Arcsign


Arcsign is a digital signature format based on Ed25519 signatures. The arcsign tool operates on signatures in the Arcsign format.

$ echo Hello world > message
$ perl -e 'print "\0" x 32' > secret-key
$ arcsign seal -k secret-key message
$ cat message
Hello world

----- ARCSIGN EXTENSION -----

----- ARCSIGN SIGNATURE -----
3b6a27bcceb6a42d62a3a8d02a6f0d73653215771de243a63ac048a18b59da29
146791e4f65e558430f32fc9c58b916d83303efcf79e423b9609dcbe5a3cf6c8
4890266bfa89b385276aefbe1a2a52d8f479ebbb11d262f80ab39a06fdf50b0f
$ 
$ arcsign unseal -K 3b6a27bcceb6a42d62a3a8d02a6f0d73653215771de243a63ac048a18b59da29 message
$ cat message
Hello world

The arcsign tool’s seal command appends an Arcsign-format seal to a file. An Arcsign seal consists of two parts: an extension section and a signature section.

The extension section allows additional metadata to be included. The message which is ultimately digitally signed is the concatenation of the original file contents and the extension section. The extension section is mandatory, even if it’s empty.

The signature section contains three lines of 64 hexadecimal digits each, encoding a total of 96 bytes. The first 32 bytes are the public key to use for checking the signature. The remaining 64 bytes are the cryptographic signature itself.

The unseal command verifies the signature, and if valid, removes the seal. Specifying the public key is required, so that users can’t blithely unseal messages without at least looking at the public key.

The user may optionally choose a message pre-hash. For example, using SHA-256 can greatly improve performance when signing and verifying long messages on 32-bit systems.

$ arcsign seal -h SHA-256 -k secret-key message
$ cat message
Hello world

----- ARCSIGN EXTENSION -----
Hash: SHA-256

----- ARCSIGN SIGNATURE -----
3b6a27bcceb6a42d62a3a8d02a6f0d73653215771de243a63ac048a18b59da29
29290e8deb9d54fd9f05bbc74d9c7eb2076670be875ad8de0f790a24c2dd4a4b
cadc35eb4bdec4c05acf09615115c0c4e5147858410300b31420b75d3962f80f

The only pre-hash defined by Arcsign is SHA-256, indicated by the exact string "SHA-256".
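
The following Python parser is an added example, not code from the arcsign tool. It splits a sealed file into contents, extension fields, public key and signature, and rejects a seal whose embedded key is not the one the caller names, in line with the requirement that unseal be given the public key. It assumes the layout seen in the transcripts above (a blank line before each marker, "Name: value" extension lines) and does not perform the Ed25519 verification itself; parse_seal and its result keys are names chosen for this example.

```python
import re

EXT_MARK = "----- ARCSIGN EXTENSION -----"
SIG_MARK = "----- ARCSIGN SIGNATURE -----"
HEX64 = re.compile(r"[0-9a-f]{64}")

def parse_seal(sealed, expected_key_hex):
    """Split a sealed file into content, extension fields, public key, signature."""
    lines = sealed.rstrip("\n").split("\n")
    # The seal is appended, so anchor on the end of the file: the signature
    # marker followed by exactly three lines of 64 hex digits.
    if len(lines) < 5 or lines[-4] != SIG_MARK:
        raise ValueError("no signature section at end of file")
    if not all(HEX64.fullmatch(h) for h in lines[-3:]):
        raise ValueError("signature section must be three 64-digit hex lines")
    raw = bytes.fromhex("".join(lines[-3:]))  # 96 bytes
    public_key, signature = raw[:32], raw[32:]
    # The caller must name the key it expects; a seal made with any other
    # key is rejected before signature verification would even start.
    if public_key != bytes.fromhex(expected_key_hex):
        raise ValueError("embedded public key is not the expected key")
    body = lines[:-4]
    # Take the last extension marker so marker-like text inside the file
    # contents cannot be mistaken for the real extension section.
    if EXT_MARK not in body:
        raise ValueError("extension section is mandatory")
    ext_at = len(body) - 1 - body[::-1].index(EXT_MARK)
    fields = {}
    for line in filter(None, body[ext_at + 1:]):
        name, sep, value = line.partition(": ")  # assumed "Name: value" syntax
        if not sep:
            raise ValueError("malformed extension line: %r" % line)
        fields[name] = value
    # SHA-256, spelled exactly, is the only pre-hash Arcsign defines.
    if "Hash" in fields and fields["Hash"] != "SHA-256":
        raise ValueError("unsupported pre-hash: %r" % fields["Hash"])
    return {"content": "\n".join(body[:ext_at]), "extension": fields,
            "public_key": public_key, "signature": signature}

# Sample input: the SHA-256 seal from the transcript above, rebuilt inline.
KEY = "3b6a27bcceb6a42d62a3a8d02a6f0d73653215771de243a63ac048a18b59da29"
SAMPLE = ("Hello world\n\n" + EXT_MARK + "\nHash: SHA-256\n\n" + SIG_MARK + "\n"
          + KEY + "\n"
          "29290e8deb9d54fd9f05bbc74d9c7eb2076670be875ad8de0f790a24c2dd4a4b\n"
          "cadc35eb4bdec4c05acf09615115c0c4e5147858410300b31420b75d3962f80f\n")

if __name__ == "__main__":
    seal = parse_seal(SAMPLE, KEY)
    print(seal["extension"], seal["signature"].hex()[:16])
```

A verifier would pass the returned public key, signature, and the signed message to an Ed25519 library only after these structural checks succeed.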

Arcsign has several important properties:

The arcsign tool is implemented in the V programming language. It’s currently used to protect downloads of MacRelix.