# NetSigil

NetSigil signs directories and verifies directory signatures. It allows anyone to check whether files on a server have been tampered with (by the hosting provider, attackers, etc.). Use it to:

- Sign an entire [Website]/[Gemini capsule]/[Gopher hole]
- Verify any file on a signed [Website]/[Gemini capsule]/[Gopher hole] (not yet implemented)

Usage:

```
netsigil --sign <dir>    # Sign a local copy of your site
netsigil --verify <URL>  # Verify remote signature
```

Uses signify. GPG support might be added later.
## How it works

### Signing

- Walks you through installing `signify`, if not already installed (apt only, for now).
- Walks you through generating a keypair; stores keys in `$XDG_DATA_HOME/signify/` (or `~/.local/share/signify/`).
- Generates a `SHA256SUMS` file containing hashes of all files in the specified directory (including subdirectories).
- Puts `key.pub` and `SHA256SUMS` into a tar.gz archive.
- Signs the archive, embedding the signature in the gzip header.
- Saves the signed archive within the directory, as `.well-known/signature-bundle`.

Best used within a script that synchronizes local files with the server. This is how I use it.
### Verifying

Verification is not yet implemented, but here is an approximation of how it will work. The user runs `netsigil --verify scheme://example.org:port/~user/file`, and then:

1. Download `scheme://example.org:port/~user/file`.
2. If we already have a `SHA256SUMS` file for `scheme://example.org:port/~user`, then go to 7.
3. Download `scheme://example.org:port/~user/.well-known/signature-bundle`.
4. If not already present, extract `key.pub` from `signature-bundle` and store it locally (trust on first use).
5. Use `key.pub` to verify `signature-bundle`.
6. Extract `SHA256SUMS` from `signature-bundle` and store it locally.
7. Check if the hash of `file` matches the one in `SHA256SUMS`. If it does, stop here. Perhaps output the requested file to stdout.
8. On hash mismatch: if step 2 was true, then go to step 3; else, stop.

Note that in this example, `.well-known` is under `~user`, not directly under `example.org`. This is to account for multi-user systems (pubnixes/tilde communities).
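The procedure above, written out as an added example (not NetSigil's own code) so that the trust-on-first-use and cached-`SHA256SUMS` logic can be exercised offline. Assumptions: the caller splits the URL into the `scheme://host:port/~user` site root and the file path below it; the network fetch and the signature check are passed in, with `signify_verify` shelling out to the same `signify -Vz` command as the manual steps below and a stand-in used where signify is not installed.

```python
import hashlib, io, os, subprocess, tarfile, tempfile

def sha256sums_text(files):  # files: {relative path: bytes} -> `sha256sum` format, subdirs included
    return "".join(f"{hashlib.sha256(d).hexdigest()}  {p}\n" for p, d in sorted(files.items()))

def parse_sha256sums(text):  # accepts `hash  name` (text) and `hash *name` (binary) lines
    sums = {}
    for line in text.splitlines():
        digest, sep, rest = line.partition(" ")
        if sep and len(digest) == 64 and rest[:1] in (" ", "*"):
            sums[rest[1:]] = digest.lower()
    return sums

def make_bundle(pubkey, sums_text):
    """key.pub + SHA256SUMS as tar.gz; the `signify -Sz` gzip-header signature itself is not modelled."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("key.pub", pubkey), ("SHA256SUMS", sums_text.encode())):
            info = tarfile.TarInfo(name); info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def read_bundle(blob):
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return tar.extractfile("key.pub").read(), tar.extractfile("SHA256SUMS").read().decode()

def signify_verify(pubkey, bundle):  # the real check: `signify -Vz -p key.pub -x signature-bundle`
    with tempfile.TemporaryDirectory() as d:
        kp, bp = os.path.join(d, "key.pub"), os.path.join(d, "signature-bundle")
        open(kp, "wb").write(pubkey); open(bp, "wb").write(bundle)
        return subprocess.run(["signify", "-Vz", "-p", kp, "-x", bp], stdout=subprocess.DEVNULL).returncode == 0

def verify(site, path, fetch, store, verify_sig=signify_verify):
    """fetch(url) -> bytes; store: dict persisting key.pub and SHA256SUMS per site. Returns (ok, reason)."""
    data = fetch(f"{site}/{path}")                                    # step 1
    refresh = ("sums", site) not in store                             # step 2
    for _ in range(2):  # a second pass happens only after a mismatch against a cached list
        if refresh:
            bundle = fetch(f"{site}/.well-known/signature-bundle")    # step 3
            key, sums_text = read_bundle(bundle)
            key = store.setdefault(("key", site), key)                # step 4: trust on first use
            if not verify_sig(key, bundle):                           # step 5: checked with the stored key
                return False, "signature-bundle failed verification"
            store[("sums", site)] = parse_sha256sums(sums_text)       # step 6
        if store[("sums", site)].get(path) == hashlib.sha256(data).hexdigest():
            return True, "hash matches SHA256SUMS"                    # step 7
        if refresh:                                                   # step 8: list was fresh, so stop
            break
        refresh = True  # cached list may be stale: go back to step 3 once, not indefinitely
    return False, "hash mismatch"
```

Step 5 deliberately verifies with the key already in the store, so a bundle that arrives carrying a different `key.pub` is rejected rather than silently re-trusted.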
Verification can also be done manually. Here is an example for the Gemini protocol (using agunua to download files):

```sh
# Download `signature-bundle`
agunua --insecure --binary gemini://rawtext.club/~nervuri/.well-known/signature-bundle > signature-bundle
# Extract the public key
tar -xf signature-bundle key.pub
# Verify `signature-bundle`
signify -Vz -p key.pub -x signature-bundle >/dev/null && echo 'Signature OK'
# Extract `SHA256SUMS`
tar -xf signature-bundle SHA256SUMS
# Download two files from the capsule, mirroring the directory structure
agunua --insecure --binary gemini://rawtext.club/~nervuri/contact.gmi > contact.gmi
mkdir keys && agunua --insecure --binary gemini://rawtext.club/~nervuri/keys/index.gmi > keys/index.gmi
# Verify them both
sha256sum -c --ignore-missing SHA256SUMS
```
## Contributing

If you don't want to make an account here, just shoot me an email: https://nervuri.net/contact

The idea for this program spawned on the Gemini mailing list. Special thanks to Christophe Henry and Francesco Camuffo.