NetSigil

NetSigil signs directories and verifies directory signatures. It allows anyone to check whether the files on a server have been tampered with (by the hosting provider, attackers, etc.). Use it to:

  • Sign an entire [Website]/[Gemini capsule]/[Gopher hole]
  • Verify any file on a signed [Website]/[Gemini capsule]/[Gopher hole] - not yet implemented

Usage:

netsigil --sign <dir>    # Sign a local copy of your site
netsigil --verify <URL>  # Verify remote signature

Uses signify. GPG support might be added later.

How it works

Signing

  1. Walks you through installing signify and generating a keypair.
  2. Generates a SHA256SUMS file containing SHA-256 hashes of all files in the specified directory (including subdirectories).
  3. Puts key.pub and SHA256SUMS into a tar.gz archive.
  4. Signs the archive, embedding the signature in the gzip header.
  5. Saves the signed archive within the directory, as .well-known/signature-bundle.

Best used within a script that synchronizes local files with the server. This is how I use it.

Verifying

Verification is not yet implemented, but can be done manually. Here is an example for the Gemini protocol (using agunua to download files):

# Download the signed bundle `signature-bundle`
agunua --insecure --binary gemini://rawtext.club/~nervuri/.well-known/signature-bundle > signature-bundle
# Extract the public key shipped inside the bundle (compare it with a copy obtained out of band before trusting it)
tar -xf signature-bundle key.pub
# Verify the signature embedded in the gzip header; signify -Vz writes the verified archive to stdout, which is discarded here
signify -Vz -p key.pub -x signature-bundle >/dev/null && echo 'Signature OK'
# Extract the signed manifest `SHA256SUMS`
tar -xf signature-bundle SHA256SUMS
# Download two files from the capsule, mirroring the directory structure
agunua --insecure --binary gemini://rawtext.club/~nervuri/contact.gmi > contact.gmi
mkdir keys && agunua --insecure --binary gemini://rawtext.club/~nervuri/keys/index.gmi > keys/index.gmi
# Check both against the manifest (files listed in SHA256SUMS but not downloaded are skipped)
sha256sum -c --ignore-missing SHA256SUMS
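As an added example (not part of NetSigil), the last step above done in Python: it parses SHA256SUMS, checks a local mirror the way `sha256sum -c --ignore-missing` does, and additionally reports files present locally that the signed manifest never listed, which sha256sum passes over silently. The file names and contents in `demo()` are constructed, not real capsule data.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sha256sums(text: str) -> dict:
    """Parse sha256sum(1) output: '<hex>  <path>' or '<hex> *<path>' (binary mode)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, rest = line[:64], line[64:]
        if len(digest) != 64 or not rest.startswith(("  ", " *")):
            raise ValueError(f"malformed manifest line: {line!r}")
        # Paths may be written as ./foo by `find . | xargs sha256sum`; normalise them
        entries[rest[2:].removeprefix("./")] = digest.lower()
    return entries

def check_mirror(manifest: dict, root: Path) -> dict:
    """Like `sha256sum -c --ignore-missing`, plus a list of files the manifest never covered."""
    result = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    local = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for name, digest in sorted(manifest.items()):
        if name not in local:
            result["missing"].append(name)      # not downloaded; skipped like --ignore-missing
        elif sha256_file(root / name) == digest:
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)     # content differs from what was signed
    result["unlisted"] = sorted(local - set(manifest))  # sha256sum -c would stay silent on these
    return result

def demo() -> dict:
    """Constructed scenario: three signed files, a partial mirror with one altered and one unsigned extra file."""
    files = {"contact.gmi": b"# Contact\n", "keys/index.gmi": b"# Keys\n", "index.gmi": b"# Home\n"}
    manifest = "".join(f"{hashlib.sha256(d).hexdigest()}  ./{n}\n" for n, d in files.items())
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "keys").mkdir()
        (root / "contact.gmi").write_bytes(files["contact.gmi"])
        (root / "keys" / "index.gmi").write_bytes(b"# Keys (altered)\n")  # tampered copy
        (root / "robots.txt").write_bytes(b"User-agent: *\n")             # not in the manifest
        return check_mirror(parse_sha256sums(manifest), root)
```

Treat any entry under `mismatch` or `unlisted` as a reason to distrust the mirror, since neither the signature nor `sha256sum -c` vouches for those files.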

Contributing

If you don't want to make an account here, just shoot me an email: https://nervuri.net/contact


The idea for this program spawned on the Gemini mailing list. Special thanks to Christophe Henry and Francesco Camuffo.