Signify is the first OpenBSD code that I've ever read from start to finish - (minus the external libraries like the Ed25519 package). Watching the initial checkins, followed by the amazing improvement in the command line options within a a few weeks of checking by external contributors - the final product is much, much better than the first checkin. What I really appreciate, is that they managed to strike a balance between keeping the tool 100% lean, and adding tiny bits of syntactic sugar (such as the Untrusted Comment field, and, the ability to simultaneously verify the SHA256 hash and signature of a list of files.)

Teaching people how to use the tool, from the point of generating keys, to generating signature manifests for a packages, to signing, and verifying takes < 3 minutes for someone who already knows what a hash is.

And, the complete absence of CA architecture, or web-of-trust - and an focus on sharing their (really short) public keys in a visible and widely distributed manner just makes the system so much simpler to understand.

For example - this literally is all you have to do on OS X to have a complete end-end signing/manifest/verification system:

Generate your keypair:

   signify -G -p pub -s sec

Your public key is tiny, and can be shared anywhere/everywhere:

  RWRGNg6NU+JAt9ju3ItQfOMmDhXmEkHp28mej8ickx4lOJjE2Tg2DxEO

Created your manifest (On OpenBSD you just go "sha256 file* ")

   shasum -a 256 file* | awk '{print "SHA256 ("$2") = "$1}'> manif

Sign your manifest, and embed the signature in the resulting sig file:

   signify -S -e -s sec -m manif -x manif.sig

And now, anybody who has your public key, can verify that manifest:

   signify -C  -p pub -x manif.sig

That's it, that's the entire system from beginning to end.