Trust store generator scripts for various Gemini clients
nervuri fd57e030f8
main.sh: comment out calls to per-client trust store gen scripts
Also, update script duration estimates in README.
2023-09-23 14:00:51 +00:00
agunua output execution duration for each script 2023-03-19 17:21:40 +00:00
amfora output execution duration for each script 2023-03-19 17:21:40 +00:00
lagrange output execution duration for each script 2023-03-19 17:21:40 +00:00
LICENSE.txt init 2021-04-28 12:20:18 +03:00
README.md main.sh: comment out calls to per-client trust store gen scripts 2023-09-23 14:00:51 +00:00
cert-details.sh output execution duration for each script 2023-03-19 17:21:40 +00:00
excluded-hosts trivial changes 2022-08-07 00:00:00 +00:00
expiry-boundaries.sh init 2021-04-28 12:20:18 +03:00
get-certs.sh make it clear that torsocks is no longer optional 2023-09-10 15:29:51 +00:00
get-hosts.sh improve hostname cleanup 2023-09-10 14:37:57 +00:00
main.sh main.sh: comment out calls to per-client trust store gen scripts 2023-09-23 14:00:51 +00:00
prune-old-certs.sh output execution duration for each script 2023-03-19 17:21:40 +00:00
test-hosts update test hosts 2023-09-10 15:31:11 +00:00

README.md

Gemini Trust Store Generators

Geminispace is (currently) small enough that we can afford to download every known capsule's TLS certificate and use the results to generate trust stores for various Gemini clients. If the certificates are verified from multiple network perspectives (so that a single on-path attacker cannot feed the same forged certificate to every fetch), a pre-generated trust store is a major improvement over blindly trusting on first use (TOFU).

This repo contains scripts for:

  1. downloading a list of hosts from geminispace.info and Lupa
  2. downloading the TLS certificates of those hosts
  3. generating a table containing details about each certificate
  4. generating trust stores for various Gemini clients; judging by the per-client directories in this repo, currently Agunua, Amfora and Lagrange

Trust stores generated by these scripts can be found at https://tildegit.org/nervuri/trust-stores

Dependencies

OpenSSL, idn, Agunua, torsocks (torsocks is used for .onion capsules and for double-checking certificates using a different network perspective).

To install them in Debian, run: sudo apt install openssl idn torsocks and pip3 install agunua.

Usage

./main.sh will run all scripts except for client-specific trust store generators. For the trust stores repo, I use time ./main.sh >log-stdout 2>log-stderr. For 2592 hosts, the command takes around 2 hours and 25 minutes to complete with Tor verification enabled. The trust store generator scripts take about 10 minutes for each client.

get-certs.sh accepts tor as an optional argument, to double-check certificates using the Tor network. This option will automatically be used when you run ./main.sh.

All trust store generators accept certificate expiry boundaries as arguments. Ex:

./generate.sh          # all certs
./generate.sh 90+      # certs that will expire in more than 90 days from now
./generate.sh 30-      # certs that have expired more than 30 days ago
./generate.sh 30- 90+  # both of the above; in other words, certs are excluded if:
                       # {30 days ago} < cert_expiry < {90 days from now}

This is to assist client developers who wish to bundle pre-generated trust stores with their clients, but only want to include long-lived (and long-expired) certificates.
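The two filtering decisions described above (dropping a certificate whose direct and Tor fetches disagree, then applying the "N-" / "N+" expiry boundaries) are easy to get subtly wrong at the boundaries, so here is an added, self-contained POSIX sh example. It is not the project's own get-certs.sh or expiry-boundaries.sh; the table format (host, direct fingerprint, Tor fingerprint, notAfter as a Unix epoch), the fingerprints, the fixed "now" and the rule that a host with no second perspective (a "-" in the Tor column, e.g. an .onion capsule) is kept are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the trust-store-generators repo. It models two
# decisions the README describes: (1) keep a certificate only when the direct
# and Tor fetches saw the same fingerprint, (2) apply "N-" / "N+" expiry
# boundaries. All input data and the table layout are constructed.

DAY=86400

# boundary_epoch NOW ARG: print the epoch for "N-" (N days before NOW) or
# "N+" (N days after NOW). Non-numeric N or a missing suffix is an error.
boundary_epoch() {
    now=$1; arg=$2
    n=${arg%[-+]}                       # strip one trailing '-' or '+'
    case "$n" in
        ''|*[!0-9]*) printf 'bad boundary: %s\n' "$arg" >&2; return 2 ;;
    esac
    case "$arg" in
        *-) echo $(( now - n * DAY )) ;;
        *+) echo $(( now + n * DAY )) ;;
        *)  printf 'bad boundary: %s\n' "$arg" >&2; return 2 ;;
    esac
}

# include_by_expiry NOW EXPIRY [BOUNDARY...]: exit 0 to include the cert.
# No boundary: everything is included. "N+": only certs expiring more than N
# days from now. "N-": only certs that expired more than N days ago. Both:
# a cert is dropped only when {N- days ago} <= expiry <= {N+ days from now}.
include_by_expiry() {
    now=$1; expiry=$2; shift 2
    lower=''; upper=''
    for arg in "$@"; do
        e=$(boundary_epoch "$now" "$arg") || return 2
        case "$arg" in
            *-) lower=$e ;;
            *+) upper=$e ;;
        esac
    done
    if [ -n "$lower" ] && [ "$expiry" -lt "$lower" ]; then return 0; fi
    if [ -n "$upper" ] && [ "$expiry" -gt "$upper" ]; then return 0; fi
    [ -z "$lower" ] && [ -z "$upper" ]   # true only when no boundary was given
}

# filter_hosts NOW [BOUNDARY...] < table
# Table rows: host direct_fp tor_fp notafter_epoch; '-' in the tor column
# means only one perspective was available (kept, but it is worth knowing).
# Prints hosts that pass both checks; perspective mismatches go to stderr.
filter_hosts() {
    fnow=$1; shift
    while read -r host direct tor expiry; do
        case "$host" in ''|'#'*) continue ;; esac
        if [ "$tor" != "-" ] && [ "$tor" != "$direct" ]; then
            printf 'perspective mismatch for %s: %s vs %s\n' \
                "$host" "$direct" "$tor" >&2
            continue
        fi
        if include_by_expiry "$fnow" "$expiry" "$@"; then
            printf '%s\n' "$host"
        fi
    done
}

# Constructed sample table; "now" for the demo is 1700000000 (2023-11-14).
SAMPLE='# host          direct  tor     notafter
long.example    fp-a    fp-a    1720000000
soon.example    fp-b    fp-b    1703000000
stale.example   fp-c    fp-c    1690000000
recent.example  fp-d    fp-d    1699000000
mitm.example    fp-e    fp-f    1720000000
onion.example   fp-g    -       1720000000'

# demo [BOUNDARY...]: run the filter over SAMPLE, hosts space-separated.
demo() {
    printf '%s\n' "$SAMPLE" | filter_hosts 1700000000 "$@" | tr '\n' ' ' | sed 's/ $//'
}

demo "$@"
```

Run it as `sh filter.sh`, `sh filter.sh 90+`, `sh filter.sh 30-` or `sh filter.sh 30- 90+` to see the four cases from the usage section; mitm.example is reported on stderr and never makes it into the output, and a certificate that sits exactly on a boundary is excluded, which is the conservative side of the README's strict inequality.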

How to contribute

The project is hosted at tildegit.org. If you don't want to make an account, just shoot me an email with your patch/suggestion/bug report/whatever else.