tillitis · mchack-work · Feb 2, 2026 · Feb 2, 2026 · Feb 3, 2026 · Feb 3, 2026
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -26,9 +26,12 @@ jobs:
         run: |
           git config --global --add safe.directory "$GITHUB_WORKSPACE"
 
+      - name: tests
+        run: go test ./...
+
       - name: make
         run: make
-
+        
   reuse-compliance-check:
     runs-on: ubuntu-latest
     steps:

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -15,18 +15,18 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
+      - uses: actions/checkout@v5
+      - uses: actions/setup-go@v6
         with:
-          go-version: '1.21'
+          go-version: stable
           cache: false
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v9
         with:
           # Require: The version of golangci-lint to use.
           # When `install-mode` is `binary` (default) the value can be v1.2 or v1.2.3 or `latest` to use the latest version.
           # When `install-mode` is `goinstall` the value can be v1.2.3, `latest`, or the hash of a commit.
-          version: v1.55.2
+          version: v2.4.0
 
           # Optional: working directory, useful for monorepos
           # working-directory: somedir

diff --git a/.golangci.yml b/.golangci.yml
@@ -1,34 +1,90 @@
+version: "2"
 linters:
-  presets:
-    # found in: golangci-lint help linters
-    - bugs
-    - comment
-    - complexity
-    - error
-    - format
-    - import
-    - metalinter
-    - module
-    - performance
-    - sql
-    # - style  # turned off, can be too much
-    - test
-    - unused
+  enable:
+    - asasalint
+    - asciicheck
+    - bidichk
+    - bodyclose
+    - contextcheck
+    - dupword
+    - durationcheck
+    - errchkjson
+    - errorlint
+    - exhaustive
+    - fatcontext
+    - gocheckcompilerdirectives
+    - gochecksumtype
+    - gocritic
+    - gocyclo
+    - godox
+    - gomoddirectives
+    - gomodguard
+    - gosec
+    - gosmopolitan
+    - loggercheck
+    - maintidx
+    - makezero
+    - misspell
+    - musttag
+    - nilerr
+    - nilnesserr
+    - noctx
+    - paralleltest
+    - perfsprint
+    - prealloc
+    - protogetter
+    - reassign
+    - recvcheck
+    - revive
+    - rowserrcheck
+    - spancheck
+    - sqlclosecheck
+    - testableexamples
+    - testifylint
+    - testpackage
+    - thelper
+    - tparallel
+    - unparam
+    - usetesting
+    - wrapcheck
+    - zerologlint
   disable:
     - cyclop
+    - depguard
+    - err113
+    - exhaustruct
     - funlen
     - gocognit
-    - nestif
-    - exhaustruct  # TODO? annoying for now
-    - goerr113  # TODO enable later
     - godot
-    - depguard
-
+    - nestif
+    - testpackage
+    - perfsprint
+  settings:
+    govet:
+      enable:
+        - shadow
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
 issues:
   max-issues-per-linter: 0
   max-same-issues: 0
-
-linters-settings:
-  govet:
-    enable:
-      - shadow
+formatters:
+  enable:
+    - gci
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
diff --git a/Makefile b/Makefile
@@ -42,6 +42,10 @@ reload-rules:
 	udevadm control --reload
 	udevadm trigger
 
+.PHONY: test
+test:
+	go test ./...
+
 podman:
 	podman run --arch=amd64 --rm --mount type=bind,source=$(CURDIR),target=/src -w /src -it ghcr.io/tillitis/tkey-builder:4 make -j
 

diff --git a/README.md b/README.md
@@ -14,6 +14,10 @@ See [Release notes](RELEASE.md).
 
 ## Usage
 
+You can specify the algorithm to use on the file before signing and
+verifying by specifying `-a/--alg algorithm`. The choices are "ed"
+(default, uses SHA-512) and "b2s" (BLAKE2s).
+
 Get a public key, possibly modifying the key pair by using a User
 Supplied Secret, and storing the public key in file `-p pubkey`.
 
@@ -29,7 +33,7 @@ to supply the public key file as well which `tkey-sign` will
 automatically verify that it's the expected public key.
 
 ```
-tkey-sign -S/--sign [-d/--port device] [-s speed] -m message
+tkey-sign -S/--sign [-d/--port device] [-s speed] -m message [-a/--alg algorithm]
 [--uss] [--uss-file secret-file] -p/--public pubkey [-x sig-file]
 ```
 
@@ -38,7 +42,7 @@ Signature is by default in `message.sig` but can be specified
 with `-x sigfile`. Doesn't need a connected TKey.
 
 ```
-tkey-sign -V/--verify -m message -p/--public pubkey [-x sigfile]
+tkey-sign -V/--verify -m message -p/--public pubkey [-x sigfile] [-a/--alg algorithm]
 ```
 
 Alternatively you can use OpenBSD's *signify(1)* to verify the
@@ -60,6 +64,7 @@ All examples either load the device app automatically or works with an
 already loaded device app.
 
 Store the public key in a file.
+
 ```
 $ tkey-sign -G -p key.pub
 ```

diff --git a/RELEASE.md b/RELEASE.md
@@ -1,5 +1,16 @@
 # Release notes
 
+## Upcoming release
+
+- Change to BSD2 license.
+
+- Follow REUSE specification.
+
+- Introduce package signify. Export Signify types to import and export
+  them to buffers and files.
+
+- Add support for BLAKE2s hashing.
+
 ## v1.0.1
 
 - Normalize line endings of user input when asked to overwrite a file.

diff --git a/cmd/tkey-sign/file.go b/cmd/tkey-sign/file.go