signatures.

HashEdDSA signatures:

• Require very little memory to be generated and verified, even with huge files
• Are faster to generate and verify than pure EdDSA signatures
• Require Minisign >= 0.6. In particular, they are not compatible with OpenBSD signify tool.
• Would not remain secure against (improbable) collisions in the Blake2b-512 hash function.

PureEdDSA signatures (default):

• Require as much memory as the size of the file to sign
• Cannot be used with files whose size is over 1 Gb
• Are compatible with all Minisign versions, as well as OpenBSD signify.
• Would remain secure against (improbable) collisions in the Blake2b-512 hash function.

The return code is now 1 on verification/password error, and 2 for system errors.

Bug fix: -p and -V could not be used together. It has been fixed.

New option: -o, that can be combined with -V in order to send the content of the signed file to stdout after successful verification.

New switch: -Q, to display only the trusted comment (after verification)