Security Advisories (2)
CVE-2025-15444 (2026-01-06)

Crypt::Sodium::XS module versions prior to 0.000042, for Perl, bundle a vulnerable version of libsodium (libsodium <= 1.0.20, or any libsodium released before December 30, 2025), which contains the vulnerability documented as CVE-2025-69277 (https://www.cve.org/CVERecord?id=CVE-2025-69277). The libsodium advisory states: in atypical use cases involving certain custom cryptography or untrusted data passed to crypto_core_ed25519_is_valid_point, libsodium mishandles the check for whether an elliptic curve point is valid, because it sometimes accepts points that are not in the main cryptographic group. Version 0.000042 bundles libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability.

CVE-2026-30910 (2026-03-08)

Crypt::Sodium::XS versions through 0.001000 for Perl have potential integer overflows. The combined AEAD encryption, combined signature creation, and bin2hex functions do not check that the output size will be less than SIZE_MAX, so the size computation can wrap around and produce an undersized output buffer. In bin2hex and in encryption algorithms other than aes256gcm this causes a crash; for aes256gcm encryption and for signatures, the undersized buffer could lead to a buffer overflow. Encountering this issue is unlikely, as the input would need to be very large:

  bin2hex: input size > SIZE_MAX / 2
  aegis encryption: input size > SIZE_MAX - 32U
  other encryption: input size > SIZE_MAX - 16U
  signatures: input size > SIZE_MAX - 64U

NAME

pminisign -- perl implementation of minisign

SYNOPSIS

pminisign -G [-p pubkey] [-s seckey]

pminisign -S [-H] [-x sigfile] [-s seckey] [-c untrusted_comment] [-t trusted_comment] -m file [file ...]

pminisign -V [-x sigfile] [-p pubkeyfile | -P pubkey] [-o] [-q] -m file

pminisign -R -s seckey -p pubkeyfile

OPTIONS

These options control the actions of pminisign.

actions:
  -G: Generate a new key pair
  -S: Sign files
  -V: Verify that a signature is valid for a given file
  -R: Recreate a public key file from a secret key file

options:
  -m <file>: File to sign/verify
  -o: Combined with -V, output the file content after verification
  -p <pubkeyfile>: Public key file (default: ./minisign.pub)
  -P <pubkey>: Public key, as a base64 string
  -s <seckey>: Secret key file (default: ~/.minisign/minisign.key)
  -x <sigfile>: Signature file (default: <file>.minisig)
  -c <comment>: Add a one-line untrusted comment
  -t <comment>: Add a one-line trusted comment
  -T: Do not require (verifying) nor add (signing) trusted comment
  -l: Sign using the legacy format
  -q: Quiet mode, suppress output
  -H: Requires the input to be prehashed
  -Q: Pretty quiet mode, only print the trusted comment
  -f: Force. Combined with -G, overwrite a previous key pair
  -v: Display version number

DESCRIPTION

This tool and its documentation are ported to perl from minisign. It intends to be interoperable and bug-for-bug compatible.

Minisign is a dead simple tool to sign files and verify signatures using libsodium. This is a perl version of that command using Crypt::Sodium::XS.

It uses the highly secure Ed25519 public-key signature system.

EXAMPLES

NOTE: MINISIGN_CONFIG_DIR defaults to "$HOME/.minisign". The variable and default directory names are for compatibility with minisign.

Creating a key pair

pminisign -G

The public key is printed and put into the file specified by the -p <pubkeyfile> option, or $ENV{MINISIGN_CONFIG_DIR}/minisign.pub. The secret key is encrypted and saved as a file specified by the -s <seckey> option, or $ENV{MINISIGN_CONFIG_DIR}/minisign.key.

Signing files

$ pminisign -Sm myfile.txt
$ pminisign -Sm myfile.txt myfile2.txt *.c

Or to include a comment in the signature, that will be verified and displayed when verifying the file:

$ pminisign -Sm myfile.txt -t 'This comment will be signed as well'

The secret key is loaded from the file specified by the -s <seckey> option, or ${MINISIGN_CONFIG_DIR}/minisign.key. The signature will be written to the file specified by the -x <sigfile> option, or to the input file path with .minisig appended.

Verifying a file

$ pminisign -Vm myfile.txt -P <pubkey>

or

$ pminisign -Vm myfile.txt -p signature.pub

This requires the signature myfile.txt.minisig to be present in the same directory unless overridden with the -x <file> option. The public key can either reside in a file (./minisign.pub by default) or be directly specified on the command line.

NOTES

Signature files include an untrusted comment line that can be freely modified, even after signature creation.

They also include a second comment line, that cannot be modified without the secret key. Trusted comments can be used to add instructions or application-specific metadata (intended file name, timestamps, resource identifiers, version numbers to prevent downgrade attacks).
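The following is an added example, not code from pminisign or minisign, showing the verification described under "Verifying a file" and the two comment lines described above. It builds and checks the four-line signature file layout (untrusted comment, base64 of "Ed" || key_id || signature, trusted comment, base64 of a global signature over signature || trusted comment) and the base64 public key blob that -P accepts, using only the Go standard library. It implements the legacy "Ed" variant, where the file signature is over the raw file; the default "ED" variant signs BLAKE2b-512 of the file instead and is otherwise identical. The seed, key ID, file contents and comments are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Legacy "Ed" algorithm tag: the file signature is over the raw file bytes.
// The default "ED" variant signs BLAKE2b-512(file) instead; it is left out
// here because that hash is not in the Go standard library.
const sigAlg = "Ed"

var b64 = base64.StdEncoding

// PubKeyString encodes a key as the base64 blob accepted by pminisign -P
// (line 2 of minisign.pub): "Ed" || key_id[8] || pubkey[32].
func PubKeyString(keyID []byte, pub ed25519.PublicKey) string {
	return b64.EncodeToString(append(append([]byte(sigAlg), keyID...), pub...))
}

func decodePubKey(s string) (keyID []byte, pub ed25519.PublicKey, err error) {
	blob, err := b64.DecodeString(s)
	if err != nil || len(blob) != 2+8+ed25519.PublicKeySize || string(blob[:2]) != sigAlg {
		return nil, nil, errors.New("malformed public key")
	}
	return blob[2:10], ed25519.PublicKey(blob[10:]), nil
}

// BuildSigFile writes the four-line .minisig layout:
//   untrusted comment: <free text, not covered by any signature>
//   base64("Ed" || key_id[8] || sig[64])           sig = Ed25519(file)
//   trusted comment: <free text>
//   base64(global_sig[64])     global_sig = Ed25519(sig || trusted comment)
func BuildSigFile(priv ed25519.PrivateKey, keyID, data []byte, untrusted, trusted string) string {
	sig := ed25519.Sign(priv, data)
	global := ed25519.Sign(priv, append(append([]byte{}, sig...), trusted...))
	return fmt.Sprintf("untrusted comment: %s\n%s\ntrusted comment: %s\n%s\n",
		untrusted, b64.EncodeToString(append(append([]byte(sigAlg), keyID...), sig...)),
		trusted, b64.EncodeToString(global))
}

// VerifySigFile checks a signature file against data using the base64 public
// key and returns the trusted comment, which is only safe to act on once the
// global signature has been verified.
func VerifySigFile(pubB64, sigFile string, data []byte) (string, error) {
	keyID, pub, err := decodePubKey(pubB64)
	if err != nil {
		return "", err
	}
	lines := strings.Split(strings.TrimRight(sigFile, "\n"), "\n")
	if len(lines) != 4 || !strings.HasPrefix(lines[0], "untrusted comment: ") ||
		!strings.HasPrefix(lines[2], "trusted comment: ") {
		return "", errors.New("malformed signature file")
	}
	sigBlob, err := b64.DecodeString(lines[1])
	if err != nil || len(sigBlob) != 2+8+ed25519.SignatureSize || string(sigBlob[:2]) != sigAlg {
		return "", errors.New("malformed signature line")
	}
	if !bytes.Equal(sigBlob[2:10], keyID) {
		return "", errors.New("signature was made with a different key")
	}
	sig := sigBlob[10:]
	if !ed25519.Verify(pub, data, sig) {
		return "", errors.New("file signature verification failed")
	}
	global, err := b64.DecodeString(lines[3])
	if err != nil || len(global) != ed25519.SignatureSize {
		return "", errors.New("malformed global signature")
	}
	trusted := strings.TrimPrefix(lines[2], "trusted comment: ")
	if !ed25519.Verify(pub, append(append([]byte{}, sig...), trusted...), global) {
		return "", errors.New("trusted comment verification failed")
	}
	return trusted, nil
}

func main() {
	// Constructed demo inputs: fixed seed and key ID so the run is reproducible.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	keyID := []byte{1, 2, 3, 4, 5, 6, 7, 8}
	pubB64 := PubKeyString(keyID, priv.Public().(ed25519.PublicKey))
	data := []byte("hello, world\n")
	sf := BuildSigFile(priv, keyID, data, "demo untrusted", "file:hello.txt ver:1.2.3")
	fmt.Print(sf)

	// The untrusted comment can be rewritten after signing without consequence...
	tc, err := VerifySigFile(pubB64, strings.Replace(sf, "demo untrusted", "edited later", 1), data)
	fmt.Println("untrusted comment edited:", tc, err)
	// ...but a downgraded version in the trusted comment is caught by the global signature.
	_, err = VerifySigFile(pubB64, strings.Replace(sf, "ver:1.2.3", "ver:1.0.0", 1), data)
	fmt.Println("trusted comment edited:", err)
}
```

The key ID comparison is what lets a verifier reject a signature made with a different key before doing any curve arithmetic; the trusted comment is returned only after the global signature checks, which is why metadata such as a version number placed there can be relied on to prevent downgrades while the untrusted comment cannot.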

AUTHOR

Brad Barden <perlmodules@5c30.org>

COPYRIGHT & LICENSE

Minisign is developed by the author of libsodium. It is released under the ISC License. This script adopts the same license.

Copyright (c) 2022 Brad Barden

Copyright (c) 2015-2021 Frank Denis <j at pureftpd dot org>

Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.