Pre-generated trust stores for various Gemini clients
Go to file
nervuri ad5252549f
run 155
2023-11-26 16:02:56 +00:00
agunua remove client-specific trust stores 2023-09-23 10:43:10 +00:00
amfora remove client-specific trust stores 2023-09-23 10:43:10 +00:00
certs run 155 2023-11-26 16:02:56 +00:00
lagrange remove client-specific trust stores 2023-09-23 10:43:10 +00:00
.gitignore run 21 2021-07-04 15:37:19 +03:00
LICENSE.txt init 2021-04-28 12:20:10 +03:00 remove client-specific trust stores 2023-09-23 10:43:10 +00:00
cert-details.csv run 155 2023-11-26 16:02:56 +00:00 run 155 2023-11-26 16:02:56 +00:00
hosts run 155 2023-11-26 16:02:56 +00:00
log-stderr run 155 2023-11-26 16:02:56 +00:00
log-stdout run 155 2023-11-26 16:02:56 +00:00

Gemini Trust Stores

Geminispace is (currently) small enough that we can afford to download all known capsules' TLS certificates and use them to generate trust stores for various Gemini clients. If verified via multiple network perspectives, using a pre-generated trust store is a major improvement over blindly trusting-on-first-use.

This repo contains:

  1. All TLS certificates of capsules listed on and Lupa, updated about once per week. This gives us a history of certificates in Geminispace, starting in 2021-04-27.
  2. A table containing details about each certificate (markdown and CSV).
  3. Scripts to generate trust stores for various Gemini clients, currently:

You can find instructions on how to use them in their respective directories.

All trust store generators accept certificate expiry boundaries as arguments. Examples:

./          # all certs
./ 90+      # certs that will expire in more than 90 days from now
./ 30-      # certs that have expired more than 30 days ago
./ 30- 90+  # both of the above; in other words, certs are excluded if:
                       # {30 days ago} < cert_expiry < {90 days from now}

This is to assist client developers who wish to bundle pre-generated trust stores with their clients, but only want to include long-lived (and long-expired) certificates.

All scripts used in this project are available in the Trust Store Generators repository. The Tor option is used when running, so most certificates herein are attested to from at least two network perspectives.

All commits are signed with this GPG key (B769BD004A417E3A5A902DD1C4769EEA7BA61672).

You don't need to trust that I am publishing the correct certificates. The scripts should be easy to understand; I encourage you to run them yourselves and generate these files from your own network perspectives. If the results don't coincide with what I've published, please let me know.

How to contribute

The project is hosted at If you don't want to make an account, just shoot me an email with your patch/suggestion/bug report/whatever else.