Add support for json file signing

Switch from portbase to structures lib, update build and version system
Bump version
2024-11-08 14:28:09 +01:00 · 2024-06-24 09:48:48 +02:00 · 2023-12-19 15:48:11 +01:00 · 2023-12-19 15:48:05 +01:00 · 2023-12-19 15:42:34 +01:00 · 2023-12-18 20:28:07 +01:00
55 changed files with 1863 additions and 498 deletions
--- a/.github/label-actions.yml
+++ b/.github/label-actions.yml
@ -0,0 +1,40 @@
+# Configuration for Label Actions - https://github.com/dessant/label-actions
+
+community support:
+  comment: |
+    Hey @{issue-author}, thank you for raising this issue with us.
+
+    After a first review we noticed that this does not seem to be a technical issue, but rather a configuration issue or general question about how Portmaster works.
+
+    Thus, we invite the community to help with configuration and/or answering this questions.
+
+    If you are in a hurry or haven't received an answer, a good place to ask is in [our Discord community](https://discord.gg/safing).
+
+    If your problem or question has been resolved or answered, please come back and give an update here for other users encountering the same and then close this issue.
+
+    If you are a paying subscriber and want this issue to be checked out by Safing, please send us a message [on Discord](https://discord.gg/safing) or [via Email](mailto:support@safing.io) with your username and the link to this issue, so we can prioritize accordingly.
+
+needs debug info:
+  comment: |
+    Hey @{issue-author}, thank you for raising this issue with us.
+
+    After a first review we noticed that we will require the Debug Info for further investigation. However, you haven't supplied any Debug Info in your report.
+
+    Please [collect Debug Info](https://wiki.safing.io/en/FAQ/DebugInfo) from Portmaster _while_ the reported issue is present.
+
+in/compatibility:
+  comment: |
+    Hey @{issue-author}, thank you for reporting on a compatibility.
+
+    We keep a list of compatible software and user provided guides for improving compatibility [in the wiki - please have a look there](https://wiki.safing.io/en/Portmaster/App/Compatibility).
+    If you can't find your software in the list, then a good starting point is our guide on [How do I make software compatible with Portmaster](https://wiki.safing.io/en/FAQ/MakeSoftwareCompatibleWithPortmaster).
+
+    If you have managed to establish compatibility with an application, please share your findings here. This will greatly help other users encountering the same issues.
+
+fixed:
+  comment: |
+    This issue has been fixed by the recently referenced commit or PR.
+
+    However, the fix is not released yet.
+    
+    It is expected to go into the [Beta Release Channel](https://wiki.safing.io/en/FAQ/SwitchReleaseChannel) for testing within the next two weeks and will be available for everyone within the next four weeks. While this is the typical timeline we work with, things are subject to change.
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -1,72 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL"
-
-on:
-  push:
-    branches: [ "master" ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ "master" ]
-  schedule:
-    - cron: '38 16 * * 3'
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'go' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        
-        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        # queries: security-extended,security-and-quality
-
-        
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
-    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
-    # - run: |
-    #   echo "Run, Build Application using script"
-    #   ./location_of_script_within_repo/buildscript.sh
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@ -15,23 +15,24 @@ jobs:
    name: Linter
    runs-on: ubuntu-latest
    steps:
-    - name: Check out code into the Go module directory
+    - name: Check out code
      uses: actions/checkout@v3

-    - uses: actions/setup-go@v3
+    - name: Setup Go
+      uses: actions/setup-go@v4
      with:
        go-version: '^1.19'

+    - name: Get dependencies
+      run: go mod download
+
    - name: Run golangci-lint
      uses: golangci/golangci-lint-action@v3
      with:
-        version: v1.49.0
+        version: v1.52.2
        only-new-issues: true
        args: -c ./.golangci.yml --timeout 15m

-    - name: Get dependencies
-      run: go mod download
-
    - name: Run go vet
      run: go vet ./...

@ -43,7 +44,7 @@ jobs:
      uses: actions/checkout@v3

    - name: Setup Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
      with:
        go-version: '^1.19'

--- a/.github/workflows/issue-manager.yml
+++ b/.github/workflows/issue-manager.yml
@ -1,50 +0,0 @@
-name: Issue Manager
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "17 5 * * 1-5" # run at 5:17 on Monday to Friday
-  # We only use the issue manager for auto-closing, so we only need the cron trigger.
-  # issue_comment:
-  #   types:
-  #     - created
-  #     - edited
-  # issues:
-  #   types:
-  #     - labeled
-
-jobs:
-  issue-manager:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: tiangolo/issue-manager@0.4.0
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          config: >
-            {
-                "$schema": "https://raw.githubusercontent.com/tiangolo/issue-manager/master/schema.json",
-                "waiting for input": {
-                    "delay": "P30DT0H0M0S",
-                    "message": "Auto-closing this issue after waiting for input for a month. If anyone finds the time to provide the requested information, please re-open the issue and we will continue handling it.",
-                    "remove_label_on_comment": true,
-                    "remove_label_on_close": false
-                },
-                "waiting for fix confirmation": {
-                    "delay": "P30DT0H0M0S",
-                    "message": "Auto-closing this issue after waiting for a fix confirmation for a month. If anyone still experiences this issue, please re-open the issue with updated information so we can continue working on a fix.",
-                    "remove_label_on_comment": true,
-                    "remove_label_on_close": false
-                },
-                "waiting for release": {
-                    "delay": "P3650DT0H0M0S",
-                    "message": "That was 10 years ago, I think we can close this now.",
-                    "remove_label_on_comment": true,
-                    "remove_label_on_close": false
-                },
-                "waiting for resources": {
-                    "delay": "P3650DT0H0M0S",
-                    "message": "That was 10 years ago, I think we can close this now.",
-                    "remove_label_on_comment": true,
-                    "remove_label_on_close": false
-                }
-            }
--- a/.github/workflows/issues-first-greet.yml
+++ b/.github/workflows/issues-first-greet.yml
@ -0,0 +1,26 @@
+# This workflow responds to first time posters with a greeting message.
+# Docs: https://github.com/actions/first-interaction
+name: Greet New Users
+
+# This workflow is triggered when a new issue is created.
+on:
+  issues:
+    types: opened
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  greet:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/first-interaction@v1
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          # Respond to first time issue raisers.
+          issue-message: |
+            Greetings and welcome to our community! As this is the first issue you opened here, we wanted to share some useful infos with you:
+            
+            - 🗣️ Our community on [Discord](https://discord.gg/safing) is super helpful and active. We also have an AI-enabled support bot that knows Portmaster well and can give you immediate help.
+            - 📖 The [Wiki](https://wiki.safing.io/) answers all common questions and has many important details. If you can't find an answer there, let us know, so we can add anything that's missing.
--- a/.github/workflows/issues-label-actions.yml
+++ b/.github/workflows/issues-label-actions.yml
@ -0,0 +1,22 @@
+# This workflow responds with a message when certain labels are added to an issue or PR.
+# Docs: https://github.com/dessant/label-actions
+name: Label Actions
+
+# This workflow is triggered when a label is added to an issue.
+on:
+  issues:
+    types: labeled
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  action:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: dessant/label-actions@v3
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          config-path: ".github/label-actions.yml"
+          process-only: "issues"
--- a/.github/workflows/issues-stale.yml
+++ b/.github/workflows/issues-stale.yml
@ -0,0 +1,42 @@
+# This workflow warns and then closes stale issues and PRs.
+# Docs: https://github.com/actions/stale
+name: Close Stale Issues 
+
+on:
+  schedule:
+    - cron: "17 5 * * 1-5" # run at 5:17 (UTC) on Monday to Friday
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v8
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          # Increase max operations.
+          # When using GITHUB_TOKEN, the rate limit is 1,000 requests per hour per repository.
+          operations-per-run: 500
+          # Handle stale issues
+          stale-issue-label: 'stale'
+          # Exemptions
+          exempt-all-issue-assignees: true
+          exempt-issue-labels: 'support,dependencies,pinned,security'
+          # Mark as stale
+          days-before-issue-stale: 63 # 2 months / 9 weeks
+          stale-issue-message: |
+            This issue has been automatically marked as inactive because it has not had activity in the past two months.
+            
+            If no further activity occurs, this issue will be automatically closed in one week in order to increase our focus on active topics.
+          # Close
+          days-before-issue-close: 7 # 1 week
+          close-issue-message: |
+            This issue has been automatically closed because it has not had recent activity. Thank you for your contributions.
+
+            If the issue has not been resolved, you can [find more information in our Wiki](https://wiki.safing.io/) or [continue the conversation on our Discord](https://discord.gg/safing).
+          # TODO: Handle stale PRs
+          days-before-pr-stale: 36500 # 100 years - effectively disabled.
--- a/.golangci.yml
+++ b/.golangci.yml
@ -7,6 +7,7 @@ linters:
    - containedctx
    - contextcheck
    - cyclop
+    - depguard
    - exhaustivestruct
    - exhaustruct
    - forbidigo
@ -22,6 +23,7 @@ linters:
    - interfacer
    - ireturn
    - lll
+    - musttag
    - nestif
    - nilnil
    - nlreturn
--- a/cmd/build
+++ b/cmd/build
@ -1,61 +1,29 @@
 #!/bin/bash
+set -eo pipefail

 baseDir="$( cd "$(dirname "$0")" && pwd )"
 cd "$baseDir"

-# get build data
-if [[ "$BUILD_COMMIT" == "" ]]; then
-  BUILD_COMMIT=$(git describe --all --long --abbrev=99 --dirty 2>/dev/null)
-fi
-if [[ "$BUILD_USER" == "" ]]; then
-  BUILD_USER=$(id -un)
-fi
-if [[ "$BUILD_HOST" == "" ]]; then
-  BUILD_HOST=$(hostname)
-fi
-if [[ "$BUILD_DATE" == "" ]]; then
-  BUILD_DATE=$(date +%d.%m.%Y)
-fi
-if [[ "$BUILD_SOURCE" == "" ]]; then
-  BUILD_SOURCE=$(git remote -v | grep origin | cut -f2 | cut -d" " -f1 | head -n 1)
-fi
-if [[ "$BUILD_SOURCE" == "" ]]; then
-  BUILD_SOURCE=$(git remote -v | cut -f2 | cut -d" " -f1 | head -n 1)
-fi
-BUILD_BUILDOPTIONS=$(echo $* | sed "s/ /§/g")
-
-# check
-if [[ "$BUILD_COMMIT" == "" ]]; then
-  echo "could not automatically determine BUILD_COMMIT, please supply manually as environment variable."
-  exit 1
-fi
-if [[ "$BUILD_USER" == "" ]]; then
-  echo "could not automatically determine BUILD_USER, please supply manually as environment variable."
-  exit 1
-fi
-if [[ "$BUILD_HOST" == "" ]]; then
-  echo "could not automatically determine BUILD_HOST, please supply manually as environment variable."
-  exit 1
-fi
-if [[ "$BUILD_DATE" == "" ]]; then
-  echo "could not automatically determine BUILD_DATE, please supply manually as environment variable."
-  exit 1
-fi
-if [[ "$BUILD_SOURCE" == "" ]]; then
-  echo "could not automatically determine BUILD_SOURCE, please supply manually as environment variable."
-  exit 1
-fi
-
 echo "Please notice, that this build script includes metadata into the build."
 echo "This information is useful for debugging and license compliance."
 echo "Run the compiled binary with the version command to see the information included."

+# Get version.
+VERSION="$(git tag --points-at)" || true
+test -z "$VERSION" && DEV_VERSION="$(git describe --tags --first-parent --abbrev=0)" || true
+test -n "$DEV_VERSION" && VERSION="${DEV_VERSION}_dev_build"
+test -z "$VERSION" && VERSION="dev_build"
+BUILD_SOURCE=$( ( git remote -v | cut -f2 | cut -d" " -f1 | head -n 1 ) || echo "unknown" )
+BUILD_TIME=$(date -u "+%Y-%m-%dT%H:%M:%SZ" || echo "unknown")
+
+LDFLAGS="-X main.Version=${VERSION} -X main.BuildSource=${BUILD_SOURCE} -X main.BuildTime=${BUILD_TIME}"
+
 # build output name
 BIN_NAME="jess"
 if [[ "$GOOS" == "windows" ]]; then
  BIN_NAME="${BIN_NAME}.exe"
 fi

-# build
-BUILD_PATH="github.com/safing/portbase/info"
-go build -o "${BIN_NAME}" -ldflags "-X ${BUILD_PATH}.commit=${BUILD_COMMIT} -X ${BUILD_PATH}.buildOptions=${BUILD_BUILDOPTIONS} -X ${BUILD_PATH}.buildUser=${BUILD_USER} -X ${BUILD_PATH}.buildHost=${BUILD_HOST} -X ${BUILD_PATH}.buildDate=${BUILD_DATE} -X ${BUILD_PATH}.buildSource=${BUILD_SOURCE}" "$@"
+# Build.
+export CGO_ENABLED=0
+go build -o "${BIN_NAME}" -ldflags "$LDFLAGS" "$@"
--- a/cmd/cmd-checksum.go
+++ b/cmd/cmd-checksum.go
@ -0,0 +1,111 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/spf13/cobra"
+
+	"github.com/safing/jess/filesig"
+)
+
+func init() {
+	rootCmd.AddCommand(checksum)
+	checksum.AddCommand(checksumAdd)
+	checksum.AddCommand(checksumVerify)
+}
+
+var (
+	checksum = &cobra.Command{
+		Use:   "checksum",
+		Short: "add or verify embedded checksums",
+	}
+
+	checksumAddUsage = "usage: checksum add <file>"
+	checksumAdd      = &cobra.Command{
+		Use:   "add <file>",
+		Short: "add an embedded checksum to a file",
+		Long:  "add an embedded checksum to a file (support file types: txt, json, yaml)",
+		RunE:  handleChecksumAdd,
+	}
+
+	checksumVerifyUsage = "usage: checksum verify <file>"
+	checksumVerify      = &cobra.Command{
+		Use:   "verify <file>",
+		Short: "verify the embedded checksum of a file",
+		Long:  "verify the embedded checksum of a file (support file types: txt, json, yaml)",
+		RunE:  handleChecksumVerify,
+	}
+)
+
+func handleChecksumAdd(cmd *cobra.Command, args []string) error {
+	// Check args.
+	if len(args) != 1 {
+		return errors.New(checksumAddUsage)
+	}
+	filename := args[0]
+
+	data, err := os.ReadFile(filename)
+	if err != nil {
+		return fmt.Errorf("failed to read file: %w", err)
+	}
+
+	switch filepath.Ext(filename) {
+	case ".json":
+		data, err = filesig.AddJSONChecksum(data)
+	case ".yml", ".yaml":
+		data, err = filesig.AddYAMLChecksum(data, filesig.TextPlacementAfterComment)
+	case ".txt":
+		data, err = filesig.AddTextFileChecksum(data, "#", filesig.TextPlacementAfterComment)
+	default:
+		return errors.New("unsupported file format")
+	}
+	if err != nil {
+		return err
+	}
+
+	// Write back to disk.
+	fileInfo, err := os.Stat(filename)
+	if err != nil {
+		return fmt.Errorf("failed to stat file: %w", err)
+	}
+	err = os.WriteFile(filename, data, fileInfo.Mode().Perm())
+	if err != nil {
+		return fmt.Errorf("failed to write back file with checksum: %w", err)
+	}
+
+	fmt.Println("checksum added")
+	return nil
+}
+
+func handleChecksumVerify(cmd *cobra.Command, args []string) error {
+	// Check args.
+	if len(args) != 1 {
+		return errors.New(checksumVerifyUsage)
+	}
+	filename := args[0]
+
+	data, err := os.ReadFile(filename)
+	if err != nil {
+		return fmt.Errorf("failed to read file: %w", err)
+	}
+
+	switch filepath.Ext(filename) {
+	case ".json":
+		err = filesig.VerifyJSONChecksum(data)
+	case ".yml", ".yaml":
+		err = filesig.VerifyYAMLChecksum(data)
+	case ".txt":
+		err = filesig.VerifyTextFileChecksum(data, "#")
+	default:
+		return errors.New("unsupported file format")
+	}
+	if err != nil {
+		return err
+	}
+
+	fmt.Println("checksum verified")
+	return nil
+}
--- a/cmd/cmd-open.go
+++ b/cmd/cmd-open.go
@ -11,7 +11,7 @@ import (
 	"github.com/spf13/cobra"

 	"github.com/safing/jess"
-	"github.com/safing/portbase/container"
+	"github.com/safing/structures/container"
 )

 func init() {
--- a/cmd/cmd-verify.go
+++ b/cmd/cmd-verify.go
@ -13,7 +13,7 @@ import (

 	"github.com/safing/jess"
 	"github.com/safing/jess/filesig"
-	"github.com/safing/portbase/container"
+	"github.com/safing/structures/container"
 )

 func init() {
--- a/cmd/cmd-version.go
+++ b/cmd/cmd-version.go
@ -2,20 +2,85 @@ package main

 import (
 	"fmt"
+	"runtime"
+	"runtime/debug"
+	"strings"

 	"github.com/spf13/cobra"
-
-	"github.com/safing/portbase/info"
 )

 func init() {
 	rootCmd.AddCommand(versionCmd)
 }

-var versionCmd = &cobra.Command{
-	Use:   "version",
-	Short: "print version information",
-	Run: func(cmd *cobra.Command, args []string) {
-		fmt.Println(info.FullVersion())
-	},
+var (
+	// Version is the version of this command.
+	Version = "dev build"
+	// BuildSource holds the primary source repo used to build.
+	BuildSource = "unknown"
+	// BuildTime holds the time when the binary was built.
+	BuildTime = "unknown"
+)
+
+func init() {
+	// Convert version string space placeholders.
+	Version = strings.ReplaceAll(Version, "_", " ")
+	BuildSource = strings.ReplaceAll(BuildSource, "_", " ")
+	BuildTime = strings.ReplaceAll(BuildTime, "_", " ")
+
+	// Get build info.
+	buildInfo, _ := debug.ReadBuildInfo()
+	buildSettings := make(map[string]string)
+	for _, setting := range buildInfo.Settings {
+		buildSettings[setting.Key] = setting.Value
+	}
+
+	// Add "dev build" to version if repo is dirty.
+	if buildSettings["vcs.modified"] == "true" &&
+		!strings.HasSuffix(Version, "dev build") {
+		Version += " dev build"
+	}
+
+	rootCmd.AddCommand(versionCmd)
+}
+
+var versionCmd = &cobra.Command{
+	Use: "version",
+	Run: version,
+}
+
+func version(cmd *cobra.Command, args []string) {
+	builder := new(strings.Builder)
+
+	// Get build info.
+	buildInfo, _ := debug.ReadBuildInfo()
+	buildSettings := make(map[string]string)
+	for _, setting := range buildInfo.Settings {
+		buildSettings[setting.Key] = setting.Value
+	}
+
+	// Print version info.
+	builder.WriteString(fmt.Sprintf("Jess %s\n", Version))
+
+	// Build info.
+	cgoInfo := "-cgo"
+	if buildSettings["CGO_ENABLED"] == "1" {
+		cgoInfo = "+cgo"
+	}
+	builder.WriteString(fmt.Sprintf("\nbuilt with %s (%s %s) for %s/%s\n", runtime.Version(), runtime.Compiler, cgoInfo, runtime.GOOS, runtime.GOARCH))
+	builder.WriteString(fmt.Sprintf("  at %s\n", BuildTime))
+
+	// Commit info.
+	dirtyInfo := "clean"
+	if buildSettings["vcs.modified"] == "true" {
+		dirtyInfo = "dirty"
+	}
+	builder.WriteString(fmt.Sprintf("\ncommit %s (%s)\n", buildSettings["vcs.revision"], dirtyInfo))
+	builder.WriteString(fmt.Sprintf("  at %s\n", buildSettings["vcs.time"]))
+	builder.WriteString(fmt.Sprintf("  from %s\n", BuildSource))
+
+	// License info.
+	builder.WriteString("\nLicensed under the GPLv3 license.")
+
+	_, _ = fmt.Println(builder.String())
 }
--- a/cmd/main.go
+++ b/cmd/main.go
@ -2,7 +2,6 @@ package main

 import (
 	"errors"
-	"fmt"
 	"os"

 	"github.com/spf13/cobra"
@ -10,7 +9,6 @@ import (
 	"github.com/safing/jess"
 	_ "github.com/safing/jess/tools/all"
 	"github.com/safing/jess/truststores"
-	"github.com/safing/portbase/info"
 )

 const (
@ -41,14 +39,6 @@ var (
 )

 func main() {
-	info.Set("jess", "0.3.1", "GPLv3", true)
-
-	err := info.CheckVersion()
-	if err != nil {
-		fmt.Println(err)
-		os.Exit(1)
-	}
-
 	rootCmd.PersistentFlags().StringVarP(&trustStoreDir, "tsdir", "d", "",
 		"specify a truststore directory (default loaded from JESS_TS_DIR env variable)",
 	)
@ -62,8 +52,7 @@ func main() {
 	rootCmd.PersistentFlags().IntVarP(&minimumSecurityLevel, "seclevel", "s", 0, "specify a minimum security level")
 	rootCmd.PersistentFlags().IntVarP(&defaultSymmetricKeySize, "symkeysize", "k", 0, "specify a default symmetric key size (only applies in certain conditions, use when prompted)")

-	err = rootCmd.Execute()
-	if err != nil {
+	if rootCmd.Execute() != nil {
 		os.Exit(1)
 	}
 	os.Exit(0)
--- a/core-wire_test.go
+++ b/core-wire_test.go
@ -5,7 +5,7 @@ import (
 	"testing"
 	"time"

-	"github.com/safing/portbase/container"
+	"github.com/safing/structures/container"
 )

 func TestWire(t *testing.T) {
--- a/core.go
+++ b/core.go
@ -5,7 +5,7 @@ import (
 	"errors"
 	"fmt"

-	"github.com/safing/portbase/container"
+	"github.com/safing/structures/container"
 )

 // Close encrypts (and possibly signs) the given data and returns a Letter. Storyline: Close takes an envelope, inserts the message and closes it, resulting in a letter.
@ -304,7 +304,7 @@ func (s *Session) Open(letter *Letter) ([]byte, error) { //nolint:gocognit,gocyc
 	for i := len(s.integratedCiphers) - 1; i >= 0; i-- {
 		data, err = s.integratedCiphers[i].AuthenticatedDecrypt(data, associatedData)
 		if err != nil {
-			return nil, fmt.Errorf("%w: [%s] %s", ErrIntegrityViolation, s.integratedCiphers[i].Info().Name, err)
+			return nil, fmt.Errorf("%w: [%s] %w", ErrIntegrityViolation, s.integratedCiphers[i].Info().Name, err)
 		}
 	}

@ -312,7 +312,7 @@ func (s *Session) Open(letter *Letter) ([]byte, error) { //nolint:gocognit,gocyc
 	for i := len(s.ciphers) - 1; i >= 0; i-- {
 		data, err = s.ciphers[i].Decrypt(data)
 		if err != nil {
-			return nil, fmt.Errorf("%w: decryption failed: [%s] %s", ErrIntegrityViolation, s.ciphers[i].Info().Name, err)
+			return nil, fmt.Errorf("%w: decryption failed: [%s] %w", ErrIntegrityViolation, s.ciphers[i].Info().Name, err)
 		}
 	}

--- a/core_test.go
+++ b/core_test.go
@ -19,7 +19,7 @@ const (
 	Qui voluptates quod omnis rerum. Soluta dolore quia eius quo similique accusamus. Quisquam fugiat sed voluptatibus eos earum sed. Numquam quia at commodi aut esse ducimus enim.
 	Enim nihil architecto architecto. Reprehenderit at assumenda labore. Et ut sed ut inventore tenetur autem. Iusto et neque ab dolores eum. Praesentium amet sint ut voluptate impedit sit.
 	A accusantium ullam voluptatibus. Adipisci architecto minus dolore tenetur eos. Id illum quo neque laborum numquam laborum animi libero.
-	Debitis voluptatem non aut ex. Et et quis qui aut aut fugit accusantium. Est dolor quia accusantium culpa.
+	Debitis voluptatem non aut ex. Et et quis qui aut fugit accusantium. Est dolor quia accusantium culpa.
 	Facere iste dolor a qui. Earum aut facilis maxime repudiandae magnam. Laborum illum distinctio quo libero corrupti maxime. Eum nam officiis culpa nobis.
 	Et repellat qui ut quaerat error explicabo. Distinctio repudiandae sit dolores nam at. Suscipit aliquam alias ullam id.`

--- a/envelope.go
+++ b/envelope.go
@ -6,7 +6,7 @@ import (

 	"github.com/mr-tron/base58"

-	"github.com/safing/portbase/formats/dsd"
+	"github.com/safing/structures/dsd"
 )

 // Envelope holds configuration for jess to put data into a letter.
--- a/filesig/format_armor.go
+++ b/filesig/format_armor.go
@ -7,7 +7,7 @@ import (
 	"regexp"

 	"github.com/safing/jess"
-	"github.com/safing/portbase/formats/dsd"
+	"github.com/safing/structures/dsd"
 )

 const (
--- a/filesig/json.go
+++ b/filesig/json.go
@ -0,0 +1,279 @@
+package filesig
+
+import (
+	"encoding/base64"
+	"errors"
+	"fmt"
+
+	"github.com/tidwall/gjson"
+	"github.com/tidwall/pretty"
+	"github.com/tidwall/sjson"
+	"golang.org/x/exp/slices"
+
+	"github.com/safing/jess"
+	"github.com/safing/jess/lhash"
+	"github.com/safing/structures/dsd"
+)
+
+// JSON file metadata keys.
+const (
+	JSONKeyPrefix    = "_jess-"
+	JSONChecksumKey  = JSONKeyPrefix + "checksum"
+	JSONSignatureKey = JSONKeyPrefix + "signature"
+)
+
+// AddJSONChecksum adds a checksum to a text file.
+func AddJSONChecksum(data []byte) ([]byte, error) {
+	// Extract content and metadata from json.
+	content, checksums, signatures, err := jsonSplit(data)
+	if err != nil {
+		return nil, err
+	}
+
+	// Calculate checksum.
+	h := lhash.BLAKE2b_256.Digest(content)
+	checksums = append(checksums, h.Base58())
+
+	// Sort and deduplicate checksums and sigs.
+	slices.Sort(checksums)
+	checksums = slices.Compact(checksums)
+	slices.Sort(signatures)
+	signatures = slices.Compact(signatures)
+
+	// Add metadata and return.
+	return jsonAddMeta(content, checksums, signatures)
+}
+
+// VerifyJSONChecksum checks a checksum in a text file.
+func VerifyJSONChecksum(data []byte) error {
+	// Extract content and metadata from json.
+	content, checksums, _, err := jsonSplit(data)
+	if err != nil {
+		return err
+	}
+
+	// Verify all checksums.
+	var checksumsVerified int
+	for _, checksum := range checksums {
+		// Parse checksum.
+		h, err := lhash.FromBase58(checksum)
+		if err != nil {
+			return fmt.Errorf("%w: failed to parse labeled hash: %w", ErrChecksumFailed, err)
+		}
+		// Verify checksum.
+		if !h.Matches(content) {
+			return ErrChecksumFailed
+		}
+		checksumsVerified++
+	}
+
+	// Fail when no checksums were verified.
+	if checksumsVerified == 0 {
+		return ErrChecksumMissing
+	}
+
+	return nil
+}
+
+func AddJSONSignature(data []byte, envelope *jess.Envelope, trustStore jess.TrustStore) (signedData []byte, err error) {
+	// Create session.
+	session, err := envelope.Correspondence(trustStore)
+	if err != nil {
+		return nil, fmt.Errorf("invalid signing envelope: %w", err)
+	}
+
+	// Check if the envelope is suitable for signing.
+	if err := envelope.Suite().Provides.CheckComplianceTo(fileSigRequirements); err != nil {
+		return nil, fmt.Errorf("envelope not suitable for signing: %w", err)
+	}
+
+	// Extract content and metadata from json.
+	content, checksums, signatures, err := jsonSplit(data)
+	if err != nil {
+		return nil, fmt.Errorf("invalid json structure: %w", err)
+	}
+
+	// Sign data.
+	letter, err := session.Close(content)
+	if err != nil {
+		return nil, fmt.Errorf("sign: %w", err)
+	}
+
+	// Serialize signature and add it.
+	letter.Data = nil
+	sig, err := letter.ToDSD(dsd.CBOR)
+	if err != nil {
+		return nil, fmt.Errorf("serialize sig: %w", err)
+	}
+	signatures = append(signatures, base64.RawURLEncoding.EncodeToString(sig))
+
+	// Sort and deduplicate checksums and sigs.
+	slices.Sort(checksums)
+	checksums = slices.Compact(checksums)
+	slices.Sort(signatures)
+	signatures = slices.Compact(signatures)
+
+	// Add metadata and return.
+	return jsonAddMeta(data, checksums, signatures)
+}
+
+func VerifyJSONSignature(data []byte, trustStore jess.TrustStore) (err error) {
+	// Extract content and metadata from json.
+	content, _, signatures, err := jsonSplit(data)
+	if err != nil {
+		return fmt.Errorf("invalid json structure: %w", err)
+	}
+
+	var signaturesVerified int
+	for i, sig := range signatures {
+		// Deserialize signature.
+		sigData, err := base64.RawURLEncoding.DecodeString(sig)
+		if err != nil {
+			return fmt.Errorf("signature %d malformed: %w", i+1, err)
+		}
+		letter := &jess.Letter{}
+		_, err = dsd.Load(sigData, letter)
+		if err != nil {
+			return fmt.Errorf("signature %d malformed: %w", i+1, err)
+		}
+
+		// Verify signature.
+		letter.Data = content
+		err = letter.Verify(fileSigRequirements, trustStore)
+		if err != nil {
+			return fmt.Errorf("signature %d invalid: %w", i+1, err)
+		}
+
+		signaturesVerified++
+	}
+
+	// Fail when no signatures were verified.
+	if signaturesVerified == 0 {
+		return ErrSignatureMissing
+	}
+
+	return nil
+}
+
+func jsonSplit(data []byte) (
+	content []byte,
+	checksums []string,
+	signatures []string,
+	err error,
+) {
+	// Check json.
+	if !gjson.ValidBytes(data) {
+		return nil, nil, nil, errors.New("invalid json")
+	}
+	content = data
+
+	// Get checksums.
+	result := gjson.GetBytes(content, JSONChecksumKey)
+	if result.Exists() {
+		if result.IsArray() {
+			array := result.Array()
+			checksums = make([]string, 0, len(array))
+			for _, result := range array {
+				if result.Type == gjson.String {
+					checksums = append(checksums, result.String())
+				}
+			}
+		} else if result.Type == gjson.String {
+			checksums = []string{result.String()}
+		}
+
+		// Delete key.
+		content, err = sjson.DeleteBytes(content, JSONChecksumKey)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+	}
+
+	// Get signatures.
+	result = gjson.GetBytes(content, JSONSignatureKey)
+	if result.Exists() {
+		if result.IsArray() {
+			array := result.Array()
+			signatures = make([]string, 0, len(array))
+			for _, result := range array {
+				if result.Type == gjson.String {
+					signatures = append(signatures, result.String())
+				}
+			}
+		} else if result.Type == gjson.String {
+			signatures = []string{result.String()}
+		}
+
+		// Delete key.
+		content, err = sjson.DeleteBytes(content, JSONSignatureKey)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+	}
+
+	// Format for reproducible checksums and signatures.
+	content = pretty.PrettyOptions(content, &pretty.Options{
+		Width:    200,  // Must not change!
+		Prefix:   "",   // Must not change!
+		Indent:   " ",  // Must not change!
+		SortKeys: true, // Must not change!
+	})
+
+	return content, checksums, signatures, nil
+}
+
+func jsonAddMeta(data []byte, checksums, signatures []string) ([]byte, error) {
+	var (
+		err  error
+		opts = &sjson.Options{
+			ReplaceInPlace: true,
+		}
+	)
+
+	// Add checksums.
+	switch len(checksums) {
+	case 0:
+		// Skip
+	case 1:
+		// Add single checksum.
+		data, err = sjson.SetBytesOptions(
+			data, JSONChecksumKey, checksums[0], opts,
+		)
+	default:
+		// Add multiple checksums.
+		data, err = sjson.SetBytesOptions(
+			data, JSONChecksumKey, checksums, opts,
+		)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	// Add signatures.
+	switch len(signatures) {
+	case 0:
+		// Skip
+	case 1:
+		// Add single signature.
+		data, err = sjson.SetBytesOptions(
+			data, JSONSignatureKey, signatures[0], opts,
+		)
+	default:
+		// Add multiple signatures.
+		data, err = sjson.SetBytesOptions(
+			data, JSONSignatureKey, signatures, opts,
+		)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	// Final pretty print.
+	data = pretty.PrettyOptions(data, &pretty.Options{
+		Width:  200, // Must not change!
+		Prefix: "",  // Must not change!
+		Indent: " ", // Must not change!
+	})
+
+	return data, nil
+}
--- a/filesig/json_test.go
+++ b/filesig/json_test.go
@ -0,0 +1,226 @@
+package filesig
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/safing/jess"
+	"github.com/safing/jess/tools"
+)
+
+func TestJSONChecksums(t *testing.T) {
+	t.Parallel()
+
+	// Base test text file.
+	json := `{"a": "b", "c": 1}`
+
+	// Test with checksum after comment.
+
+	jsonWithChecksum := `{
+ "_jess-checksum": "ZwtAd75qvioh6uf1NAq64KRgTbqeehFVYmhLmrwu1s7xJo",
+ "a": "b",
+ "c": 1
+}
+`
+
+	testJSONWithChecksum, err := AddJSONChecksum([]byte(json))
+	require.NoError(t, err, "should be able to add checksum")
+	assert.Equal(t, jsonWithChecksum, string(testJSONWithChecksum), "should match")
+	require.NoError(t,
+		VerifyJSONChecksum(testJSONWithChecksum),
+		"checksum should be correct",
+	)
+
+	jsonWithChecksum = `{
+	"c": 1,     "a":"b",
+		"_jess-checksum": "ZwtAd75qvioh6uf1NAq64KRgTbqeehFVYmhLmrwu1s7xJo"
+	}`
+	require.NoError(t,
+		VerifyJSONChecksum([]byte(jsonWithChecksum)),
+		"checksum should be correct",
+	)
+
+	jsonWithMultiChecksum := `{
+		"_jess-checksum": [
+			"PTV7S3Ca81aRk2kdNw7q2RfjLfEdPPT5Px5d211nhZedZC",
+			"PTV7S3Ca81aRk2kdNw7q2RfjLfEdPPT5Px5d211nhZedZC",
+			"CyDGH55DZUwa556DiYztMXaKZVBDjzWeFETiGmABMbvC3V"
+		],
+		"a": "b",
+		"c": 1
+	 }
+	 `
+	require.NoError(t,
+		VerifyJSONChecksum([]byte(jsonWithMultiChecksum)),
+		"checksum should be correct",
+	)
+
+	jsonWithMultiChecksumOutput := `{
+ "_jess-checksum": ["CyDGH55DZUwa556DiYztMXaKZVBDjzWeFETiGmABMbvC3V", "PTV7S3Ca81aRk2kdNw7q2RfjLfEdPPT5Px5d211nhZedZC", "ZwtAd75qvioh6uf1NAq64KRgTbqeehFVYmhLmrwu1s7xJo"],
+ "a": "b",
+ "c": 1
+}
+`
+
+	testJSONWithMultiChecksum, err := AddJSONChecksum([]byte(jsonWithMultiChecksum))
+	require.NoError(t, err, "should be able to add checksum")
+	assert.Equal(t, jsonWithMultiChecksumOutput, string(testJSONWithMultiChecksum), "should match")
+	require.NoError(t,
+		VerifyJSONChecksum(testJSONWithMultiChecksum),
+		"checksum should be correct",
+	)
+
+	// 	// Test with multiple checksums.
+
+	// 	textWithMultiChecksum := `# jess-checksum: PTNktssvYCYjZXLFL2QoBk7DYoSz1qF7DJd5XNvtptd41B
+	// #!/bin/bash
+	// # Initial
+	// # Comment
+	// # Block
+	// # jess-checksum: Cy2TyVDjEStUqX3wCzCCKTfy228KaQK25ZDbHNmKiF8SPf
+
+	// do_something()
+
+	// # jess-checksum: YdgJFzuvFduk1MwRjZ2JkWQ6tCE1wkjn9xubSggKAdJSX5
+	// `
+	// 	assert.NoError(t,
+	// 		VerifyTextFileChecksum([]byte(textWithMultiChecksum), "#"),
+	// 		"checksum should be correct",
+	// 	)
+
+	// 	textWithMultiChecksumOutput := `#!/bin/bash
+	// # Initial
+	// # Comment
+	// # Block
+	// # jess-checksum: Cy2TyVDjEStUqX3wCzCCKTfy228KaQK25ZDbHNmKiF8SPf
+	// # jess-checksum: PTNktssvYCYjZXLFL2QoBk7DYoSz1qF7DJd5XNvtptd41B
+	// # jess-checksum: YdgJFzuvFduk1MwRjZ2JkWQ6tCE1wkjn9xubSggKAdJSX5
+	// # jess-checksum: ZwngYUfUBeUn99HSdrNxkWSNjqrgZuSpVrexeEYttBso5o
+
+	// do_something()
+	// `
+	// 	testTextWithMultiChecksumOutput, err := AddTextFileChecksum([]byte(textWithMultiChecksum), "#", AfterComment)
+	// 	assert.NoError(t, err, "should be able to add checksum")
+	// 	assert.Equal(t, textWithMultiChecksumOutput, string(testTextWithMultiChecksumOutput), "should match")
+
+	// 	// Test failing checksums.
+
+	// 	textWithFailingChecksums := `#!/bin/bash
+	// # Initial
+	// # Comment
+	// # Block
+	// # jess-checksum: Cy2TyVDjEStUqX3wCzCCKTfy228KaQK25ZDbHNmKiF8SPf
+	// # jess-checksum: PTNktssvYCYjZXLFL2QoBk7DYoSz1qF7DJd5XNvtptd41B
+	// # jess-checksum: YdgJFzuvFduk1MwRjZ2JkWQ6tCE1wkjn9xubSggKAdJSX5
+	// # jess-checksum: ZwngYUfUBeUn99HSdrNxkWSNjaaaaaaaaaaaaaaaaaaaaa
+
+	// do_something()
+	// `
+	//
+	//	assert.Error(t, VerifyTextFileChecksum([]byte(textWithFailingChecksums), "#"), "should fail")
+}
+
+func TestJSONSignatures(t *testing.T) {
+	t.Parallel()
+
+	// Get tool for key generation.
+	tool, err := tools.Get("Ed25519")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Generate key pair.
+	s, err := getOrMakeSignet(t, tool.StaticLogic, false, "test-key-jsonsig-1")
+	if err != nil {
+		t.Fatal(err)
+	}
+	// sBackup, err := s.Backup(true)
+	// if err != nil {
+	// 	t.Fatal(err)
+	// }
+	// t.Logf("signet: %s", sBackup)
+
+	// Make envelope.
+	envelope := jess.NewUnconfiguredEnvelope()
+	envelope.SuiteID = jess.SuiteSignV1
+	envelope.Senders = []*jess.Signet{s}
+
+	// Test 1: Simple json.
+
+	json := `{"a": "b", "c": 1}`
+	testJSONWithSignature, err := AddJSONSignature([]byte(json), envelope, testTrustStore)
+	require.NoError(t, err, "should be able to add signature")
+	require.NoError(t,
+		VerifyJSONSignature(testJSONWithSignature, testTrustStore),
+		"signature should be valid",
+	)
+
+	// Test 2: Prepared json with signature.
+
+	// Load signing key into trust store.
+	signingKey2, err := jess.SenderFromTextFormat(
+		"sender:2ZxXzzL3mc3mLPizTUe49zi8Z3NMbDrmmqJ4V9mL4AxefZ1o8pM8wPMuK2uW12Mvd3EJL9wsKTn14BDuqH2AtucvHTAkjDdZZ5YA9Azmji5tLRXmypvSxEj2mxXU3MFXBVdpzPdwRcE4WauLo9ZfQWebznvnatVLwuxmeo17tU2pL7",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	rcptKey2, err := signingKey2.AsRecipient()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := testTrustStore.StoreSignet(rcptKey2); err != nil {
+		t.Fatal(err)
+	}
+
+	// Verify data.
+	jsonWithSignature := `{
+			"c":1,"a":"b",
+			"_jess-signature": "Q6RnVmVyc2lvbgFnU3VpdGVJRGdzaWduX3YxZU5vbmNlRK6e7JhqU2lnbmF0dXJlc4GjZlNjaGVtZWdFZDI1NTE5YklEeBl0ZXN0LXN0YXRpYy1rZXktanNvbnNpZy0xZVZhbHVlWEBPEbeM4_CTl3OhNT2z74h38jIZG5R7BBLDFd6npJ3E-4JqM6TaSMa-2pPEBf3fDNuikR3ak45SekC6Z10uWiEB"
+		}`
+	require.NoError(t,
+		VerifyJSONSignature([]byte(jsonWithSignature), testTrustStore),
+		"signature should be valid",
+	)
+
+	// Test 3: Add signature to prepared json.
+
+	testJSONWithSignature, err = AddJSONSignature([]byte(jsonWithSignature), envelope, testTrustStore)
+	require.NoError(t, err, "should be able to add signature")
+	require.NoError(t,
+		VerifyJSONSignature(testJSONWithSignature, testTrustStore),
+		"signatures should be valid",
+	)
+
+	// Test 4: Prepared json with multiple signatures.
+
+	// Load signing key into trust store.
+	signingKey3, err := jess.SenderFromTextFormat(
+		"sender:2ZxXzzL3mc3mLPizTUe49zi8Z3NMbDrmmqJ4V9mL4AxefZ1o8pM8wPMuRAXdZNaPX3B96bhGCpww6TbXJ6WXLHoLwLV196cgdm1BurfTMdjUPa4PUj1KgHuM82b1p8ezQeryzj1CsjeM8KRQdh9YP87gwKpXNmLW5GmUyWG5KxzZ7W",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	rcptKey3, err := signingKey3.AsRecipient()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := testTrustStore.StoreSignet(rcptKey3); err != nil {
+		t.Fatal(err)
+	}
+
+	jsonWithMultiSig := `{
+			"_jess-signature": [
+				"Q6RnVmVyc2lvbgFnU3VpdGVJRGdzaWduX3YxZU5vbmNlRK6e7JhqU2lnbmF0dXJlc4GjZlNjaGVtZWdFZDI1NTE5YklEeBl0ZXN0LXN0YXRpYy1rZXktanNvbnNpZy0xZVZhbHVlWEBPEbeM4_CTl3OhNT2z74h38jIZG5R7BBLDFd6npJ3E-4JqM6TaSMa-2pPEBf3fDNuikR3ak45SekC6Z10uWiEB",
+				"Q6RnVmVyc2lvbgFnU3VpdGVJRGdzaWduX3YxZU5vbmNlRC32oylqU2lnbmF0dXJlc4GjZlNjaGVtZWdFZDI1NTE5YklEeBl0ZXN0LXN0YXRpYy1rZXktanNvbnNpZy0yZVZhbHVlWEDYVHeKaJvzZPOkgC6Tie6x70bNm2jtmJmAwDFDcBL1ddK7pVSefyAPg47xMO7jeucP5bw754P6CdrR5gyANJkM"
+			],
+			"a": "b",
+			"c": 1
+		 }
+		 `
+	assert.NoError(t,
+		VerifyJSONSignature([]byte(jsonWithMultiSig), testTrustStore),
+		"signatures should be valid",
+	)
+}
--- a/filesig/main.go
+++ b/filesig/main.go
@ -6,7 +6,7 @@ import (

 	"github.com/safing/jess"
 	"github.com/safing/jess/lhash"
-	"github.com/safing/portbase/formats/dsd"
+	"github.com/safing/structures/dsd"
 )

 // Extension holds the default file extension to be used for signature files.
@ -53,7 +53,7 @@ func SignFileData(fileHash *lhash.LabeledHash, metaData map[string]string, envel

 	// Check if the envelope is suitable for signing.
 	if err := envelope.Suite().Provides.CheckComplianceTo(fileSigRequirements); err != nil {
-		return nil, nil, fmt.Errorf("envelope not suitable for signing")
+		return nil, nil, fmt.Errorf("envelope not suitable for signing: %w", err)
 	}

 	// Create struct and transform data into serializable format to be signed.
--- a/filesig/text.go
+++ b/filesig/text.go
@ -0,0 +1,232 @@
+package filesig
+
+import (
+	"bufio"
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"strings"
+
+	"golang.org/x/exp/slices"
+
+	"github.com/safing/jess/lhash"
+)
+
+// Text file metadata keys.
+const (
+	TextKeyPrefix    = "jess-"
+	TextChecksumKey  = TextKeyPrefix + "checksum"
+	TextSignatureKey = TextKeyPrefix + "signature"
+)
+
+// Text Operation Errors.
+var (
+	ErrChecksumMissing  = errors.New("no checksum found")
+	ErrChecksumFailed   = errors.New("checksum does not match")
+	ErrSignatureMissing = errors.New("signature not found")
+	ErrSignatureFailed  = errors.New("signature does not match")
+)
+
+// TextPlacement signifies where jess metadata is put in text files.
+type TextPlacement string
+
+const (
+	// TextPlacementTop places the metadata at end of file.
+	TextPlacementTop TextPlacement = "top"
+	// TextPlacementBottom places the metadata at end of file.
+	TextPlacementBottom TextPlacement = "bottom"
+	// TextPlacementAfterComment places the metadata at end of the top comment
+	// block, or at the top, if the first line is not a comment.
+	TextPlacementAfterComment TextPlacement = "after-comment"
+
+	defaultMetaPlacement = TextPlacementAfterComment
+)
+
+// AddTextFileChecksum adds a checksum to a text file.
+func AddTextFileChecksum(data []byte, commentSign string, placement TextPlacement) ([]byte, error) {
+	// Split text file into content and jess metadata lines.
+	content, metaLines, err := textSplit(data, commentSign)
+	if err != nil {
+		return nil, err
+	}
+
+	// Calculate checksum.
+	h := lhash.BLAKE2b_256.Digest(content)
+	metaLines = append(metaLines, TextChecksumKey+": "+h.Base58())
+
+	// Sort and deduplicate meta lines.
+	slices.Sort[[]string, string](metaLines)
+	metaLines = slices.Compact[[]string, string](metaLines)
+
+	// Add meta lines and return.
+	return textAddMeta(content, metaLines, commentSign, placement)
+}
+
+// VerifyTextFileChecksum checks a checksum in a text file.
+func VerifyTextFileChecksum(data []byte, commentSign string) error {
+	// Split text file into content and jess metadata lines.
+	content, metaLines, err := textSplit(data, commentSign)
+	if err != nil {
+		return err
+	}
+
+	// Verify all checksums.
+	var checksumsVerified int
+	for _, line := range metaLines {
+		if strings.HasPrefix(line, TextChecksumKey) {
+			// Clean key, delimiters and space.
+			line = strings.TrimPrefix(line, TextChecksumKey)
+			line = strings.TrimSpace(line)   // Spaces and newlines.
+			line = strings.Trim(line, ":= ") // Delimiters and spaces.
+			// Parse checksum.
+			h, err := lhash.FromBase58(line)
+			if err != nil {
+				return fmt.Errorf("%w: failed to parse labeled hash: %w", ErrChecksumFailed, err)
+			}
+			// Verify checksum.
+			if !h.Matches(content) {
+				return ErrChecksumFailed
+			}
+			checksumsVerified++
+		}
+	}
+
+	// Fail when no checksums were verified.
+	if checksumsVerified == 0 {
+		return ErrChecksumMissing
+	}
+
+	return nil
+}
+
+func textSplit(data []byte, commentSign string) (content []byte, metaLines []string, err error) {
+	metaLinePrefix := commentSign + " " + TextKeyPrefix
+	contentBuf := bytes.NewBuffer(make([]byte, 0, len(data)))
+	metaLines = make([]string, 0, 1)
+
+	// Find jess metadata lines.
+	s := bufio.NewScanner(bytes.NewReader(data))
+	s.Split(scanRawLines)
+	for s.Scan() {
+		if strings.HasPrefix(s.Text(), metaLinePrefix) {
+			metaLines = append(metaLines, strings.TrimSpace(strings.TrimPrefix(s.Text(), commentSign)))
+		} else {
+			_, _ = contentBuf.Write(s.Bytes())
+		}
+	}
+	if s.Err() != nil {
+		return nil, nil, s.Err()
+	}
+
+	return bytes.TrimSpace(contentBuf.Bytes()), metaLines, nil
+}
+
+func detectLineEndFormat(data []byte) (lineEnd string) {
+	i := bytes.IndexByte(data, '\n')
+	switch i {
+	case -1:
+		// Default to just newline.
+		return "\n"
+	case 0:
+		// File start with a newline.
+		return "\n"
+	default:
+		// First newline is at second byte or later.
+		if bytes.Equal(data[i-1:i+1], []byte("\r\n")) {
+			return "\r\n"
+		}
+		return "\n"
+	}
+}
+
+func textAddMeta(data []byte, metaLines []string, commentSign string, position TextPlacement) ([]byte, error) {
+	// Prepare new buffer.
+	requiredSize := len(data)
+	for _, line := range metaLines {
+		requiredSize += len(line) + len(commentSign) + 3 // space + CRLF
+	}
+	contentBuf := bytes.NewBuffer(make([]byte, 0, requiredSize))
+
+	// Find line ending.
+	lineEnd := detectLineEndFormat(data)
+
+	// Find jess metadata lines.
+	if position == "" {
+		position = defaultMetaPlacement
+	}
+
+	switch position {
+	case TextPlacementTop:
+		textWriteMetaLines(metaLines, commentSign, lineEnd, contentBuf)
+		contentBuf.Write(data)
+		// Add final newline.
+		contentBuf.WriteString(lineEnd)
+
+	case TextPlacementBottom:
+		contentBuf.Write(data)
+		// Add to newlines when appending, as content is first whitespace-stripped.
+		contentBuf.WriteString(lineEnd)
+		contentBuf.WriteString(lineEnd)
+		textWriteMetaLines(metaLines, commentSign, lineEnd, contentBuf)
+
+	case TextPlacementAfterComment:
+		metaWritten := false
+		s := bufio.NewScanner(bytes.NewReader(data))
+		s.Split(scanRawLines)
+		for s.Scan() {
+			switch {
+			case metaWritten:
+				_, _ = contentBuf.Write(s.Bytes())
+			case strings.HasPrefix(s.Text(), commentSign):
+				_, _ = contentBuf.Write(s.Bytes())
+			default:
+				textWriteMetaLines(metaLines, commentSign, lineEnd, contentBuf)
+				metaWritten = true
+				_, _ = contentBuf.Write(s.Bytes())
+			}
+		}
+		if s.Err() != nil {
+			return nil, s.Err()
+		}
+		// If we have scanned through the file, and meta was not written, write it now.
+		if !metaWritten {
+			textWriteMetaLines(metaLines, commentSign, lineEnd, contentBuf)
+		}
+		// Add final newline.
+		contentBuf.WriteString(lineEnd)
+	}
+
+	return contentBuf.Bytes(), nil
+}
+
+func textWriteMetaLines(metaLines []string, commentSign string, lineEnd string, writer io.StringWriter) {
+	for _, line := range metaLines {
+		_, _ = writer.WriteString(commentSign)
+		_, _ = writer.WriteString(" ")
+		_, _ = writer.WriteString(line)
+		_, _ = writer.WriteString(lineEnd)
+	}
+}
+
+// scanRawLines is a split function for a Scanner that returns each line of
+// text, including any trailing end-of-line marker. The returned line may
+// be empty. The end-of-line marker is one optional carriage return followed
+// by one mandatory newline. In regular expression notation, it is `\r?\n`.
+// The last non-empty line of input will be returned even if it has no
+// newline.
+func scanRawLines(data []byte, atEOF bool) (advance int, token []byte, err error) {
+	if atEOF && len(data) == 0 {
+		return 0, nil, nil
+	}
+	if i := bytes.IndexByte(data, '\n'); i >= 0 {
+		// We have a full newline-terminated line.
+		return i + 1, data[0 : i+1], nil
+	}
+	// If we're at EOF, we have a final, non-terminated line. Return it.
+	if atEOF {
+		return len(data), data, nil
+	}
+	// Request more data.
+	return 0, nil, nil
+}
--- a/filesig/text_test.go
+++ b/filesig/text_test.go
@ -0,0 +1,180 @@
+package filesig
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestTextChecksums(t *testing.T) {
+	t.Parallel()
+
+	// Base test text file.
+	text := `#!/bin/bash
+# Initial
+# Comment
+# Block
+
+do_something()`
+
+	// Test with checksum after comment.
+
+	textWithChecksumAfterComment := `#!/bin/bash
+# Initial
+# Comment
+# Block
+# jess-checksum: ZwngYUfUBeUn99HSdrNxkWSNjqrgZuSpVrexeEYttBso5o
+
+do_something()
+`
+
+	testTextWithChecksumAfterComment, err := AddTextFileChecksum([]byte(text), "#", TextPlacementAfterComment)
+	require.NoError(t, err, "should be able to add checksum")
+	assert.Equal(t, textWithChecksumAfterComment, string(testTextWithChecksumAfterComment), "should match")
+	require.NoError(t,
+		VerifyTextFileChecksum(testTextWithChecksumAfterComment, "#"),
+		"checksum should be correct",
+	)
+	require.NoError(t,
+		VerifyTextFileChecksum(append(
+			[]byte("\n\n  \r\n"),
+			testTextWithChecksumAfterComment...,
+		), "#"),
+		"checksum should be correct",
+	)
+	require.NoError(t,
+		VerifyTextFileChecksum(append(
+			testTextWithChecksumAfterComment,
+			[]byte("\r\n \n \n")...,
+		), "#"),
+		"checksum should be correct",
+	)
+
+	// Test with checksum at top.
+
+	textWithChecksumAtTop := `# jess-checksum: ZwngYUfUBeUn99HSdrNxkWSNjqrgZuSpVrexeEYttBso5o
+#!/bin/bash
+# Initial
+# Comment
+# Block
+
+do_something()
+`
+
+	testTextWithChecksumAtTop, err := AddTextFileChecksum([]byte(text), "#", TextPlacementTop)
+	require.NoError(t, err, "should be able to add checksum")
+	assert.Equal(t, textWithChecksumAtTop, string(testTextWithChecksumAtTop), "should match")
+	require.NoError(t,
+		VerifyTextFileChecksum(testTextWithChecksumAtTop, "#"),
+		"checksum should be correct",
+	)
+
+	// Test with checksum at bottom.
+
+	textWithChecksumAtBottom := `#!/bin/bash
+# Initial
+# Comment
+# Block
+
+do_something()
+
+# jess-checksum: ZwngYUfUBeUn99HSdrNxkWSNjqrgZuSpVrexeEYttBso5o
+`
+
+	testTextWithChecksumAtBottom, err := AddTextFileChecksum([]byte(text), "#", TextPlacementBottom)
+	require.NoError(t, err, "should be able to add checksum")
+	assert.Equal(t, textWithChecksumAtBottom, string(testTextWithChecksumAtBottom), "should match")
+	require.NoError(t,
+		VerifyTextFileChecksum(testTextWithChecksumAtBottom, "#"),
+		"checksum should be correct",
+	)
+
+	// Test with multiple checksums.
+
+	textWithMultiChecksum := `# jess-checksum: PTNktssvYCYjZXLFL2QoBk7DYoSz1qF7DJd5XNvtptd41B
+#!/bin/bash
+# Initial
+# Comment
+# Block
+# jess-checksum: Cy2TyVDjEStUqX3wCzCCKTfy228KaQK25ZDbHNmKiF8SPf
+
+do_something()
+
+# jess-checksum: YdgJFzuvFduk1MwRjZ2JkWQ6tCE1wkjn9xubSggKAdJSX5
+`
+	assert.NoError(t,
+		VerifyTextFileChecksum([]byte(textWithMultiChecksum), "#"),
+		"checksum should be correct",
+	)
+
+	textWithMultiChecksumOutput := `#!/bin/bash
+# Initial
+# Comment
+# Block
+# jess-checksum: Cy2TyVDjEStUqX3wCzCCKTfy228KaQK25ZDbHNmKiF8SPf
+# jess-checksum: PTNktssvYCYjZXLFL2QoBk7DYoSz1qF7DJd5XNvtptd41B
+# jess-checksum: YdgJFzuvFduk1MwRjZ2JkWQ6tCE1wkjn9xubSggKAdJSX5
+# jess-checksum: ZwngYUfUBeUn99HSdrNxkWSNjqrgZuSpVrexeEYttBso5o
+
+do_something()
+`
+	testTextWithMultiChecksumOutput, err := AddTextFileChecksum([]byte(textWithMultiChecksum), "#", TextPlacementAfterComment)
+	require.NoError(t, err, "should be able to add checksum")
+	assert.Equal(t, textWithMultiChecksumOutput, string(testTextWithMultiChecksumOutput), "should match")
+
+	// Test failing checksums.
+
+	textWithFailingChecksums := `#!/bin/bash
+# Initial
+# Comment
+# Block
+# jess-checksum: Cy2TyVDjEStUqX3wCzCCKTfy228KaQK25ZDbHNmKiF8SPf
+# jess-checksum: PTNktssvYCYjZXLFL2QoBk7DYoSz1qF7DJd5XNvtptd41B
+# jess-checksum: YdgJFzuvFduk1MwRjZ2JkWQ6tCE1wkjn9xubSggKAdJSX5
+# jess-checksum: ZwngYUfUBeUn99HSdrNxkWSNjaaaaaaaaaaaaaaaaaaaaa
+
+do_something()
+`
+	require.Error(t, VerifyTextFileChecksum([]byte(textWithFailingChecksums), "#"), "should fail")
+}
+
+func TestLineEndDetection(t *testing.T) {
+	t.Parallel()
+
+	assert.Equal(t,
+		"\n",
+		detectLineEndFormat(nil),
+		"empty data should default to simple lf ending",
+	)
+	assert.Equal(t,
+		"\n",
+		detectLineEndFormat([]byte("\n")),
+		"shoud detect lf ending with empty first line",
+	)
+	assert.Equal(t,
+		"\r\n",
+		detectLineEndFormat([]byte("\r\n")),
+		"shoud detect crlf ending with empty first line",
+	)
+	assert.Equal(t,
+		"\n",
+		detectLineEndFormat([]byte("abc\n")),
+		"shoud detect lf ending with data on single line",
+	)
+	assert.Equal(t,
+		"\r\n",
+		detectLineEndFormat([]byte("abc\r\n")),
+		"shoud detect crlf ending with data on single line",
+	)
+	assert.Equal(t,
+		"\n",
+		detectLineEndFormat([]byte("abc\nabc\r\n")),
+		"shoud detect lf ending with data on first line",
+	)
+	assert.Equal(t,
+		"\r\n",
+		detectLineEndFormat([]byte("abc\r\nabc\n")),
+		"shoud detect crlf ending with data on first line",
+	)
+}
--- a/filesig/text_yaml.go
+++ b/filesig/text_yaml.go
@ -0,0 +1,11 @@
+package filesig
+
+// AddYAMLChecksum adds a checksum to a yaml file.
+func AddYAMLChecksum(data []byte, placement TextPlacement) ([]byte, error) {
+	return AddTextFileChecksum(data, "#", placement)
+}
+
+// VerifyYAMLChecksum checks a checksum in a yaml file.
+func VerifyYAMLChecksum(data []byte) error {
+	return VerifyTextFileChecksum(data, "#")
+}
--- a/go.mod
+++ b/go.mod
@ -1,16 +1,50 @@
 module github.com/safing/jess

-go 1.15
+go 1.21.1
+
+toolchain go1.22.3

 require (
-	github.com/AlecAivazis/survey/v2 v2.3.6
+	github.com/AlecAivazis/survey/v2 v2.3.7
 	github.com/aead/ecdh v0.2.0
 	github.com/mr-tron/base58 v1.2.0
-	github.com/safing/portbase v0.16.2
+	github.com/safing/structures v1.1.0
 	github.com/satori/go.uuid v1.2.0
-	github.com/spf13/cobra v1.5.0
+	github.com/spf13/cobra v1.8.1
+	github.com/stretchr/testify v1.8.4
 	github.com/tevino/abool v1.2.0
-	github.com/zalando/go-keyring v0.2.1
-	golang.org/x/crypto v0.0.0-20221010152910-d6f0a8c073c2
-	golang.org/x/sys v0.0.0-20221010170243-090e33056c14 // indirect
+	github.com/tidwall/gjson v1.17.1
+	github.com/tidwall/pretty v1.2.1
+	github.com/tidwall/sjson v1.2.5
+	github.com/zalando/go-keyring v0.2.5
+	github.com/zeebo/blake3 v0.2.3
+	golang.org/x/crypto v0.24.0
+	golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8
+)
+
+require (
+	github.com/alessio/shellescape v1.4.2 // indirect
+	github.com/danieljoos/wincred v1.2.1 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.8 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
+	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/term v0.21.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,211 +1,137 @@
-github.com/AlecAivazis/survey/v2 v2.3.6 h1:NvTuVHISgTHEHeBFqt6BHOe4Ny/NwGZr7w+F8S9ziyw=
-github.com/AlecAivazis/survey/v2 v2.3.6/go.mod h1:4AuI9b7RjAR+G7v9+C4YSlX/YL3K3cWNXgWXOhllqvI=
-github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96/go.mod h1:bOvUY6CB00SOBii9/FifXqc0awNKxLFCL/+pkDPuyl8=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/AlecAivazis/survey/v2 v2.3.7 h1:6I/u8FvytdGsgonrYsVn2t8t4QiRnh6QSTqkkhIiSjQ=
+github.com/AlecAivazis/survey/v2 v2.3.7/go.mod h1:xUTIdE4KCOIjsBAE1JYsUPoCqYdZ1reCfTwbto0Fduo=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
-github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/VictoriaMetrics/metrics v1.22.2/go.mod h1:rAr/llLpEnAdTehiNlUxKgnjcOuROSzpw0GvjpEbvFc=
 github.com/aead/ecdh v0.2.0 h1:pYop54xVaq/CEREFEcukHRZfTdjiWvYIsZDXXrBapQQ=
 github.com/aead/ecdh v0.2.0/go.mod h1:a9HHtXuSo8J1Js1MwLQx2mBhkXMT6YwUmVVEY4tTB8U=
-github.com/aead/serpent v0.0.0-20160714141033-fba169763ea6/go.mod h1:3HgLJ9d18kXMLQlJvIY3+FszZYMxCz8WfE2MQ7hDY0w=
-github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0=
-github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30=
-github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
-github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/bluele/gcache v0.0.2/go.mod h1:m15KV+ECjptwSPxKhOhQoAFQVtUFjTVkc3H8o0t/fp0=
-github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
-github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
-github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/alessio/shellescape v1.4.2 h1:MHPfaU+ddJ0/bYWpgIeUnQUqKrlJ1S7BfEYPM4uEoM0=
+github.com/alessio/shellescape v1.4.2/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30=
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.17 h1:QeVUsEDNrLBW4tMgZHvxy18sKtr6VI492kBhUfhDJNI=
 github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/danieljoos/wincred v1.1.0/go.mod h1:XYlo+eRTsVA9aHGp7NGjFkPla4m+DCL7hqDjlFjiygg=
-github.com/danieljoos/wincred v1.1.2 h1:QLdCxFs1/Yl4zduvBdcHB8goaYk9RARS2SgLLRuAyr0=
-github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnGqR5Vl2tAx0=
+github.com/danieljoos/wincred v1.2.1 h1:dl9cBrupW8+r5250DYkYxocLeZ1Y4vB1kxgtjxw8GQs=
+github.com/danieljoos/wincred v1.2.1/go.mod h1:uGaFL9fDn3OLTvzCGulzE+SzjEe5NGlh5FdCcyfPwps=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgraph-io/badger v1.6.2/go.mod h1:JW2yswe3V058sS0kZ2h/AXeDSqFjxnZcRrVH//y2UQE=
-github.com/dgraph-io/ristretto v0.0.2/go.mod h1:KPxhHT9ZxKefz+PCeOGsrHpl1qZ7i70dGTu2u+Ahh6E=
-github.com/dgraph-io/ristretto v0.1.0/go.mod h1:fux0lOrBhrVCJd3lcTHsIJhq1T2rokOu6v9Vcb3Q9ug=
-github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
-github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
-github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88=
-github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
-github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
-github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/gofrs/uuid v4.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/gofrs/uuid v4.3.0+incompatible h1:CaSVZxm5B+7o45rtab4jC2G37WGYX1zQfuU2i6DSvnc=
-github.com/gofrs/uuid v4.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
-github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
-github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
-github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u7lxST/RaJw+cv273q79D81Xbog=
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68=
-github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
-github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
-github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
+github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
+github.com/klauspost/cpuid/v2 v2.2.8 h1:+StwCXwm9PdpiEkPyzBXIy+M9KUb4ODm0Zarf1kS5BM=
+github.com/klauspost/cpuid/v2 v2.2.8/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
 github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
-github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
-github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mr-tron/base58 v1.2.0 h1:T/HDJBh4ZCPbU39/+c3rRvE0uKBQlU27+QI8LJ4t64o=
 github.com/mr-tron/base58 v1.2.0/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
-github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
-github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/safing/jess v0.3.0/go.mod h1:JbYsPk5iJZx0OXDZeMcjS9qEdkGVUg+DCA8Fw2LdN9s=
-github.com/safing/portbase v0.15.2/go.mod h1:5bHi99fz7Hh/wOsZUOI631WF9ePSHk57c4fdlOMS91Y=
-github.com/safing/portbase v0.16.2 h1:ZlCZBZkKmgJDR+sHSRbFc9mM8m9qYtu8agE1xCirvQU=
-github.com/safing/portbase v0.16.2/go.mod h1:mzNCWqPbO7vIYbbK5PElGbudwd2vx4YPNawymL8Aro8=
+github.com/safing/structures v1.1.0 h1:QzHBQBjaZSLzw2f6PM4ibSmPcfBHAOB5CKJ+k4FYkhQ=
+github.com/safing/structures v1.1.0/go.mod h1:QUrB74FcU41ahQ5oy3YNFCoSq+twE/n3+vNZc2K35II=
 github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
-github.com/seehuhn/fortuna v1.0.1/go.mod h1:LX8ubejCnUoT/hX+1aKUtbKls2H6DRkqzkc7TdR3iis=
-github.com/seehuhn/sha256d v1.0.0/go.mod h1:PEuxg9faClSveVuFXacQmi+NtDI/PX8bpKjtNzf2+s4=
-github.com/shirou/gopsutil v3.21.11+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
-github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
-github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
-github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
-github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
-github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU=
-github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM=
-github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
-github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/tevino/abool v1.2.0 h1:heAkClL8H6w+mK5md9dzsuohKeXHUpY7Vw0ZCKW+huA=
 github.com/tevino/abool v1.2.0/go.mod h1:qc66Pna1RiIsPa7O4Egxxs9OqkuxDX55zznh9K07Tzg=
 github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
-github.com/tidwall/gjson v1.14.3/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/gjson v1.17.1 h1:wlYEnwqAHgzmhNUFfw7Xalt2JzQvsMx2Se4PcoFCT/U=
+github.com/tidwall/gjson v1.17.1/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
+github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
 github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
-github.com/tklauser/go-sysconf v0.3.9/go.mod h1:11DU/5sG7UexIrp/O6g35hrWzu0JxlwQ3LSFUzyeuhs=
-github.com/tklauser/go-sysconf v0.3.10/go.mod h1:C8XykCvCb+Gn0oNCWPIlcb0RuglQTYaQ2hGm7jmxEFk=
-github.com/tklauser/numcpus v0.3.0/go.mod h1:yFGUr7TUHQRAhyqBcEg0Ge34zDBAsIvJJcyE6boqnA8=
-github.com/tklauser/numcpus v0.4.0/go.mod h1:1+UI3pD8NW14VMwdgJNJ1ESk2UnwhAnz5hMwiKKqXCQ=
-github.com/tklauser/numcpus v0.5.0/go.mod h1:OGzpTxpcIMNGYQdit2BYL1pvk/dSOaJWjKoflh+RQjo=
-github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
-github.com/valyala/fastrand v1.1.0/go.mod h1:HWqCzkrkg6QXT8V2EXWvXCoow7vLwOFN002oeRzjapQ=
-github.com/valyala/histogram v1.2.0/go.mod h1:Hb4kBwb4UxsaNbbbh+RRz8ZR6pdodR57tzWUS3BUzXY=
-github.com/vmihailenco/msgpack/v5 v5.3.5 h1:5gO0H1iULLWGhs2H5tbAHIZTV8/cYafcFOr9znI5mJU=
-github.com/vmihailenco/msgpack/v5 v5.3.5/go.mod h1:7xyJ9e+0+9SaZT0Wt1RGleJXzli6Q/V5KbhBonMG9jc=
+github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IUPn0Bjt8=
+github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok=
 github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
 github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
-github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-github.com/zalando/go-keyring v0.2.1 h1:MBRN/Z8H4U5wEKXiD67YbDAr5cj/DOStmSga70/2qKc=
-github.com/zalando/go-keyring v0.2.1/go.mod h1:g63M2PPn0w5vjmEbwAX3ib5I+41zdm4esSETOn9Y6Dw=
-go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
-golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/zalando/go-keyring v0.2.5 h1:Bc2HHpjALryKD62ppdEzaFG6VxL6Bc+5v0LYpN8Lba8=
+github.com/zalando/go-keyring v0.2.5/go.mod h1:HL4k+OXQfJUWaMnqyuSOc0drfGPX2b51Du6K+MRgZMk=
+github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY=
+github.com/zeebo/assert v1.1.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
+github.com/zeebo/blake3 v0.2.3 h1:TFoLXsjeXqRNFxSbk35Dk4YtszE/MQQGK10BH4ptoTg=
+github.com/zeebo/blake3 v0.2.3/go.mod h1:mjJjZpnsyIVtVgTOSpJ9vmRE4wgDeyt2HU3qXvvKCaQ=
+github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
+github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
 golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20221010152910-d6f0a8c073c2 h1:x8vtB3zMecnlqZIwJNUUpwYKYSqCz5jXbiyv0ZJJZeI=
-golang.org/x/crypto v0.0.0-20221010152910-d6f0a8c073c2/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
+golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
+golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 h1:yixxcjnhBmY0nkL253HFVIm0JsFHwrHdT3Yh6szTnfY=
+golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8/go.mod h1:jj3sYF3dwk5D+ghuXyeI3r5MFf+NT2An6/9dOA95KSI=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220927171203-f486391704dc/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220923202941-7f9b1623fab7/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210816074244-15123e1e1f71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20221010170243-090e33056c14 h1:k5II8e6QD8mITdi+okbbmR/cIyEbeXLBhy5Ha4nevyc=
-golang.org/x/sys v0.0.0-20221010170243-090e33056c14/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.0.0-20220919170432-7a66f970e087 h1:tPwmk4vmvVCMdr98VgL4JH+qZxPL8fqlUOHnyOM8N3w=
-golang.org/x/term v0.0.0-20220919170432-7a66f970e087/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
+golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
--- a/hashtools/blake2.go
+++ b/hashtools/blake2.go
@ -18,7 +18,8 @@ func init() {

 	Register(blake2bBase.With(&HashTool{
 		Name:          "BLAKE2s-256",
-		Hash:          crypto.BLAKE2s_256,
+		NewHash:       crypto.BLAKE2s_256.New,
+		CryptoHashID:  crypto.BLAKE2b_256,
 		DigestSize:    crypto.BLAKE2s_256.Size(),
 		BlockSize:     crypto.BLAKE2s_256.New().BlockSize(),
 		SecurityLevel: 128,
@ -27,7 +28,8 @@ func init() {
 	}))
 	Register(blake2bBase.With(&HashTool{
 		Name:          "BLAKE2b-256",
-		Hash:          crypto.BLAKE2b_256,
+		NewHash:       crypto.BLAKE2b_256.New,
+		CryptoHashID:  crypto.BLAKE2b_256,
 		DigestSize:    crypto.BLAKE2b_256.Size(),
 		BlockSize:     crypto.BLAKE2b_256.New().BlockSize(),
 		SecurityLevel: 128,
@ -35,7 +37,8 @@ func init() {
 	}))
 	Register(blake2bBase.With(&HashTool{
 		Name:          "BLAKE2b-384",
-		Hash:          crypto.BLAKE2b_384,
+		NewHash:       crypto.BLAKE2b_384.New,
+		CryptoHashID:  crypto.BLAKE2b_384,
 		DigestSize:    crypto.BLAKE2b_384.Size(),
 		BlockSize:     crypto.BLAKE2b_384.New().BlockSize(),
 		SecurityLevel: 192,
@ -43,7 +46,8 @@ func init() {
 	}))
 	Register(blake2bBase.With(&HashTool{
 		Name:          "BLAKE2b-512",
-		Hash:          crypto.BLAKE2b_512,
+		NewHash:       crypto.BLAKE2b_512.New,
+		CryptoHashID:  crypto.BLAKE2b_512,
 		DigestSize:    crypto.BLAKE2b_512.Size(),
 		BlockSize:     crypto.BLAKE2b_512.New().BlockSize(),
 		SecurityLevel: 256,
--- a/hashtools/blake3.go
+++ b/hashtools/blake3.go
@ -0,0 +1,26 @@
+package hashtools
+
+import (
+	"hash"
+
+	"github.com/zeebo/blake3"
+
+	"github.com/safing/jess/lhash"
+)
+
+func init() {
+	Register(&HashTool{
+		Name:          "BLAKE3",
+		NewHash:       newBlake3,
+		DigestSize:    newBlake3().Size(),
+		BlockSize:     newBlake3().BlockSize(),
+		SecurityLevel: 128,
+		Comment:       "cryptographic hash function based on Bao and BLAKE2",
+		Author:        "Jean-Philippe Aumasson et al., 2020",
+		labeledAlg:    lhash.BLAKE3,
+	})
+}
+
+func newBlake3() hash.Hash {
+	return blake3.New()
+}
--- a/hashtools/hashtool.go
+++ b/hashtools/hashtool.go
@ -10,7 +10,9 @@ import (
 // HashTool holds generic information about a hash tool.
 type HashTool struct {
 	Name string
-	Hash crypto.Hash
+
+	NewHash      func() hash.Hash
+	CryptoHashID crypto.Hash

 	DigestSize    int // in bytes
 	BlockSize     int // in bytes
@ -24,7 +26,7 @@ type HashTool struct {

 // New returns a new hash.Hash instance of the hash tool.
 func (ht *HashTool) New() hash.Hash {
-	return ht.Hash.New()
+	return ht.NewHash()
 }

 // With uses the original HashTool as a template for a new HashTool and returns the new HashTool.
@ -32,8 +34,11 @@ func (ht *HashTool) With(changes *HashTool) *HashTool {
 	if changes.Name == "" {
 		changes.Name = ht.Name
 	}
-	if changes.Hash == 0 {
-		changes.Hash = ht.Hash
+	if changes.NewHash == nil {
+		changes.NewHash = ht.NewHash
+	}
+	if changes.CryptoHashID == 0 {
+		changes.CryptoHashID = ht.CryptoHashID
 	}
 	if changes.DigestSize == 0 {
 		changes.DigestSize = ht.DigestSize
--- a/hashtools/sha.go
+++ b/hashtools/sha.go
@ -20,7 +20,8 @@ func init() {
 	}
 	Register(sha2Base.With(&HashTool{
 		Name:          "SHA2-224",
-		Hash:          crypto.SHA224,
+		NewHash:       crypto.SHA224.New,
+		CryptoHashID:  crypto.SHA224,
 		DigestSize:    crypto.SHA224.Size(),
 		BlockSize:     crypto.SHA224.New().BlockSize(),
 		SecurityLevel: 112,
@ -29,7 +30,8 @@ func init() {
 	}))
 	Register(sha2Base.With(&HashTool{
 		Name:          "SHA2-256",
-		Hash:          crypto.SHA256,
+		NewHash:       crypto.SHA256.New,
+		CryptoHashID:  crypto.SHA256,
 		DigestSize:    crypto.SHA256.Size(),
 		BlockSize:     crypto.SHA256.New().BlockSize(),
 		SecurityLevel: 128,
@ -37,7 +39,8 @@ func init() {
 	}))
 	Register(sha2Base.With(&HashTool{
 		Name:          "SHA2-384",
-		Hash:          crypto.SHA384,
+		NewHash:       crypto.SHA384.New,
+		CryptoHashID:  crypto.SHA384,
 		DigestSize:    crypto.SHA384.Size(),
 		BlockSize:     crypto.SHA384.New().BlockSize(),
 		SecurityLevel: 192,
@ -45,7 +48,8 @@ func init() {
 	}))
 	Register(sha2Base.With(&HashTool{
 		Name:          "SHA2-512",
-		Hash:          crypto.SHA512,
+		NewHash:       crypto.SHA512.New,
+		CryptoHashID:  crypto.SHA512,
 		DigestSize:    crypto.SHA512.Size(),
 		BlockSize:     crypto.SHA512.New().BlockSize(),
 		SecurityLevel: 256,
@ -53,7 +57,8 @@ func init() {
 	}))
 	Register(sha2Base.With(&HashTool{
 		Name:          "SHA2-512-224",
-		Hash:          crypto.SHA512_224,
+		NewHash:       crypto.SHA512_224.New,
+		CryptoHashID:  crypto.SHA512_224,
 		DigestSize:    crypto.SHA512_224.Size(),
 		BlockSize:     crypto.SHA512_224.New().BlockSize(),
 		SecurityLevel: 112,
@ -61,7 +66,8 @@ func init() {
 	}))
 	Register(sha2Base.With(&HashTool{
 		Name:          "SHA2-512-256",
-		Hash:          crypto.SHA512_256,
+		NewHash:       crypto.SHA512_256.New,
+		CryptoHashID:  crypto.SHA512_256,
 		DigestSize:    crypto.SHA512_256.Size(),
 		BlockSize:     crypto.SHA512_256.New().BlockSize(),
 		SecurityLevel: 128,
@ -75,7 +81,8 @@ func init() {
 	}
 	Register(sha3Base.With(&HashTool{
 		Name:          "SHA3-224",
-		Hash:          crypto.SHA3_224,
+		NewHash:       crypto.SHA3_224.New,
+		CryptoHashID:  crypto.SHA3_224,
 		DigestSize:    crypto.SHA3_224.Size(),
 		BlockSize:     crypto.SHA3_224.New().BlockSize(),
 		SecurityLevel: 112,
@ -83,7 +90,8 @@ func init() {
 	}))
 	Register(sha3Base.With(&HashTool{
 		Name:          "SHA3-256",
-		Hash:          crypto.SHA3_256,
+		NewHash:       crypto.SHA3_256.New,
+		CryptoHashID:  crypto.SHA3_256,
 		DigestSize:    crypto.SHA3_256.Size(),
 		BlockSize:     crypto.SHA3_256.New().BlockSize(),
 		SecurityLevel: 128,
@ -91,7 +99,8 @@ func init() {
 	}))
 	Register(sha3Base.With(&HashTool{
 		Name:          "SHA3-384",
-		Hash:          crypto.SHA3_384,
+		NewHash:       crypto.SHA3_384.New,
+		CryptoHashID:  crypto.SHA3_384,
 		DigestSize:    crypto.SHA3_384.Size(),
 		BlockSize:     crypto.SHA3_384.New().BlockSize(),
 		SecurityLevel: 192,
@ -99,7 +108,8 @@ func init() {
 	}))
 	Register(sha3Base.With(&HashTool{
 		Name:          "SHA3-512",
-		Hash:          crypto.SHA3_512,
+		NewHash:       crypto.SHA3_512.New,
+		CryptoHashID:  crypto.SHA3_512,
 		DigestSize:    crypto.SHA3_512.Size(),
 		BlockSize:     crypto.SHA3_512.New().BlockSize(),
 		SecurityLevel: 256,
--- a/hashtools/tools_test.go
+++ b/hashtools/tools_test.go
@ -1,16 +1,18 @@
 package hashtools

-import "testing"
+import (
+	"encoding/hex"
+	"testing"
+)

 func TestAll(t *testing.T) {
 	t.Parallel()

-	testData := []byte("The quick brown fox jumps over the lazy dog. ")
+	testData := []byte("The quick brown fox jumps over the lazy dog.")

 	all := AsList()
 	for _, hashTool := range all {
-
-		// take detour in getting hash.Hash for testing
+		// Test hash usage.
 		hash, err := New(hashTool.Name)
 		if err != nil {
 			t.Fatalf("failed to get HashTool %s", hashTool.Name)
@ -30,5 +32,97 @@ func TestAll(t *testing.T) {
 			t.Errorf("hashTool %s is broken or reports invalid digest size. Expected %d, got %d.", hashTool.Name, hashTool.DigestSize, len(sum))
 		}

+		// Check hash outputs.
+		expectedOutputs, ok := testOutputs[hashTool.Name]
+		if !ok {
+			t.Errorf("no test outputs available for %s", hashTool.Name)
+			continue
+		}
+
+		// Test empty string.
+		hash.Reset()
+		_, _ = hash.Write(testInputEmpty)
+		hexSum := hex.EncodeToString(hash.Sum(nil))
+		if hexSum != expectedOutputs[0] {
+			t.Errorf("hash tool %s: test empty: digest mismatch, expected %+v, got %+v",
+				hashTool.Name, expectedOutputs[0], hexSum)
+		}
+
+		// Test fox string.
+		hash.Reset()
+		_, _ = hash.Write(testInputFox)
+		hexSum = hex.EncodeToString(hash.Sum(nil))
+		if hexSum != expectedOutputs[1] {
+			t.Errorf("hash tool %s: test empty: digest mismatch, expected %+v, got %+v",
+				hashTool.Name, expectedOutputs[1], hexSum)
+		}
 	}
 }
+
+var (
+	testInputEmpty = []byte("")
+	testInputFox   = []byte("The quick brown fox jumps over the lazy dog.")
+)
+
+var testOutputs = map[string][2]string{
+	"SHA2-224": {
+		"d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f",
+		"619cba8e8e05826e9b8c519c0a5c68f4fb653e8a3d8aa04bb2c8cd4c",
+	},
+	"SHA2-256": {
+		"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+		"ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c",
+	},
+	"SHA2-384": {
+		"38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
+		"ed892481d8272ca6df370bf706e4d7bc1b5739fa2177aae6c50e946678718fc67a7af2819a021c2fc34e91bdb63409d7",
+	},
+	"SHA2-512": {
+		"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
+		"91ea1245f20d46ae9a037a989f54f1f790f0a47607eeb8a14d12890cea77a1bbc6c7ed9cf205e67b7f2b8fd4c7dfd3a7a8617e45f3c463d481c7e586c39ac1ed",
+	},
+	"SHA2-512-224": {
+		"6ed0dd02806fa89e25de060c19d3ac86cabb87d6a0ddd05c333b84f4",
+		"6d6a9279495ec4061769752e7ff9c68b6b0b3c5a281b7917ce0572de",
+	},
+	"SHA2-512-256": {
+		"c672b8d1ef56ed28ab87c3622c5114069bdd3ad7b8f9737498d0c01ecef0967a",
+		"1546741840f8a492b959d9b8b2344b9b0eb51b004bba35c0aebaac86d45264c3",
+	},
+	"SHA3-224": {
+		"6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3f5b5a6bc7",
+		"2d0708903833afabdd232a20201176e8b58c5be8a6fe74265ac54db0",
+	},
+	"SHA3-256": {
+		"a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a",
+		"a80f839cd4f83f6c3dafc87feae470045e4eb0d366397d5c6ce34ba1739f734d",
+	},
+	"SHA3-384": {
+		"0c63a75b845e4f7d01107d852e4c2485c51a50aaaa94fc61995e71bbee983a2ac3713831264adb47fb6bd1e058d5f004",
+		"1a34d81695b622df178bc74df7124fe12fac0f64ba5250b78b99c1273d4b080168e10652894ecad5f1f4d5b965437fb9",
+	},
+	"SHA3-512": {
+		"a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26",
+		"18f4f4bd419603f95538837003d9d254c26c23765565162247483f65c50303597bc9ce4d289f21d1c2f1f458828e33dc442100331b35e7eb031b5d38ba6460f8",
+	},
+	"BLAKE2s-256": {
+		"69217a3079908094e11121d042354a7c1f55b6482ca1a51e1b250dfd1ed0eef9",
+		"95bca6e1b761dca1323505cc629949a0e03edf11633cc7935bd8b56f393afcf2",
+	},
+	"BLAKE2b-256": {
+		"0e5751c026e543b2e8ab2eb06099daa1d1e5df47778f7787faab45cdf12fe3a8",
+		"69d7d3b0afba81826d27024c17f7f183659ed0812cf27b382eaef9fdc29b5712",
+	},
+	"BLAKE2b-384": {
+		"b32811423377f52d7862286ee1a72ee540524380fda1724a6f25d7978c6fd3244a6caf0498812673c5e05ef583825100",
+		"16d65de1a3caf1c26247234c39af636284c7e19ca448c0de788272081410778852c94d9cef6b939968d4f872c7f78337",
+	},
+	"BLAKE2b-512": {
+		"786a02f742015903c6c6fd852552d272912f4740e15847618a86e217f71f5419d25e1031afee585313896444934eb04b903a685b1448b755d56f701afe9be2ce",
+		"87af9dc4afe5651b7aa89124b905fd214bf17c79af58610db86a0fb1e0194622a4e9d8e395b352223a8183b0d421c0994b98286cbf8c68a495902e0fe6e2bda2",
+	},
+	"BLAKE3": {
+		"af1349b9f5f9a1a6a0404dea36dcc9499bcb25c9adc112b7cc9a93cae41f3262",
+		"4c9bd68d7f0baa2e167cef98295eb1ec99a3ec8f0656b33dbae943b387f31d5d",
+	},
+}
--- a/letter-file.go
+++ b/letter-file.go
@ -3,8 +3,8 @@ package jess
 import (
 	"errors"

-	"github.com/safing/portbase/container"
-	"github.com/safing/portbase/formats/dsd"
+	"github.com/safing/structures/container"
+	"github.com/safing/structures/dsd"
 )

 /*
--- a/letter-wire.go
+++ b/letter-wire.go
@ -3,7 +3,7 @@ package jess
 import (
 	"errors"

-	"github.com/safing/portbase/container"
+	"github.com/safing/structures/container"
 )

 /*
--- a/letter.go
+++ b/letter.go
@ -10,8 +10,8 @@ import (
 	"encoding/json"
 	"fmt"

-	"github.com/safing/portbase/container"
-	"github.com/safing/portbase/formats/dsd"
+	"github.com/safing/structures/container"
+	"github.com/safing/structures/dsd"
 )

 // Letter is the data format for encrypted data at rest or in transit.
--- a/lhash/algs.go
+++ b/lhash/algs.go
@ -18,6 +18,8 @@ import (
 	// Register BLAKE2 in Go's internal registry.
 	_ "golang.org/x/crypto/blake2b"
 	_ "golang.org/x/crypto/blake2s"
+
+	"github.com/zeebo/blake3"
 )

 // Algorithm is an identifier for a hash function.
@ -41,6 +43,8 @@ const (
 	BLAKE2b_256 Algorithm = 25
 	BLAKE2b_384 Algorithm = 26
 	BLAKE2b_512 Algorithm = 27
+
+	BLAKE3 Algorithm = 32
 )

 func (a Algorithm) new() hash.Hash {
@ -70,7 +74,7 @@ func (a Algorithm) new() hash.Hash {
 	case SHA3_512:
 		return crypto.SHA3_512.New()

-	// BLAKE2
+		// BLAKE2
 	case BLAKE2s_256:
 		return crypto.BLAKE2s_256.New()
 	case BLAKE2b_256:
@ -80,6 +84,10 @@ func (a Algorithm) new() hash.Hash {
 	case BLAKE2b_512:
 		return crypto.BLAKE2b_512.New()

+		// BLAKE3
+	case BLAKE3:
+		return blake3.New()
+
 	default:
 		return nil
 	}
@ -122,6 +130,10 @@ func (a Algorithm) String() string {
 	case BLAKE2b_512:
 		return "BLAKE2b_512"

+		// BLAKE3
+	case BLAKE3:
+		return "BLAKE3"
+
 	default:
 		return "unknown"
 	}
--- a/lhash/labeledhash.go
+++ b/lhash/labeledhash.go
@ -12,7 +12,7 @@ import (

 	"github.com/mr-tron/base58"

-	"github.com/safing/portbase/container"
+	"github.com/safing/structures/container"
 )

 // LabeledHash represents a typed hash value.
--- a/lhash/labeledhash_test.go
+++ b/lhash/labeledhash_test.go
@ -32,27 +32,29 @@ func testAlgorithm(t *testing.T, alg Algorithm, emptyHex, foxHex string) {
 	// test empty
 	lh := Digest(alg, testEmpty)
 	if !bytes.Equal(lh.Bytes()[2:], emptyBytes) {
-		t.Errorf("alg %d: test empty: digest mismatch, expected %+v, got %+v", alg, emptyBytes, lh.Bytes()[2:])
+		t.Errorf("alg %s: test empty: digest mismatch, expected %+v, got %+v",
+			alg, hex.EncodeToString(emptyBytes), hex.EncodeToString(lh.Bytes()[2:]))
 	}

 	// test fox
 	lh = Digest(alg, testFoxData)
 	if !bytes.Equal(lh.Bytes()[2:], foxBytes) {
-		t.Errorf("alg %d: test fox: digest mismatch, expected %+v, got %+v", alg, foxBytes, lh.Bytes()[2:])
+		t.Errorf("alg %s: test fox: digest mismatch, expected %+v, got %+v",
+			alg, hex.EncodeToString(foxBytes), hex.EncodeToString(lh.Bytes()[2:]))
 	}

 	// test matching with serialized/loaded labeled hash
 	if !lh.Matches(testFoxData) {
-		t.Errorf("alg %d: failed to match reference", alg)
+		t.Errorf("alg %s: failed to match reference", alg)
 	}
 	if !lh.MatchesString(testFox) {
-		t.Errorf("alg %d: failed to match reference", alg)
+		t.Errorf("alg %s: failed to match reference", alg)
 	}
 	if lh.Matches(noMatchData) {
-		t.Errorf("alg %d: failed to non-match garbage", alg)
+		t.Errorf("alg %s: failed to non-match garbage", alg)
 	}
 	if lh.MatchesString(noMatch) {
-		t.Errorf("alg %d: failed to non-match garbage", alg)
+		t.Errorf("alg %s: failed to non-match garbage", alg)
 	}

 	// Test representations
@ -61,7 +63,7 @@ func testAlgorithm(t *testing.T, alg Algorithm, emptyHex, foxHex string) {
 	lhs := Digest(alg, testFoxData)
 	loaded, err := FromHex(lhs.Hex())
 	if err != nil {
-		t.Errorf("alg %d: failed to load from hex string: %s", alg, err)
+		t.Errorf("alg %s: failed to load from hex string: %s", alg, err)
 		return
 	}
 	testFormat(t, alg, lhs, loaded)
@ -70,7 +72,7 @@ func testAlgorithm(t *testing.T, alg Algorithm, emptyHex, foxHex string) {
 	lhs = Digest(alg, testFoxData)
 	loaded, err = FromBase64(lhs.Base64())
 	if err != nil {
-		t.Errorf("alg %d: failed to load from base64 string: %s", alg, err)
+		t.Errorf("alg %s: failed to load from base64 string: %s", alg, err)
 		return
 	}
 	testFormat(t, alg, lhs, loaded)
@ -79,7 +81,7 @@ func testAlgorithm(t *testing.T, alg Algorithm, emptyHex, foxHex string) {
 	lhs = Digest(alg, testFoxData)
 	loaded, err = FromBase58(lhs.Base58())
 	if err != nil {
-		t.Errorf("alg %d: failed to load from base58 string: %s", alg, err)
+		t.Errorf("alg %s: failed to load from base58 string: %s", alg, err)
 		return
 	}
 	testFormat(t, alg, lhs, loaded)
@ -92,47 +94,88 @@ func testFormat(t *testing.T, alg Algorithm, lhs, loaded *LabeledHash) {

 	// Test equality.
 	if !lhs.Equal(loaded) {
-		t.Errorf("alg %d: equality test failed", alg)
+		t.Errorf("alg %s: equality test failed", alg)
 	}
 	if lhs.Equal(noMatchLH) {
-		t.Errorf("alg %d: non-equality test failed", alg)
+		t.Errorf("alg %s: non-equality test failed", alg)
 	}

 	// Test matching.
 	if !loaded.Matches(testFoxData) {
-		t.Errorf("alg %d: failed to match reference", alg)
+		t.Errorf("alg %s: failed to match reference", alg)
 	}
 	if !loaded.MatchesString(testFox) {
-		t.Errorf("alg %d: failed to match reference", alg)
+		t.Errorf("alg %s: failed to match reference", alg)
 	}
 	if loaded.Matches(noMatchData) {
-		t.Errorf("alg %d: failed to non-match garbage", alg)
+		t.Errorf("alg %s: failed to non-match garbage", alg)
 	}
 	if loaded.MatchesString(noMatch) {
-		t.Errorf("alg %d: failed to non-match garbage", alg)
+		t.Errorf("alg %s: failed to non-match garbage", alg)
 	}
 }

 func TestHash(t *testing.T) {
 	t.Parallel()

+	testAlgorithm(t, SHA2_224,
+		"d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f",
+		"619cba8e8e05826e9b8c519c0a5c68f4fb653e8a3d8aa04bb2c8cd4c",
+	)
 	testAlgorithm(t, SHA2_256,
 		"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
 		"ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c",
 	)
-
+	testAlgorithm(t, SHA2_384,
+		"38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
+		"ed892481d8272ca6df370bf706e4d7bc1b5739fa2177aae6c50e946678718fc67a7af2819a021c2fc34e91bdb63409d7",
+	)
 	testAlgorithm(t, SHA2_512,
 		"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
 		"91ea1245f20d46ae9a037a989f54f1f790f0a47607eeb8a14d12890cea77a1bbc6c7ed9cf205e67b7f2b8fd4c7dfd3a7a8617e45f3c463d481c7e586c39ac1ed",
 	)
-
+	testAlgorithm(t, SHA2_512_224,
+		"6ed0dd02806fa89e25de060c19d3ac86cabb87d6a0ddd05c333b84f4",
+		"6d6a9279495ec4061769752e7ff9c68b6b0b3c5a281b7917ce0572de",
+	)
+	testAlgorithm(t, SHA2_512_256,
+		"c672b8d1ef56ed28ab87c3622c5114069bdd3ad7b8f9737498d0c01ecef0967a",
+		"1546741840f8a492b959d9b8b2344b9b0eb51b004bba35c0aebaac86d45264c3",
+	)
+	testAlgorithm(t, SHA3_224,
+		"6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3f5b5a6bc7",
+		"2d0708903833afabdd232a20201176e8b58c5be8a6fe74265ac54db0",
+	)
+	testAlgorithm(t, SHA3_256,
+		"a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a",
+		"a80f839cd4f83f6c3dafc87feae470045e4eb0d366397d5c6ce34ba1739f734d",
+	)
+	testAlgorithm(t, SHA3_384,
+		"0c63a75b845e4f7d01107d852e4c2485c51a50aaaa94fc61995e71bbee983a2ac3713831264adb47fb6bd1e058d5f004",
+		"1a34d81695b622df178bc74df7124fe12fac0f64ba5250b78b99c1273d4b080168e10652894ecad5f1f4d5b965437fb9",
+	)
 	testAlgorithm(t, SHA3_512,
 		"a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26",
 		"18f4f4bd419603f95538837003d9d254c26c23765565162247483f65c50303597bc9ce4d289f21d1c2f1f458828e33dc442100331b35e7eb031b5d38ba6460f8",
 	)
-
+	testAlgorithm(t, BLAKE2s_256,
+		"69217a3079908094e11121d042354a7c1f55b6482ca1a51e1b250dfd1ed0eef9",
+		"95bca6e1b761dca1323505cc629949a0e03edf11633cc7935bd8b56f393afcf2",
+	)
+	testAlgorithm(t, BLAKE2b_256,
+		"0e5751c026e543b2e8ab2eb06099daa1d1e5df47778f7787faab45cdf12fe3a8",
+		"69d7d3b0afba81826d27024c17f7f183659ed0812cf27b382eaef9fdc29b5712",
+	)
+	testAlgorithm(t, BLAKE2b_384,
+		"b32811423377f52d7862286ee1a72ee540524380fda1724a6f25d7978c6fd3244a6caf0498812673c5e05ef583825100",
+		"16d65de1a3caf1c26247234c39af636284c7e19ca448c0de788272081410778852c94d9cef6b939968d4f872c7f78337",
+	)
 	testAlgorithm(t, BLAKE2b_512,
 		"786a02f742015903c6c6fd852552d272912f4740e15847618a86e217f71f5419d25e1031afee585313896444934eb04b903a685b1448b755d56f701afe9be2ce",
 		"87af9dc4afe5651b7aa89124b905fd214bf17c79af58610db86a0fb1e0194622a4e9d8e395b352223a8183b0d421c0994b98286cbf8c68a495902e0fe6e2bda2",
 	)
+	testAlgorithm(t, BLAKE3,
+		"af1349b9f5f9a1a6a0404dea36dcc9499bcb25c9adc112b7cc9a93cae41f3262",
+		"4c9bd68d7f0baa2e167cef98295eb1ec99a3ec8f0656b33dbae943b387f31d5d",
+	)
 }
--- a/session.go
+++ b/session.go
@ -369,7 +369,7 @@ func newSession(e *Envelope) (*Session, error) { //nolint:maintidx
 	// final checks
 	// ============

-	// check requirements requirements
+	// check requirements
 	if s.toolRequirements.Empty() {
 		return nil, errors.New("envelope excludes all security requirements, no meaningful operation possible")
 	}
@ -518,7 +518,7 @@ func (s *Session) checkSecurityLevel(levelToCheck int, subject func() string) er
 	switch {
 	case minimumSecurityLevel > 0:
 		// check against minimumSecurityLevel
-		// minimumSecurityLevel overrides other checks
+		// (overrides other checks)
 		if levelToCheck < minimumSecurityLevel {
 			return fmt.Errorf(
 				`%s with a security level of %d is weaker than the desired security level of %d`,
--- a/signet.go
+++ b/signet.go
@ -11,7 +11,7 @@ import (
 	uuid "github.com/satori/go.uuid"

 	"github.com/safing/jess/tools"
-	"github.com/safing/portbase/formats/dsd"
+	"github.com/safing/structures/dsd"
 )

 // Special signet types.
--- a/suites.go
+++ b/suites.go
@ -1,86 +1,27 @@
 package jess

+// Currently Recommended Suites.
+var (
+	// SuiteKey is a cipher suite for encryption with a key.
+	SuiteKey = SuiteKeyV1
+	// SuitePassword is a cipher suite for encryption with a password.
+	SuitePassword = SuitePasswordV1
+	// SuiteRcptOnly is a cipher suite for encrypting for someone, but without verifying the sender/source.
+	SuiteRcptOnly = SuiteRcptOnlyV1
+	// SuiteSign is a cipher suite for signing (no encryption).
+	SuiteSign = SuiteSignV1
+	// SuiteSignFile is a cipher suite for signing files (no encryption).
+	SuiteSignFile = SuiteSignFileV1
+	// SuiteComplete is a cipher suite for both encrypting for someone and signing.
+	SuiteComplete = SuiteCompleteV1
+	// SuiteWire is a cipher suite for network communication, including authentication of the server, but not the client.
+	SuiteWire = SuiteWireV1
+)
+
+// Suite Lists.
 var (
-	// Suite Lists.
 	suitesMap  = make(map[string]*Suite)
 	suitesList []*Suite
-
-	// Suite Definitions.
-
-	// SuiteKeyV1 is a cipher suite for encryption with a key.
-	SuiteKeyV1 = registerSuite(&Suite{
-		ID:            "key_v1",
-		Tools:         []string{"HKDF(BLAKE2b-256)", "CHACHA20-POLY1305"},
-		Provides:      NewRequirements(),
-		SecurityLevel: 128,
-		Status:        SuiteStatusRecommended,
-	})
-	// SuitePasswordV1 is a cipher suite for encryption with a password.
-	SuitePasswordV1 = registerSuite(&Suite{
-		ID:            "pw_v1",
-		Tools:         []string{"SCRYPT-20", "HKDF(BLAKE2b-256)", "CHACHA20-POLY1305"},
-		Provides:      NewRequirements(),
-		SecurityLevel: 128,
-		Status:        SuiteStatusRecommended,
-	})
-	// SuiteRcptOnlyV1 is a cipher suite for encrypting for someone, but without verifying the sender/source.
-	SuiteRcptOnlyV1 = registerSuite(&Suite{
-		ID:            "rcpt_v1",
-		Tools:         []string{"ECDH-X25519", "HKDF(BLAKE2b-256)", "CHACHA20-POLY1305"},
-		Provides:      NewRequirements().Remove(SenderAuthentication),
-		SecurityLevel: 128,
-		Status:        SuiteStatusRecommended,
-	})
-	// SuiteSignV1 is a cipher suite for signing (no encryption).
-	SuiteSignV1 = registerSuite(&Suite{
-		ID:            "sign_v1",
-		Tools:         []string{"Ed25519(BLAKE2b-256)"},
-		Provides:      newEmptyRequirements().Add(Integrity).Add(SenderAuthentication),
-		SecurityLevel: 128,
-		Status:        SuiteStatusRecommended,
-	})
-	// SuiteSignFileV1 is a cipher suite for signing files (no encryption).
-	// SHA2_256 is chosen for better compatibility with other tool sets and workflows.
-	SuiteSignFileV1 = registerSuite(&Suite{
-		ID:            "signfile_v1",
-		Tools:         []string{"Ed25519(SHA2-256)"},
-		Provides:      newEmptyRequirements().Add(Integrity).Add(SenderAuthentication),
-		SecurityLevel: 128,
-		Status:        SuiteStatusRecommended,
-	})
-	// SuiteCompleteV1 is a cipher suite for both encrypting for someone and signing.
-	SuiteCompleteV1 = registerSuite(&Suite{
-		ID:            "v1",
-		Tools:         []string{"ECDH-X25519", "Ed25519(BLAKE2b-256)", "HKDF(BLAKE2b-256)", "CHACHA20-POLY1305"},
-		Provides:      NewRequirements(),
-		SecurityLevel: 128,
-		Status:        SuiteStatusRecommended,
-	})
-	// SuiteWireV1 is a cipher suite for network communication, including authentication of the server, but not the client.
-	SuiteWireV1 = registerSuite(&Suite{
-		ID:            "w1",
-		Tools:         []string{"ECDH-X25519", "HKDF(BLAKE2b-256)", "CHACHA20-POLY1305"},
-		Provides:      NewRequirements().Remove(SenderAuthentication),
-		SecurityLevel: 128,
-		Status:        SuiteStatusRecommended,
-	})
-
-	// Currently Recommended Suites.
-
-	// SuiteKey is a a cipher suite for encryption with a key.
-	SuiteKey = SuiteKeyV1
-	// SuitePassword is a a cipher suite for encryption with a password.
-	SuitePassword = SuitePasswordV1
-	// SuiteRcptOnly is a a cipher suite for encrypting for someone, but without verifying the sender/source.
-	SuiteRcptOnly = SuiteRcptOnlyV1
-	// SuiteSign is a a cipher suite for signing (no encryption).
-	SuiteSign = SuiteSignV1
-	// SuiteSignFile is a a cipher suite for signing files (no encryption).
-	SuiteSignFile = SuiteSignFileV1
-	// SuiteComplete is a a cipher suite for both encrypting for someone and signing.
-	SuiteComplete = SuiteCompleteV1
-	// SuiteWire is a a cipher suite for network communication, including authentication of the server, but not the client.
-	SuiteWire = SuiteWireV1
 )

 func registerSuite(suite *Suite) (suiteID string) {
--- a/suites_test.go
+++ b/suites_test.go
@ -294,7 +294,7 @@ func suiteBullshitCheck(suite *Suite) error { //nolint:maintidx
 	// final checks
 	// ============

-	// check requirements requirements
+	// check requirements
 	if s.toolRequirements.Empty() {
 		return errors.New("suite does not provide any security attributes")
 	}
--- a/suites_v1.go
+++ b/suites_v1.go
@ -0,0 +1,61 @@
+package jess //nolint:dupl
+
+var (
+	// SuiteKeyV1 is a cipher suite for encryption with a key.
+	SuiteKeyV1 = registerSuite(&Suite{
+		ID:            "key_v1",
+		Tools:         []string{"HKDF(BLAKE2b-256)", "CHACHA20-POLY1305"},
+		Provides:      NewRequirements(),
+		SecurityLevel: 128,
+		Status:        SuiteStatusRecommended,
+	})
+	// SuitePasswordV1 is a cipher suite for encryption with a password.
+	SuitePasswordV1 = registerSuite(&Suite{
+		ID:            "pw_v1",
+		Tools:         []string{"SCRYPT-20", "HKDF(BLAKE2b-256)", "CHACHA20-POLY1305"},
+		Provides:      NewRequirements(),
+		SecurityLevel: 128,
+		Status:        SuiteStatusRecommended,
+	})
+	// SuiteRcptOnlyV1 is a cipher suite for encrypting for someone, but without verifying the sender/source.
+	SuiteRcptOnlyV1 = registerSuite(&Suite{
+		ID:            "rcpt_v1",
+		Tools:         []string{"ECDH-X25519", "HKDF(BLAKE2b-256)", "CHACHA20-POLY1305"},
+		Provides:      NewRequirements().Remove(SenderAuthentication),
+		SecurityLevel: 128,
+		Status:        SuiteStatusRecommended,
+	})
+	// SuiteSignV1 is a cipher suite for signing (no encryption).
+	SuiteSignV1 = registerSuite(&Suite{
+		ID:            "sign_v1",
+		Tools:         []string{"Ed25519(BLAKE2b-256)"},
+		Provides:      newEmptyRequirements().Add(Integrity).Add(SenderAuthentication),
+		SecurityLevel: 128,
+		Status:        SuiteStatusRecommended,
+	})
+	// SuiteSignFileV1 is a cipher suite for signing files (no encryption).
+	// SHA2_256 is chosen for better compatibility with other tool sets and workflows.
+	SuiteSignFileV1 = registerSuite(&Suite{
+		ID:            "signfile_v1",
+		Tools:         []string{"Ed25519(SHA2-256)"},
+		Provides:      newEmptyRequirements().Add(Integrity).Add(SenderAuthentication),
+		SecurityLevel: 128,
+		Status:        SuiteStatusRecommended,
+	})
+	// SuiteCompleteV1 is a cipher suite for both encrypting for someone and signing.
+	SuiteCompleteV1 = registerSuite(&Suite{
+		ID:            "v1",
+		Tools:         []string{"ECDH-X25519", "Ed25519(BLAKE2b-256)", "HKDF(BLAKE2b-256)", "CHACHA20-POLY1305"},
+		Provides:      NewRequirements(),
+		SecurityLevel: 128,
+		Status:        SuiteStatusRecommended,
+	})
+	// SuiteWireV1 is a cipher suite for network communication, including authentication of the server, but not the client.
+	SuiteWireV1 = registerSuite(&Suite{
+		ID:            "w1",
+		Tools:         []string{"ECDH-X25519", "HKDF(BLAKE2b-256)", "CHACHA20-POLY1305"},
+		Provides:      NewRequirements().Remove(SenderAuthentication),
+		SecurityLevel: 128,
+		Status:        SuiteStatusRecommended,
+	})
+)
--- a/suites_v2.go
+++ b/suites_v2.go
@ -0,0 +1,61 @@
+package jess //nolint:dupl
+
+var (
+	// SuiteKeyV2 is a cipher suite for encryption with a key.
+	SuiteKeyV2 = registerSuite(&Suite{
+		ID:            "key_v2",
+		Tools:         []string{"BLAKE3-KDF", "CHACHA20-POLY1305"},
+		Provides:      NewRequirements(),
+		SecurityLevel: 128,
+		Status:        SuiteStatusPermitted,
+	})
+	// SuitePasswordV2 is a cipher suite for encryption with a password.
+	SuitePasswordV2 = registerSuite(&Suite{
+		ID:            "pw_v2",
+		Tools:         []string{"SCRYPT-20", "BLAKE3-KDF", "CHACHA20-POLY1305"},
+		Provides:      NewRequirements(),
+		SecurityLevel: 128,
+		Status:        SuiteStatusPermitted,
+	})
+	// SuiteRcptOnlyV2 is a cipher suite for encrypting for someone, but without verifying the sender/source.
+	SuiteRcptOnlyV2 = registerSuite(&Suite{
+		ID:            "rcpt_v2",
+		Tools:         []string{"ECDH-X25519", "BLAKE3-KDF", "CHACHA20-POLY1305"},
+		Provides:      NewRequirements().Remove(SenderAuthentication),
+		SecurityLevel: 128,
+		Status:        SuiteStatusPermitted,
+	})
+	// SuiteSignV2 is a cipher suite for signing (no encryption).
+	SuiteSignV2 = registerSuite(&Suite{
+		ID:            "sign_v2",
+		Tools:         []string{"Ed25519(BLAKE3)"},
+		Provides:      newEmptyRequirements().Add(Integrity).Add(SenderAuthentication),
+		SecurityLevel: 128,
+		Status:        SuiteStatusPermitted,
+	})
+	// SuiteSignFileV2 is a cipher suite for signing files (no encryption).
+	// SHA2_256 is chosen for better compatibility with other tool sets and workflows.
+	SuiteSignFileV2 = registerSuite(&Suite{
+		ID:            "signfile_v2",
+		Tools:         []string{"Ed25519(BLAKE3)"},
+		Provides:      newEmptyRequirements().Add(Integrity).Add(SenderAuthentication),
+		SecurityLevel: 128,
+		Status:        SuiteStatusPermitted,
+	})
+	// SuiteCompleteV2 is a cipher suite for both encrypting for someone and signing.
+	SuiteCompleteV2 = registerSuite(&Suite{
+		ID:            "v2",
+		Tools:         []string{"ECDH-X25519", "Ed25519(BLAKE3)", "BLAKE3-KDF", "CHACHA20-POLY1305"},
+		Provides:      NewRequirements(),
+		SecurityLevel: 128,
+		Status:        SuiteStatusPermitted,
+	})
+	// SuiteWireV2 is a cipher suite for network communication, including authentication of the server, but not the client.
+	SuiteWireV2 = registerSuite(&Suite{
+		ID:            "w2",
+		Tools:         []string{"ECDH-X25519", "BLAKE3-KDF", "CHACHA20-POLY1305"},
+		Provides:      NewRequirements().Remove(SenderAuthentication),
+		SecurityLevel: 128,
+		Status:        SuiteStatusPermitted,
+	})
+)
--- a/tools/all/all.go
+++ b/tools/all/all.go
@ -3,6 +3,7 @@ package all

 import (
 	// Import all tool subpackages.
+	_ "github.com/safing/jess/tools/blake3"
 	_ "github.com/safing/jess/tools/ecdh"
 	_ "github.com/safing/jess/tools/gostdlib"
 )
--- a/tools/blake3/kdf.go
+++ b/tools/blake3/kdf.go
@ -0,0 +1,68 @@
+package blake3
+
+import (
+	"errors"
+	"fmt"
+	"io"
+
+	"github.com/zeebo/blake3"
+
+	"github.com/safing/jess/tools"
+)
+
+func init() {
+	tools.Register(&tools.Tool{
+		Info: &tools.ToolInfo{
+			Name:          "BLAKE3-KDF",
+			Purpose:       tools.PurposeKeyDerivation,
+			SecurityLevel: 128,
+			Comment:       "cryptographic hash function based on Bao and BLAKE2",
+			Author:        "Jean-Philippe Aumasson et al., 2020",
+		},
+		Factory: func() tools.ToolLogic { return &KDF{} },
+	})
+}
+
+// KDF implements the cryptographic interface for BLAKE3 key derivation.
+type KDF struct {
+	tools.ToolLogicBase
+	reader io.Reader
+}
+
+// InitKeyDerivation implements the ToolLogic interface.
+func (keyder *KDF) InitKeyDerivation(nonce []byte, material ...[]byte) error {
+	// Check params.
+	if len(material) < 1 || len(material[0]) == 0 || len(nonce) == 0 {
+		return errors.New("must supply at least one key and a nonce as key material")
+	}
+
+	// Setup KDF.
+	// Use nonce as kdf context.
+	h := blake3.NewDeriveKey(string(nonce))
+	// Then add all the key material.
+	for _, m := range material {
+		_, _ = h.Write(m)
+	}
+	// Get key reader.
+	keyder.reader = h.Digest()
+
+	return nil
+}
+
+// DeriveKey implements the ToolLogic interface.
+func (keyder *KDF) DeriveKey(size int) ([]byte, error) {
+	key := make([]byte, size)
+	return key, keyder.DeriveKeyWriteTo(key)
+}
+
+// DeriveKeyWriteTo implements the ToolLogic interface.
+func (keyder *KDF) DeriveKeyWriteTo(newKey []byte) error {
+	n, err := io.ReadFull(keyder.reader, newKey)
+	if err != nil {
+		return fmt.Errorf("failed to generate key: %w", err)
+	}
+	if n != len(newKey) {
+		return errors.New("failed to generate key: EOF")
+	}
+	return nil
+}
--- a/tools/ecdh/nist.go
+++ b/tools/ecdh/nist.go
@ -9,7 +9,7 @@ import (
 	"github.com/aead/ecdh"

 	"github.com/safing/jess/tools"
-	"github.com/safing/portbase/container"
+	"github.com/safing/structures/container"
 )

 var nistCurveInfo = &tools.ToolInfo{
--- a/tools/ecdh/x25519.go
+++ b/tools/ecdh/x25519.go
@ -7,7 +7,7 @@ import (
 	"github.com/aead/ecdh"

 	"github.com/safing/jess/tools"
-	"github.com/safing/portbase/container"
+	"github.com/safing/structures/container"
 )

 func init() {
--- a/tools/gostdlib/ed25519.go
+++ b/tools/gostdlib/ed25519.go
@ -6,7 +6,7 @@ import (
 	"errors"

 	"github.com/safing/jess/tools"
-	"github.com/safing/portbase/container"
+	"github.com/safing/structures/container"
 )

 func init() {
--- a/tools/gostdlib/hkdf.go
+++ b/tools/gostdlib/hkdf.go
@ -8,7 +8,7 @@ import (
 	"golang.org/x/crypto/hkdf"

 	"github.com/safing/jess/tools"
-	"github.com/safing/portbase/container"
+	"github.com/safing/structures/container"
 )

 func init() {
--- a/tools/gostdlib/rsa-keys.go
+++ b/tools/gostdlib/rsa-keys.go
@ -8,7 +8,7 @@ import (
 	"math/big"

 	"github.com/safing/jess/tools"
-	"github.com/safing/portbase/container"
+	"github.com/safing/structures/container"
 )

 type rsaBase struct {
--- a/tools/gostdlib/rsa-pss.go
+++ b/tools/gostdlib/rsa-pss.go
@ -2,6 +2,7 @@ package gostdlib

 import (
 	"crypto/rsa"
+	"errors"

 	"github.com/safing/jess/tools"
 )
@ -38,11 +39,14 @@ func (pss *RsaPSS) Sign(data, associatedData []byte, signet tools.SignetInt) ([]
 	if err != nil {
 		return nil, err
 	}
+	if pss.HashTool().CryptoHashID == 0 {
+		return nil, errors.New("tool PSS is only compatible with Golang crypto.Hash hash functions")
+	}

 	return rsa.SignPSS(
 		pss.Helper().Random(),
 		rsaPrivKey,
-		pss.HashTool().Hash,
+		pss.HashTool().CryptoHashID,
 		hashsum,
 		nil, // *rsa.PSSOptions
 	)
@ -59,10 +63,13 @@ func (pss *RsaPSS) Verify(data, associatedData, signature []byte, signet tools.S
 	if err != nil {
 		return err
 	}
+	if pss.HashTool().CryptoHashID == 0 {
+		return errors.New("tool PSS is only compatible with Golang crypto.Hash hash functions")
+	}

 	return rsa.VerifyPSS(
 		rsaPubKey,
-		pss.HashTool().Hash,
+		pss.HashTool().CryptoHashID,
 		hashsum,
 		signature,
 		nil, // *rsa.PSSOptions
--- a/tools/toollogic.go
+++ b/tools/toollogic.go
@ -101,7 +101,7 @@ type ToolLogic interface {

 	// Signet Handling

-	// LoadKey loads a key from the Signet's key storage (`Key`) into the Signet's cache (`Loaded*`). If the Signet is marked as public, the storage is expected to only have the public key present, only only it will be loaded.
+	// LoadKey loads a key from the Signet's key storage (`Key`) into the Signet's cache (`Loaded*`). If the Signet is marked as public, the storage is expected to only have the public key present, only it will be loaded.
 	// Must work with a static (no Setup()) ToolLogic.
 	// Must be overridden by tools that declare FeatureKeyExchange, FeatureKeyEncapsulation or FeatureSigning.
 	LoadKey(SignetInt) error
--- a/truststores/io.go
+++ b/truststores/io.go
@ -6,7 +6,7 @@ import (
 	"os"

 	"github.com/safing/jess"
-	"github.com/safing/portbase/formats/dsd"
+	"github.com/safing/structures/dsd"
 )

 // WriteSignetToFile serializes the signet and writes it to the given file.
--- a/truststores/keyring.go
+++ b/truststores/keyring.go
@ -58,7 +58,7 @@ func (krts *KeyringTrustStore) GetSignet(id string, recipient bool) (*jess.Signe
 	// Get data from keyring.
 	data, err := keyring.Get(krts.serviceName, id)
 	if err != nil {
-		return nil, fmt.Errorf("%w: %s", jess.ErrSignetNotFound, err)
+		return nil, fmt.Errorf("%w: %w", jess.ErrSignetNotFound, err)
 	}

 	// Parse and return.
@ -111,7 +111,7 @@ func (krts *KeyringTrustStore) GetEnvelope(name string) (*jess.Envelope, error)
 	// Get data from keyring.
 	data, err := keyring.Get(krts.serviceName, name)
 	if err != nil {
-		return nil, fmt.Errorf("%w: %s", jess.ErrEnvelopeNotFound, err)
+		return nil, fmt.Errorf("%w: %w", jess.ErrEnvelopeNotFound, err)
 	}

 	// Parse and return.
Author	SHA1	Message	Date
Daniel	4c4b4471d8	Add support for json file signing	2024-11-08 14:28:09 +01:00
Daniel	4fbce7d649	Switch from portbase to structures lib, update build and version system	2024-06-24 09:48:48 +02:00
Daniel	393206b5e2	Bump version	2023-12-19 15:48:11 +01:00
Daniel	c475557cd1	Update deps	2023-12-19 15:48:05 +01:00
Daniel Hovie	2a3994208b	Merge pull request #97 from safing/feature/blake3 Add support for BLAKE3, add Suites with BLAKE3	2023-12-19 15:42:34 +01:00
Daniel	a93f8142fc	Remove CodeQL workflow	2023-12-18 20:28:07 +01:00
Daniel	914459cb99	Add support for BLAKE3, add Suites with BLAKE3	2023-11-22 14:37:23 +01:00
Daniel	e907a26493	Bump version	2023-10-25 14:10:15 +02:00
Daniel Hovie	d57426d89b	Merge pull request #96 from safing/feature/checksums Add support for embedded text, json and yaml checksums	2023-10-25 14:08:11 +02:00
Daniel	a1424bb197	Update deps	2023-10-25 14:07:45 +02:00
Daniel	fa3982d07a	Fix linter warnings	2023-09-26 13:26:44 +02:00
Daniel	1125f87df4	Update go workflow	2023-09-26 13:07:44 +02:00
Daniel	863e870b23	Update golangci config	2023-09-26 13:06:16 +02:00
Daniel	9c7f6954e6	Add support for embedded text, json and yaml checksums	2023-09-26 13:05:31 +02:00
Daniel	ed928f9a3e	Issue Mgmt: Add label actions config	2023-08-30 14:01:27 +02:00
Daniel	6c91e759a1	Update issue management workflows	2023-08-30 13:01:01 +02:00