README: explain verification
parent 7e56013225
commit a3bbe7bd24
16
README.md
|
@ -28,7 +28,21 @@ Best used within a script that synchronizes local files with the server. This i
|
|||
|
||||
### Verifying
|
||||
|
||||
Verification is not yet implemented, but can be done manually. Here is an example for the Gemini protocol (using [agunua](https://framagit.org/bortzmeyer/agunua) to download files):
|
||||
Verification is not yet implemented, but here is an approximation of how it will work:
|
||||
|
||||
0. User runs `netsigil --verify scheme://example.org:port/~user/file`.
|
||||
1. Download `scheme://example.org:port/~user/file`.
|
||||
2. If we already have a `SHA256SUMS` file for `scheme://example.org:port/~user`, then go to 7.
|
||||
3. Download `scheme://example.org:port/~user/.well-known/signature-bundle`.
|
||||
4. If not already present, extract `key.pub` from `signature-bundle` and store it locally (Trust on first use).
|
||||
5. Use `key.pub` to verify `signature-bundle`.
|
||||
6. Extract `SHA256SUMS` from `signature-bundle` and store it locally.
|
||||
7. Check if the hash of `file` matches the one in `SHA256SUMS`. If it does, stop here. Perhaps output the requested file to stdout.
|
||||
8. On hash mismatch: if step 2 was true, then go to step 3; else, stop.
|
||||
|
||||
Note that in this example, `.well-known` is under `~user`, not directly under `example.org`. This is to account for multi-user systems (pubnixes/tilde communities).
|
||||
|
||||
Verification can also be done manually. Here is an example for the Gemini protocol (using [agunua](https://framagit.org/bortzmeyer/agunua) to download files):
|
||||
|
||||
```
|
||||
# Download `signature-bundle`
|
||||
|
|
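Review bot: Steps 4 and 5 of the new list leave the failure and key-change cases undefined: nothing says what happens when a `key.pub` is already stored and the one inside the freshly downloaded `signature-bundle` differs, or when the signature check in step 5 fails, and the text gives no failure branch before step 6 stores `SHA256SUMS`. Suggest stating that step 5 always verifies against the locally stored key (the bundled key is only accepted on first use), and that a failed check or a changed key aborts without replacing the stored `SHA256SUMS`. Step 8's "else, stop" should also say that this stop is a verification failure and that the downloaded file is not written to stdout, since step 7 only mentions output for the matching case. It would help to document what happens when `file` has no entry in `SHA256SUMS` as well.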