diff --git a/pkgs/tools/security/minisign/default.nix b/pkgs/tools/security/minisign/default.nix
new file mode 100644
index 000000000000..48de14ddce6c
--- /dev/null
+++ b/pkgs/tools/security/minisign/default.nix
@@ -0,0 +1,25 @@
+{ stdenv, fetchurl, cmake, libsodium }:
+
+stdenv.mkDerivation rec {
+  name = "minisign-${version}";
+  version = "0.4";
+
+  src = fetchurl {
+    url = "https://github.com/jedisct1/minisign/archive/${version}.tar.gz";
+    sha256 = "1k1dk6piaz8pw4b9zg55n4wcpyc301mkxb873njm8mki7r8raxnw";
+  };
+
+  buildInputs = [ cmake libsodium ];
+
+  meta = with stdenv.lib; {
+    description = "A simple tool for signing files and verifying signatures";
+    longDescription = ''
+      minisign uses public key cryptography to help facilitate secure (but not
+      necessarily private) file transfer, e.g., of software artefacts. minisign
+      is similar to and compatible with OpenBSD's signify.
+    '';
+    homepage = https://jedisct1.github.io/minisign/;
+    license = licenses.isc;
+    maintainers = with maintainers; [ joachifm ];
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index b4a14978e386..6562fa0b8bac 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -2026,6 +2026,8 @@ let
 
   minidlna = callPackage ../tools/networking/minidlna { };
 
+  minisign = callPackage ../tools/security/minisign { };
+
   mmv = callPackage ../tools/misc/mmv { };
 
   morituri = callPackage ../applications/audio/morituri { };