signify is a free and open source tool developed by OpenBSD to generate and verify signatures.
[2] This is in line with the project's longtime tendency to reduce complexity, which in turn reduces the probability of vulnerabilities in the software and helps users understand it better and make more security-educated decisions.
signify is integrated into the base operating system and used for verification of all releases, patches, and packages starting with OpenBSD 5.5.
[7] Key and signature files begin with an untrusted comment, which can be manipulated and shouldn't be relied on.
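The following parser is an added example, not code from the signify project. It assumes the on-disk layout used by OpenBSD's signify: an "untrusted comment: " line followed by a base64 line holding a 2-byte algorithm tag ("Ed"), an 8-byte key number, and then the key or signature bytes. It shows that a signature should be matched to a key by the key number inside the payload, since the comment can be rewritten without touching the payload. The sample data, `KEYNUM`, and all function names are constructed for illustration.

```python
import base64
from dataclasses import dataclass

COMMENT_PREFIX = "untrusted comment: "
# Decoded payload = 2-byte algorithm tag + 8-byte key number + body
BODY_LEN = {"pubkey": 32, "signature": 64}


@dataclass(frozen=True)
class SignifyBlob:
    kind: str
    comment: str   # editable by anyone who can edit the file; not for trust decisions
    keynum: bytes  # 8-byte key number stored inside the payload
    body: bytes    # Ed25519 public key or signature bytes


def parse_signify(text: str, kind: str) -> SignifyBlob:
    lines = text.split("\n")
    if len(lines) < 2 or not lines[0].startswith(COMMENT_PREFIX):
        raise ValueError("missing untrusted comment line")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != 10 + BODY_LEN[kind]:
        raise ValueError(f"unexpected {kind} payload length {len(raw)}")
    if raw[:2] != b"Ed":
        raise ValueError("unsupported algorithm tag")
    return SignifyBlob(kind, lines[0][len(COMMENT_PREFIX):], raw[2:10], raw[10:])


def same_key(pub: SignifyBlob, sig: SignifyBlob) -> bool:
    """Match a signature to a key by embedded key number, not by comment."""
    return pub.keynum == sig.keynum


def make_sample(comment: str, keynum: bytes, body_len: int) -> str:
    # Constructed sample: zero-filled body, not a real key or signature.
    payload = base64.b64encode(b"Ed" + keynum + bytes(body_len)).decode()
    return f"{COMMENT_PREFIX}{comment}\n{payload}\n"


KEYNUM = bytes.fromhex("0102030405060708")  # constructed value
PUB = parse_signify(make_sample("example public key", KEYNUM, 32), "pubkey")
SIG = parse_signify(make_sample("verify with example.pub", KEYNUM, 64), "signature")
# Same payload, with only the comment line rewritten:
TAMPERED = parse_signify(make_sample("verify with other.pub", KEYNUM, 64), "signature")

if __name__ == "__main__":
    print(same_key(PUB, SIG), same_key(PUB, TAMPERED), SIG.body == TAMPERED.body)
```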
Apart from the obvious usage in OpenBSD, other projects also use signify:
In contrast, other Free Software operating systems and security-focused software tend to use OpenPGP for release verification, and as of 2024 continue to do so, including: Debian, a prominent operating system that's also used as a base for other operating systems, including Ubuntu;[10] Kali Linux, a specialized operating system for penetration testing, security research, digital forensics, and reverse engineering;[11] Qubes OS, a security-focused operating system;[12] Tor Browser, an anonymous Web browser;[13] SecureDrop, a software package for journalists and whistleblowers to exchange information securely and anonymously over the Internet;[14] and VeraCrypt, a software program for on-the-fly encryption and full disk encryption.