README: explain verification

nervuri 2021-03-22 11:01:17 +00:00
parent 7e56013225
commit a3bbe7bd24
1 changed files with 15 additions and 1 deletions

@ -28,7 +28,21 @@ Best used within a script that synchronizes local files with the server. This i
### Verifying
Verification is not yet implemented, but can be done manually. Here is an example for the Gemini protocol (using [agunua](https://framagit.org/bortzmeyer/agunua) to download files):
Verification is not yet implemented, but here is an approximation of how it will work:
0. User runs `netsigil --verify scheme://example.org:port/~user/file`.
1. Download `scheme://example.org:port/~user/file`.
2. If we already have a `SHA256SUMS` file for `scheme://example.org:port/~user`, then go to 7.
3. Download `scheme://example.org:port/~user/.well-known/signature-bundle`.
4. If not already present, extract `key.pub` from `signature-bundle` and store it locally (Trust on first use).
5. Use `key.pub` to verify `signature-bundle`.
6. Extract `SHA256SUMS` from `signature-bundle` and store it locally.
7. Check if the hash of `file` matches the one in `SHA256SUMS`. If it does, stop here. Perhaps output the requested file to stdout.
8. On hash mismatch: if step 2 was true, then go to step 3; else, stop.
Note that in this example, `.well-known` is under `~user`, not directly under `example.org`. This is to account for multi-user systems (pubnixes/tilde communities).
Verification can also be done manually. Here is an example for the Gemini protocol (using [agunua](https://framagit.org/bortzmeyer/agunua) to download files):
```
# Download `signature-bundle`
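Review bot: step 5 does not say which `key.pub` verifies the bundle, and with trust on first use that is the decision the whole procedure rests on. Step 4 stores the key only "if not already present", so on a later run the bundle may carry a different key than the stored one; the text should state that verification always uses the locally stored key, and what the user sees when the bundle's key differs from it or when the signature check in step 5 fails. Separately, step 8 sends a mismatch back to step 3 whenever "step 2 was true", and that condition is still true after the refresh, so a file that keeps mismatching loops forever as written; say that the bundle is re-downloaded at most once and that a second mismatch stops with an error. Step 7's "Perhaps output the requested file to stdout" would also be clearer as a definite statement that the file is emitted only after the hash matches.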