NetSigil signs directories and verifies directory signatures. It allows anyone to check if files on a server have been tampered with (by the hosting provider, attackers, etc). Use it to:
2. Generates a `SHA256SUMS` file containing hashes of all files in the specified directory.
3. Puts `key.pub` and `SHA256SUMS` into a tar.gz archive.
4. Signs the archive, embedding the signature in the gzip header.
5. Saves the signed archive within the directory, as `.well-known/signature-bundle`.
Best used within a script that synchronizes local files with the server. This is [how I use it](https://gitlab.com/nervuri/nervuri.net/-/blob/master/sync.sh#L10).
Verification is not yet implemented, but can be done manually. Here is an example for the Gemini protocol (using [agunua](https://framagit.org/bortzmeyer/agunua) to download files):
The idea for this program spawned [on the Gemini mailing list](https://lists.orbitalfox.eu/archives/gemini/2021/005585.html). Special thanks to [Christophe Henry](https://gmi.sbgodin.fr/) and [Francesco Camuffo](https://fmac.xyz/).