• yubisigner v0.1.1 released

    From Stefan Claas@[email protected] to comp.security.misc,comp.security.unix on Tue Mar 10 19:26:28 2026
    From Newsgroup: comp.security.misc

    Hi all,

    if you are a software developer, software maintainer, or a person
    who often signs files, you may appreciate the release of yubisigner,
    which is a modern replacement for GnuPG and signify-openbsd detached signatures.

    For security reasons you need a YubiKey to sign a file, but for
    verification of signed files you don't need a YubiKey nor the
    public keys of authors, who signed files, with yubisigner, as they
    are already included in the signature! :-)

    The advantage of yubisigner, compared to OpenPGP or signify-openbsd
    is that you can't fake the Comment: or untrusted-comment: headers,
    like you can do with those programs.

    A .sig file of yubisigner looks like this:

    Author: Ch1ffr3punk
    Signed at: 2026-03-10 17:04:52 +0000
    Filename: yubisigner-windows-amd64.exe
    File size: 25783808 bytes
    Email: [email protected]
    Telefax: n/a
    URL: https://oc2mx.net
    Comment: Release v0.1.1
    RIPEMD-256: d802a088c5630f68938954d53d4598f22b013f6312dbb60df51610073011fbeb
    SHA-256: f0bed5fe9e6d39d9ae6d6f8bdc6dafc6e2e6d9e25fea6a2eac994c48751bfe04
    SM3: 72a5136ee9d45595d6dc6934c9f4b17082f8328d2ba49359c5355df024d8deee
    Streebog-256: 31c50403a17acb7ec4912acffb573dc0a3edaa3cf901d08f1d655591368d6c95
    -----BEGIN YUBISIGNER ED25519 SIGNATURE-----
    8a5f8adfec9690b8ae6ca95dc23811463fcce5bbba0d841f49b7d3f7a89ad149
    c5d2c9dc1698cd93f22c4cb37c9122fbc529df810bafc2c3f3da1d4893df03ed
    24ab15e151552fa4e6d42a6902eceef69a8a38523803a7208fdd8e7c57af3e03
    -----END YUBISIGNER ED25519 SIGNATURE-----

    yubisigner uses strict header verification and computes, prior
    to signing, four international hashes (RIPEMD-256, SHA-256, SM3-256
    and Streebog-256), which are, as you can see, included in the
    detached signature.

    This has the advantage that people who are using only hashing
    utilities and not yubisigner can validate the hashes of a
    yubisigner-signed file too.

    https://github.com/Ch1ffr3punk/yubisigner

    I hope you find yubisigner useful too!

    Regards
    Stefan
    --
    https://oc2mx.net
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Stefan Claas@[email protected] to comp.security.misc,comp.security.unix on Tue Mar 10 21:11:29 2026
    From Newsgroup: comp.security.misc

    Stefan Claas wrote:

    Hi all,

    if you are a software developer, software maintainer, or a person
    who often signs files, you may appreciate the release of yubisigner,
    which is a modern replacement for GnuPG and signify-openbsd detached signatures.

    For security reasons you need a YubiKey to sign a file, but for
    verification of signed files you don't need a YubiKey nor the
    public keys of authors, who signed files, with yubisigner, as they
    are already included in the signature! :-)

    The advantage of yubisigner, compared to OpenPGP or signify-openbsd
    is that you can't fake the Comment: or untrusted-comment: headers,
    like you can do with those programs.

    A .sig file of yubisigner looks like this:

    Author: Ch1ffr3punk
    Signed at: 2026-03-10 17:04:52 +0000
    Filename: yubisigner-windows-amd64.exe
    File size: 25783808 bytes
    Email: [email protected]
    Telefax: n/a
    URL: https://oc2mx.net
    Comment: Release v0.1.1
    RIPEMD-256: d802a088c5630f68938954d53d4598f22b013f6312dbb60df51610073011fbeb
    SHA-256: f0bed5fe9e6d39d9ae6d6f8bdc6dafc6e2e6d9e25fea6a2eac994c48751bfe04
    SM3: 72a5136ee9d45595d6dc6934c9f4b17082f8328d2ba49359c5355df024d8deee
    Streebog-256: 31c50403a17acb7ec4912acffb573dc0a3edaa3cf901d08f1d655591368d6c95
    -----BEGIN YUBISIGNER ED25519 SIGNATURE-----
    8a5f8adfec9690b8ae6ca95dc23811463fcce5bbba0d841f49b7d3f7a89ad149
    c5d2c9dc1698cd93f22c4cb37c9122fbc529df810bafc2c3f3da1d4893df03ed
    24ab15e151552fa4e6d42a6902eceef69a8a38523803a7208fdd8e7c57af3e03
    -----END YUBISIGNER ED25519 SIGNATURE-----

    yubisigner uses strict header verification and computes, prior
    to signing, four international hashes (RIPEMD-256, SHA-256, SM3-256
    and Streebog-256), which are, as you can see, included in the
    detached signature.

    This has the advantage that people who are using only hashing
    utilities and not yubisigner can validate the hashes of a
    yubisigner-signed file too.

    https://github.com/Ch1ffr3punk/yubisigner

    I hope you find yubisigner useful too!

    yubisigner-windows-amd64.exe.sig.ots 549 B
    Stamped SHA256 hash: 64ad6dfc45e8f1e87d354af69277c14f3422dded349cf4fe29389c11afad0ea6

    yubisigner-windows-amd64.exe.sig 827 B
    SHA256: 64ad6dfc45e8f1e87d354af69277c14f3422dded349cf4fe29389c11afad0ea6

    SUCCESS!

    Bitcoin block 940146 attests existence as of 2026-03-10 CET

    yubisigner.linux-amd64.sig.ots 584 B
    Stamped SHA256 hash: 6d3a3d7386d8171b8fb7cff14388ac85093a72da95979a6a184017b9c7d543b5

    yubisigner.linux-amd64.sig 821 B
    SHA256: 6d3a3d7386d8171b8fb7cff14388ac85093a72da95979a6a184017b9c7d543b5

    SUCCESS!

    Bitcoin block 940146 attests existence as of 2026-03-10 CET
    --
    https://oc2mx.net
    --- Synchronet 3.21d-Linux NewsLink 1.2
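
Added example, not part of the posts above and not yubisigner's own code: a minimal reader for the .sig layout shown in the thread that checks a file's name, size and SHA-256 against the header fields with nothing but a hashing library. The function names, the strictness rules (no malformed or repeated headers, nothing after the END marker) and all sample values are assumptions of this example; a match only shows that the file agrees with the header fields and does not verify the Ed25519 signature over them.

```python
import hashlib

BEGIN = "-----BEGIN YUBISIGNER ED25519 SIGNATURE-----"
END = "-----END YUBISIGNER ED25519 SIGNATURE-----"

def parse_sig(text):
    """Split a .sig into (headers, hex blob); reject malformed or repeated fields."""
    headers, blob, in_blob, closed = {}, [], False, False
    for line in text.strip().splitlines():
        line = line.strip()
        if closed:
            raise ValueError("data after END marker")
        if line == BEGIN and not in_blob:
            in_blob = True
        elif line == END and in_blob:
            closed = True
        elif in_blob:
            bytes.fromhex(line)  # ValueError on anything that is not hex
            blob.append(line)
        else:
            key, sep, value = line.partition(": ")
            if not sep or key in headers:
                raise ValueError(f"bad or repeated header: {line!r}")
            headers[key] = value
    if not closed:
        raise ValueError("signature block missing or unterminated")
    return headers, "".join(blob)

def check_file(sig_text, name, data):
    """Return header fields that do not match the file (empty list = consistent)."""
    headers, _ = parse_sig(sig_text)
    actual = {
        "Filename": name,
        "File size": f"{len(data)} bytes",
        "SHA-256": hashlib.sha256(data).hexdigest(),
    }
    return [field for field, value in actual.items() if headers.get(field) != value]

def make_sample(data, name):
    """Constructed .sig text in the thread's layout; the hex blob is a placeholder."""
    return "\n".join([
        "Author: example-author", f"Filename: {name}",
        f"File size: {len(data)} bytes", "Comment: constructed sample",
        f"SHA-256: {hashlib.sha256(data).hexdigest()}",
        BEGIN, "ab" * 32, "cd" * 32, "ef" * 32, END,
    ])

if __name__ == "__main__":
    payload = b"constructed release artifact\n"
    sig = make_sample(payload, "tool.bin")
    print(check_file(sig, "tool.bin", payload))          # consistent file
    print(check_file(sig, "tool.bin", payload + b"!"))   # tampered file
```

The RIPEMD-256, SM3 and Streebog-256 fields are parsed but not recomputed here, because Python's `hashlib` does not guarantee those algorithms on every build.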