2.3 KiB
2.3 KiB
NetSigil
NetSigil signs directories and verifies directory signatures. This allows you and others to detect tampering by whoever might have access to wherever you upload them (hosting provider, attackers, etc). Use it to:
- Sign an entire [Website]/[Gemini capsule]/[Gopher hole]
- Verify any file on a signed [Website]/[Gemini capsule]/[Gopher hole] - not yet implemented
Usage:
netsigil --sign <dir> # Sign a local copy of your site
netsigil --verify <URL> # Verify remote signature
Uses signify. GPG support might be added later.
Generates .well-known/signature-bundle
, a signed tar.gz file.
Best used within a script that synchronizes local files with the server. This is how I use it.
How it works
Signing
- Walks you through installing
signify
and generating a keypair. - Generates a SHA256SUMS file containing hashes of all files in a directory, including subdirectories.
- Puts the public key and the SHA256SUMS file into an archive which it then signs using signify's
-z
option, which embeds the signature in the gzip header.
Verifying
Verification is not yet implemented, but can be done manually. Here is an example for the Gemini protocol (using agunua to download files):
# Download `signature-bundle`
agunua --insecure --binary gemini://rawtext.club/~nervuri/.well-known/signature-bundle > signature-bundle
# Extract the public key
tar -xf signature-bundle key.pub
# Verify `signature-bundle`
signify -Vz -p key.pub -x signature-bundle >/dev/null && echo 'Signature OK'
# Extract `SHA256SUMS`
tar -xf signature-bundle SHA256SUMS
# Download two files from the capsule, mirroring the directory structure
agunua --insecure --binary gemini://rawtext.club/~nervuri/contact.gmi > contact.gmi
mkdir keys && agunua --insecure --binary gemini://rawtext.club/~nervuri/keys/index.gmi > keys/index.gmi
# Verify them both
sha256sum -c --ignore-missing SHA256SUMS
The idea for this program spawned on the Gemini mailing list. Special thanks to Christophe Henry and Francesco Camuffo.