Code Signing
Blue Static products are signed with a digital signature, so that you can verify that the contents of a download are what was published. This is a second layer of security on top of serving the site over HTTPS.
Ed25519
Starting in 2019, some software is signed with an Ed25519 key.
Unfortunately, most tools, including current OpenSSL releases, do not yet support signature operations with such keys. With the upcoming OpenSSL 3.0, it is possible:
openssl pkeyutl -verify -pubin -inkey ed25519_pub.pem -sigfile file.zip.ed25519.sig -rawin -in file.zip
The Ed25519 key is used because Sparkle requires it.
DSA
Software may also be signed with the original DSA key. Both signatures may be provided on downloads, because the tooling for Ed25519 is not mature enough yet.
To verify a download package’s DSA signature with OpenSSL:
openssl dgst -sha512 -verify dsa_pub.pem -signature file.zip.sha512dsa.sig file.zip
Cross-Sign
To verify the transition from DSA to Ed25519, this is a signed SHA-256 digest of
the Ed25519 public key file (above) by the DSA private key:
MCwCFG8Boq4deUxPG4jGRxithgm2WNXiAhQQqJCehcoTdcsz34KKkgMzsjSeGg==