Geminispace is (currently) small enough that we can afford to download all known capsules' TLS certificates and use them to generate trust stores for various Gemini clients. If the certificates are verified from multiple network perspectives, using a pre-generated trust store is a major improvement over blindly trusting on first use (TOFU), since a client can then notice a certificate that one vantage point saw but another did not.
1. downloading a list of hosts from [geminispace.info](gemini://geminispace.info/known-hosts) and [Lupa](gemini://gemini.bortzmeyer.org/software/lupa/lupa-capsules.txt)
Optional: [torsocks](https://packages.debian.org/buster/torsocks) (for .onion capsules and for double-checking certificates using a different network perspective) and [Agunua](https://framagit.org/bortzmeyer/agunua) (for downloading host lists more securely).
`./main.sh` will run all scripts. For the [trust stores repo](https://tildegit.org/nervuri/trust-stores), I use `time ./main.sh >log-stdout 2>log-stderr`. For 893 hosts, the command takes around 80 minutes to complete with Tor verification and 45 minutes without.
`get-certs.sh` accepts `tor` as an optional argument, to double-check certificates using the Tor network. If you have `torsocks` installed, this option will automatically be used when you run `./main.sh`.
All trust store generators accept certificate expiry boundaries as arguments. Ex:
```
./generate.sh # all certs
./generate.sh 90+ # certs that will expire in more than 90 days from now
./generate.sh 30- # certs that have expired more than 30 days ago
./generate.sh 30- 90+ # both of the above; in other words, certs are excluded if:
# {30 days ago} < cert_expiry < {90 days from now}
```
This is to assist client developers who wish to bundle pre-generated trust stores with their clients, but only want to include long-lived (and long-expired) certificates.
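The two ideas above, verifying each certificate from more than one network perspective and filtering by an expiry window, are small enough to show in one place. The following is an added example written for this README, not code from the trust-store-generators project: it re-implements the `30-` / `90+` window rule of `generate.sh` in Python and adds the cross-perspective agreement check (direct vs. Tor) that decides whether a host is admitted to the store at all. The hostnames, fingerprints, expiry dates and the `direct`/`tor` perspective labels are constructed sample data, and the function names are my own.

```python
"""Added example, not code from the trust-store-generators project.

Re-implements two ideas from the README:
  * the expiry-window filter behind `./generate.sh 30- 90+`
  * a multi-perspective agreement check (e.g. direct vs. Tor) before a
    certificate is admitted to the trust store.
Hostnames, fingerprints and expiry dates below are constructed sample data.
"""
import re
from datetime import datetime, timedelta, timezone


def parse_bounds(args):
    """Turn arguments such as ['30-', '90+'] into (expired_days, future_days).

    'N-' keeps only certificates that expired more than N days ago,
    'N+' keeps only certificates that expire more than N days from now.
    A bound that was not given is returned as None.
    """
    expired_days = future_days = None
    for arg in args:
        match = re.fullmatch(r"(\d+)([+-])", arg)
        if match is None:
            raise ValueError(f"bad expiry boundary: {arg!r}")
        days, sign = int(match.group(1)), match.group(2)
        if sign == "+":
            future_days = days
        else:
            expired_days = days
    return expired_days, future_days


def keep_cert(not_after, now, expired_days=None, future_days=None):
    """Apply the generate.sh window rule to one certificate's notAfter time.

    With no bounds every certificate is kept.  With both bounds a certificate
    is excluded exactly when
        {expired_days ago} < not_after < {future_days from now},
    i.e. it is kept when it is long-expired OR long-lived.  A single bound
    keeps only its own side of the window.
    """
    if expired_days is None and future_days is None:
        return True
    long_expired = expired_days is not None and not_after < now - timedelta(days=expired_days)
    long_lived = future_days is not None and not_after > now + timedelta(days=future_days)
    return long_expired or long_lived


def perspective_conflicts(observations):
    """Hosts whose fingerprint differs between network perspectives.

    `observations` maps host -> {perspective_name: sha256_hex_fingerprint}.
    A mismatch means the vantage points saw different certificates, which is
    exactly the situation a TOFU client cannot detect on its own.
    """
    return sorted(h for h, seen in observations.items() if len(set(seen.values())) > 1)


def build_trust_store(observations, expiries, now, args=()):
    """Return {host: fingerprint} for hosts that (a) all perspectives agree on
    and (b) fall inside the requested expiry window."""
    expired_days, future_days = parse_bounds(args)
    conflicts = set(perspective_conflicts(observations))
    store = {}
    for host, seen in observations.items():
        if host in conflicts:
            continue  # never pin a certificate the perspectives disagree on
        if keep_cert(expiries[host], now, expired_days, future_days):
            store[host] = next(iter(seen.values()))
    return store


# --- constructed sample data (not real capsules) ----------------------------
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
FP = {name: name * 32 for name in ("aa", "bb", "cc", "dd", "ee")}  # fake sha256 hex
OBSERVATIONS = {
    "alpha.example": {"direct": FP["aa"], "tor": FP["aa"]},
    "beta.example":  {"direct": FP["bb"], "tor": FP["bb"]},
    "gamma.example": {"direct": FP["cc"], "tor": FP["cc"]},
    "delta.example": {"direct": FP["dd"], "tor": FP["ee"]},  # perspectives disagree
}
EXPIRIES = {
    "alpha.example": NOW + timedelta(days=365),   # long-lived
    "beta.example":  NOW + timedelta(days=10),    # expires soon: dropped by 30- 90+
    "gamma.example": NOW - timedelta(days=400),   # long-expired
    "delta.example": NOW + timedelta(days=400),
}

if __name__ == "__main__":
    print("conflicts:", perspective_conflicts(OBSERVATIONS))
    for args in ([], ["90+"], ["30-"], ["30-", "90+"]):
        kept = sorted(build_trust_store(OBSERVATIONS, EXPIRIES, NOW, args))
        print(args or "all", "->", kept)
```

Run as a script it prints which sample hosts survive each argument combination; `delta.example` is dropped in every case because its direct and Tor fingerprints differ, while `beta.example` survives only when no window is given, mirroring the `30- 90+` exclusion rule in the README.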
## How to contribute
The project is hosted [at tildegit.org](https://tildegit.org/nervuri/trust-store-generators). If you don't want to make an account, just [shoot me an email](https://nervuri.net/contact) with your [patch](https://git-send-email.io/)/suggestion/bug report/whatever else.