nervuri
/
trust-stores
1
2
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Pre-generated trust stores for various Gemini clients
180 Commits 1 Branch 0 Tags 13 MiB
Shell 100%
Go to file
nervuri 8eb1ae6bfb
run 172 		2024-04-15 17:56:18 +00:00
agunua remove client-specific trust stores 2023-09-23 10:43:10 +00:00
amfora remove client-specific trust stores 2023-09-23 10:43:10 +00:00
certs run 172 2024-04-15 17:56:18 +00:00
lagrange remove client-specific trust stores 2023-09-23 10:43:10 +00:00
.gitignore run 21 2021-07-04 15:37:19 +03:00
LICENSE.txt init 2021-04-28 12:20:10 +03:00
README.md remove client-specific trust stores 2023-09-23 10:43:10 +00:00
cert-details.csv run 172 2024-04-15 17:56:18 +00:00
cert-details.md run 172 2024-04-15 17:56:18 +00:00
hosts run 172 2024-04-15 17:56:18 +00:00
log-stderr run 172 2024-04-15 17:56:18 +00:00
log-stdout run 172 2024-04-15 17:56:18 +00:00

README.md

Gemini Trust Stores

Geminispace is (currently) small enough that we can afford to download all known capsules' TLS certificates and use them to generate trust stores for various Gemini clients. If verified via multiple network perspectives, using a pre-generated trust store is a major improvement over blindly trusting-on-first-use.

This repo contains:

  1. All TLS certificates of capsules listed on geminispace.info and Lupa, updated about once per week. This gives us a history of certificates in Geminispace, starting in 2021-04-27.
  2. A table containing details about each certificate (markdown and CSV).
  3. Scripts to generate trust stores for various Gemini clients, currently:

You can find instructions on how to use them in their respective directories.

All trust store generators accept certificate expiry boundaries as arguments. Examples:

./generate.sh          # all certs
./generate.sh 90+      # certs that will expire in more than 90 days from now
./generate.sh 30-      # certs that have expired more than 30 days ago
./generate.sh 30- 90+  # both of the above; in other words, certs are excluded if:
                       # {30 days ago} < cert_expiry < {90 days from now}

This is to assist client developers who wish to bundle pre-generated trust stores with their clients, but only want to include long-lived (and long-expired) certificates.

All scripts used in this project are available in the Trust Store Generators repository. The Tor option is used when running get-certs.sh, so most certificates herein are attested to from at least two network perspectives.

All commits are signed with this GPG key (B769BD004A417E3A5A902DD1C4769EEA7BA61672).

You don't need to trust that I am publishing the correct certificates. The scripts should be easy to understand; I encourage you to run them yourselves and generate these files from your own network perspectives. If the results don't coincide with what I've published, please let me know.

How to contribute

The project is hosted at tildegit.org. If you don't want to make an account, just shoot me an email with your patch/suggestion/bug report/whatever else.