README: clearer explanation

nervuri 2021-03-21 18:54:06 +00:00
parent c212abe0af
commit 546b1bd1cb
1 changed file with 8 additions and 7 deletions

@ -1,6 +1,6 @@
# NetSigil
NetSigil signs directories and verifies directory signatures. This allows you and others to detect tampering by whoever might have access to wherever you upload them (hosting provider, attackers, etc). Use it to:
NetSigil signs directories and verifies directory signatures. It allows anyone to check if files on a server have been tampered with (by the hosting provider, attackers, etc). Use it to:
* Sign an entire [Website]/[Gemini capsule]/[Gopher hole]
* Verify any file on a signed [Website]/[Gemini capsule]/[Gopher hole] - **not yet implemented**
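Review bot: the rewritten intro sentence ("It allows anyone to check if files on a server have been tampered with") promises verification that this same hunk marks as **not yet implemented** in the "Verify any file on a signed ..." bullet. Suggest qualifying the sentence (for example "will allow anyone to check ...") or moving the not-yet-implemented caveat up next to it, so a reader does not deploy the bundle expecting end-to-end verification today. It would also help to say here that "anyone" can only check against a public key obtained independently of the server being checked, otherwise the sentence reads as if the server itself can vouch for its own files.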
@ -14,17 +14,17 @@ netsigil --verify <URL> # Verify remote signature
Uses [signify](https://www.openbsd.org/papers/bsdcan-signify.html). GPG support might be added later.
Generates `.well-known/signature-bundle`, a signed tar.gz file.
Best used within a script that synchronizes local files with the server. This is [how I use it](https://gitlab.com/nervuri/nervuri.net/-/blob/master/sync.sh#L10).
## How it works
### Signing
1. Walks you through installing `signify` and generating a keypair.
2. Generates a SHA256SUMS file containing hashes of all files in a directory, including subdirectories.
3. Puts the public key and the SHA256SUMS file into an archive which it then signs using signify's `-z` option, which embeds the signature in the gzip header.
2. Generates a `SHA256SUMS` file containing hashes of all files in the specified directory.
3. Puts `key.pub` and `SHA256SUMS` into a tar.gz archive.
4. Signs the archive, embedding the signature in the gzip header.
5. Saves the signed archive within the directory, as `.well-known/signature-bundle`.
Best used within a script that synchronizes local files with the server. This is [how I use it](https://gitlab.com/nervuri/nervuri.net/-/blob/master/sync.sh#L10).
### Verifying
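Review bot: steps 3 and 4 put `key.pub` inside the archive and then sign that archive, but nothing in the new text says that the embedded key must not be used to verify the bundle it ships in: whoever can replace files on the host can just as easily regenerate `.well-known/signature-bundle` with their own key, so the copy inside the bundle is only a convenience and the verifier has to obtain and pin the public key out of band (as the Verifying section does by fetching keys from a different location). Suggest adding one sentence to that effect after step 5. Separately, the rewritten step 2 ("hashes of all files in the specified directory") drops "including subdirectories" from the old wording; if the walk is still recursive, keep that phrase, since a reader can no longer tell whether files in subdirectories are covered by `SHA256SUMS`.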
@ -45,6 +45,7 @@ mkdir keys && agunua --insecure --binary gemini://rawtext.club/~nervuri/keys/ind
# Verify them both
sha256sum -c --ignore-missing SHA256SUMS
```
---
The idea for this program spawned [on the Gemini mailing list](https://lists.orbitalfox.eu/archives/gemini/2021/005585.html). Special thanks to [Christophe Henry](https://gmi.sbgodin.fr/) and [Francesco Camuffo](https://fmac.xyz/).
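Review bot: the verification example's `sha256sum -c --ignore-missing SHA256SUMS` will not report a file that is listed in `SHA256SUMS` but absent from the local copy, and no step checks for files present on the server that do not appear in the list, so a deleted or newly added file passes this check silently. Suggest stating that limitation in the Verifying section (or dropping `--ignore-missing` when the whole directory has been fetched). The same section fetches the keys with `agunua --insecure --binary`; if that flag disables certificate checking, the README should tell the reader how to confirm the fetched key through another channel before trusting the bundle signature.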