NetSigil/README.md

# NetSigil

NetSigil signs directories and verifies directory signatures.  It allows anyone to check if files on a server have been tampered with (by the hosting provider, attackers, etc).  Use it to:

* Sign an entire [Website]/[Gemini capsule]/[Gopher hole]
* Verify any file on a signed [Website]/[Gemini capsule]/[Gopher hole] - **not yet implemented**

Usage:

```
netsigil --sign <dir>    # Sign a local copy of your site
netsigil --verify <URL>  # Verify remote signature
```

Uses [signify](https://www.openbsd.org/papers/bsdcan-signify.html).  GPG support might be added later.

## How it works

### Signing

1. Walks you through installing `signify` and generating a keypair.
2. Generates a `SHA256SUMS` file containing hashes of all files in the specified directory (including subdirectories).
3. Puts `key.pub` and `SHA256SUMS` into a tar.gz archive.
4. Signs the archive, embedding the signature in the gzip header.
5. Saves the signed archive within the directory, as `.well-known/signature-bundle`.

Best used within a script that synchronizes local files with the server.  This is [how I use it](https://gitlab.com/nervuri/nervuri.net/-/blob/master/sync.sh#L10).

### Verifying

Verification is not yet implemented, but can be done manually.  Here is an example for the Gemini protocol (using [agunua](https://framagit.org/bortzmeyer/agunua) to download files):

```
# Download `signature-bundle`
agunua --insecure --binary gemini://rawtext.club/~nervuri/.well-known/signature-bundle > signature-bundle
# Extract the public key
tar -xf signature-bundle key.pub
# Verify `signature-bundle`
signify -Vz -p key.pub -x signature-bundle >/dev/null && echo 'Signature OK'
# Extract `SHA256SUMS`
tar -xf signature-bundle SHA256SUMS
# Download two files from the capsule, mirroring the directory structure
agunua --insecure --binary gemini://rawtext.club/~nervuri/contact.gmi > contact.gmi
mkdir keys && agunua --insecure --binary gemini://rawtext.club/~nervuri/keys/index.gmi > keys/index.gmi
# Verify them both
sha256sum -c --ignore-missing SHA256SUMS
```

## Contributing

If you don't want to [make an account here](https://tildegit.org/user/sign_up), just shoot me an email: https://nervuri.net/contact

---

The idea for this program spawned [on the Gemini mailing list](https://lists.orbitalfox.eu/archives/gemini/2021/005585.html).  Special thanks to [Christophe Henry](https://gmi.sbgodin.fr/) and [Francesco Camuffo](https://fmac.xyz/).
Initial commit 2021-03-19 19:04:11 +00:00			`# NetSigil`

README: clearer explanation 2021-03-21 18:54:06 +00:00			`NetSigil signs directories and verifies directory signatures. It allows anyone to check if files on a server have been tampered with (by the hosting provider, attackers, etc). Use it to:`
better README 2021-03-21 17:19:23 +00:00
update README 2021-03-19 19:19:12 +00:00			`* Sign an entire [Website]/[Gemini capsule]/[Gopher hole]`
better README 2021-03-21 17:19:23 +00:00			`* Verify any file on a signed [Website]/[Gemini capsule]/[Gopher hole] - not yet implemented`

			`Usage:`

			```
			`netsigil --sign <dir> # Sign a local copy of your site`
			`netsigil --verify <URL> # Verify remote signature`
			```
update README 2021-03-19 19:19:12 +00:00
			`Uses [signify](https://www.openbsd.org/papers/bsdcan-signify.html). GPG support might be added later.`

better README 2021-03-21 17:19:23 +00:00			`## How it works`

			`### Signing`

			1. Walks you through installing `signify` and generating a keypair.
README: add Contributing 2021-03-21 21:21:02 +00:00			2. Generates a `SHA256SUMS` file containing hashes of all files in the specified directory (including subdirectories).
README: clearer explanation 2021-03-21 18:54:06 +00:00			3. Puts `key.pub` and `SHA256SUMS` into a tar.gz archive.
			`4. Signs the archive, embedding the signature in the gzip header.`
			5. Saves the signed archive within the directory, as `.well-known/signature-bundle`.

			`Best used within a script that synchronizes local files with the server. This is [how I use it](https://gitlab.com/nervuri/nervuri.net/-/blob/master/sync.sh#L10).`
better README 2021-03-21 17:19:23 +00:00
			`### Verifying`

			`Verification is not yet implemented, but can be done manually. Here is an example for the Gemini protocol (using [agunua](https://framagit.org/bortzmeyer/agunua) to download files):`
update README 2021-03-19 19:19:12 +00:00
			```
better README 2021-03-21 17:19:23 +00:00			# Download `signature-bundle`
			`agunua --insecure --binary gemini://rawtext.club/~nervuri/.well-known/signature-bundle > signature-bundle`
			`# Extract the public key`
			`tar -xf signature-bundle key.pub`
			# Verify `signature-bundle`
			`signify -Vz -p key.pub -x signature-bundle >/dev/null && echo 'Signature OK'`
			# Extract `SHA256SUMS`
			`tar -xf signature-bundle SHA256SUMS`
			`# Download two files from the capsule, mirroring the directory structure`
			`agunua --insecure --binary gemini://rawtext.club/~nervuri/contact.gmi > contact.gmi`
			`mkdir keys && agunua --insecure --binary gemini://rawtext.club/~nervuri/keys/index.gmi > keys/index.gmi`
			`# Verify them both`
			`sha256sum -c --ignore-missing SHA256SUMS`
update README 2021-03-19 19:19:12 +00:00			```
README: clearer explanation 2021-03-21 18:54:06 +00:00
README: add Contributing 2021-03-21 21:21:02 +00:00			`## Contributing`

			`If you don't want to [make an account here](https://tildegit.org/user/sign_up), just shoot me an email: https://nervuri.net/contact`

better README 2021-03-21 17:19:23 +00:00			`---`

			`The idea for this program spawned [on the Gemini mailing list](https://lists.orbitalfox.eu/archives/gemini/2021/005585.html). Special thanks to [Christophe Henry](https://gmi.sbgodin.fr/) and [Francesco Camuffo](https://fmac.xyz/).`