NetSigil signs directories and verifies directory signatures. It allows anyone to check whether files on a server have been tampered with (by the hosting provider, attackers, etc.). Use it to:
3. Puts `key.pub` and `SHA256SUMS` into a tar.gz archive.
4. Signs the archive, embedding the signature in the gzip header.
5. Saves the signed archive within the directory, as `.well-known/signature-bundle`.
Best used within a script that synchronizes local files with the server. This is [how I use it](https://gitlab.com/nervuri/nervuri.net/-/blob/master/sync.sh#L10).
4. If not already present, extract `key.pub` from `signature-bundle` and store it locally (trust on first use).
5. Use `key.pub` to verify `signature-bundle`.
6. Extract `SHA256SUMS` from `signature-bundle` and store it locally.
7. Check if the hash of `file` matches the one in `SHA256SUMS`. If it does, stop here. Perhaps output the requested file to stdout.
8. On hash mismatch: if step 2 was true, then go to step 3; else, stop.
Note that in this example, `.well-known` is under `~user`, not directly under `example.org`. This is to account for multi-user systems (pubnixes/tilde communities).
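As an added example (not NetSigil's own code), here are steps 4 to 7 of the procedure above in Python, as a sync script would run them on the client side. The bundle-signature check (step 5) is a caller-supplied callable, because the gzip-header signature format is NetSigil's own and is not reproduced here; the key, file and `SHA256SUMS` are constructed fixtures, and the `./index.gmi` path form in `SHA256SUMS` is an assumption.

```python
import hashlib
import io
import tarfile

def make_bundle(key_pub: bytes, sha256sums: bytes) -> bytes:
    """Test fixture: tar.gz with key.pub and SHA256SUMS (no gzip-header signature)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("key.pub", key_pub), ("SHA256SUMS", sha256sums)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def parse_sha256sums(text: bytes) -> dict:
    """Parse sha256sum(1) output ('<hex>  <path>' or '<hex> *<path>') into {path: hex}."""
    sums = {}
    for line in text.decode().splitlines():
        digest, _, rest = line.partition(" ")
        path = rest.lstrip(" *")
        if len(digest) != 64 or not path:
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        sums[path] = digest.lower()
    return sums

def check_file(bundle, file_path, file_data, pinned_key, verify_signature):
    """Steps 4-7. pinned_key: locally stored key.pub, or None on first use (TOFU).
    verify_signature(bundle, key) -> bool is caller-supplied (NetSigil's own format).
    Returns (status, key_to_store); any status other than "ok" means do not trust the file."""
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:  # KeyError if absent
        key = tar.extractfile("key.pub").read()
        sums_raw = tar.extractfile("SHA256SUMS").read()
    if pinned_key is None:
        pinned_key = key                            # step 4: trust on first use
    elif key != pinned_key:
        return "key-mismatch", pinned_key           # server presented a different key
    if not verify_signature(bundle, pinned_key):    # step 5
        return "bad-signature", pinned_key
    expected = parse_sha256sums(sums_raw).get(file_path)  # step 6: parse only after verifying
    if expected is None:
        return "not-listed", pinned_key
    if hashlib.sha256(file_data).hexdigest() != expected:  # step 7
        return "hash-mismatch", pinned_key
    return "ok", pinned_key

# Constructed sample: one published file and its matching bundle.
SAMPLE_KEY = b"constructed-public-key"
SAMPLE_FILE = b"# hello\n"
SAMPLE_BUNDLE = make_bundle(SAMPLE_KEY,
    (hashlib.sha256(SAMPLE_FILE).hexdigest() + "  ./index.gmi\n").encode())
```

On "hash-mismatch" the calling script would re-fetch the bundle (step 8); on "key-mismatch" it should stop and alert, since a changed key is exactly what the pinned copy exists to catch.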
Verification can also be done manually. Here is an example for the Gemini protocol (using [agunua](https://framagit.org/bortzmeyer/agunua) to download files):
The idea for this program spawned [on the Gemini mailing list](https://lists.orbitalfox.eu/archives/gemini/2021/005585.html). Special thanks to [Christophe Henry](https://gmi.sbgodin.fr/) and [Francesco Camuffo](https://fmac.xyz/).