https://github.com/jedisct1/minisign
https://github.com/openbsd/src/tree/master/usr.bin/signify
https://github.com/aperezdc/signify

https://jedisct1.github.io/minisign/
https://www.openbsd.org/papers/bsdcan-signify.html
https://jedisct1.github.io/minisign/#signature-format

We need base64 tests
WE need parsing/writing tests

Keys are often stored in the users home directory. Keys will need an identifier
that is associated data. This identifier should be clearly visible when
signing/verifying

Security notes:
Keys currenclty live on the stack.
Maybe place them on the heap?
madvice dontdump, wipeonfork
Perhaps mapping SK is a bad idea
Catching signals
Base62? https://github.com/bitcoin/libbase58
https://gist.github.com/iso2022jp/4054241


In minisign, a private key contains
untrusted comment: minisign encrypted secret key

struct {
    version / algorithm tag
    key_id
    public_key
    (encrypted or plaintext) secret_key
    optional KDF + encryption metadata
    authentication tag
}

https://github.com/jedisct1/minisign/blob/master/src/minisign.h#L36

The version is used for algo matching
Key id is dropped into signatures

The public key:

struct minisign_public_key {
    uint8_t version;       // format version / algorithm
    uint8_t key_id[8];     // key fingerprint
    uint8_t public_key[32]; // Ed25519 public point
};

struct minisign_signature {
    uint8_t version;        // format / algorithm
    uint8_t key_id[8];      // which key produced this sig
    uint8_t signature[64];  // Ed25519 signature (R || S)
};

Private key: secret + public + metadata + optional encryption info

Public key: public + ID + algorithm (no secret, very simple)

Signature: signature + ID + algorithm (no secret, self-contained for verification

Privkey:

00000000: 4564 0000 4232 0000 0000 0000 0000 0000  Ed..B2..........
00000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 f623 c2f1 89ef bc42 4e41  .......#.....BNA
00000040: c7f6 fd03 fdbd 7acb 5979 768e 1a90 164b  ......z.Yyv....K
00000050: 0eef d163 f42d 57e1 8846 22c0 6e59 ba29  ...c.-W..F".nY.)
00000060: a7a7 867d 4f51 1532 e8ff fa68 9f5e 2ea8  ...}OQ.2...h.^..
00000070: ac1c 84a9 7a93 8983 9564 132c 063f 0000  ....z....d.,.?..
00000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0000 0000 0000 0000       ..............
00000000: ba7b 6bba cb5e                           .{k..^


Pubkey:

00000000: 4564 f623 c2f1 89ef bc42 ba29 a7a7 867d  Ed.#.....B.)...}
00000010: 4f51 1532 e8ff fa68 9f5e 2ea8 ac1c 84a9  OQ.2...h.^......
00000020: 7a93 8983 9564 132c 063f                 z....d.,.?

Minisign:

    Signature:
    untrusted comment: <arbitrary text>
    base64(<signature_algorithm, 2> || <key_id, 8> || <signature, 64>)
    trusted_comment: <arbitrary text>
    base64(<global_signature, 64>)

    Public Key:
    untrusted comment: <arbitrary text>
    base64(<signature_algorithm, 2> || <key_id, 8> || <public_key, 32>)

    Secret Key:
    untrusted comment: <arbitrary text>
    base64(<signature_algorithm, 2> || <kdf_algorithm, 2> || <cksum_algorithm, 2> ||
           <kdf_salt, 32> || <kdf_opslimit, ?> || <kdf_memlimit, ?> || <keynum_sk, 104>)


Sec:
untrusted comment: minisign encrypted secret key
RWQAAEIyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAddaAhpB4XPvy/lUXf2bpJUvQo1LrrtcgeYcvxp8aUaPJlgJOFDWo5TPJ10JvSF2tk1g3WZGIkfiHtPitqF2lkhAVCX2uuj3qAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

untrusted comment: <arbitrary text>
base64(<signature_algorithm> || <kdf_algorithm> || <cksum_algorithm> ||
       <kdf_salt> || <kdf_opslimit> || <kdf_memlimit> || <keynum_sk>)

Pub:
untrusted comment: minisign public key FB5C78908680D675
RWR11oCGkHhc+zPJ10JvSF2tk1g3WZGIkfiHtPitqF2lkhAVCX2uuj3q

untrusted comment: <arbitrary text>
base64(<signature_algorithm> || <key_id> || <public_key>)

Sig:
untrusted comment: signature from minisign secret key
RUT2I8Lxie+8QsQ29qphnGlS7VYyAA49H9ugw/HAg8XWl5CbD2yCIfpOnfN9NbMTBj3Uw6cRzLJQq3u1K2gN8jl6ptIvRykVpQI=
trusted comment: timestamp:1774023521	file:README	hashed
35miyR5Q9WyK83c3QX2SMOmj10it3UMcNwHQcuGoPgOkq2LnAGXvpjnlSW0HNMHWydEdTkZFI9/cnQls28hZBg==

untrusted comment: <arbitrary text>
base64(<signature_algorithm> || <key_id> || <signature>)
trusted_comment: <arbitrary text>
base64(<global_signature>)

OpenBSD's Signify:

Pub:
untrusted comment: signify public key
RWTSd5fN9eh6e0NOAkvLwfLMX038wqWjh9cqYrWvabsZmOo0XhWfQh0H

Sec:
untrusted comment: signify secret key
RWRCSwAAAAAuo5egM6AGfBSRjUf+V1/mtAQFR1omC3PSd5fN9eh6e2Yd0EfKcpvl2kF9c0WUWZZLMt76OMxJ+bvtG1Bivkc1Q04CS8vB8sxfTfzCpaOH1ypita9puxmY6jReFZ9CHQc=

Sig:
untrusted comment: verify with signify.pub
RWTSd5fN9eh6ez6FindZiW0rUUU2coa7Cgwo0q/W3eyDMT5xX/m3LK8Q6YB6XHwoQMwqYWHUFXIgwLgNwRqCOeat0aB+6gYuxgo=
