Pre-generated trust stores for various Gemini clients
Latest commit: cdf49851d8 by nervuri
remove client-specific trust stores
Running `generate-trust-stores.sh` for a client currently takes about 10
minutes on my machine.  Since this is a very niche thing that probably
nobody makes use of, spending the extra 30 minutes on every run seems
pointless.  It makes more sense for this repo to only contain the
certificates that the trust stores are based upon.

So if you want to use a client-specific trust store, simply clone the
repo and run the generator script for either Agunua, Amfora or Lagrange.
2023-09-23 10:43:10 +00:00
| Path | Last commit | Date |
|---|---|---|
| agunua | remove client-specific trust stores | 2023-09-23 10:43:10 +00:00 |
| amfora | remove client-specific trust stores | 2023-09-23 10:43:10 +00:00 |
| certs | run 147 | 2023-09-17 18:17:11 +00:00 |
| lagrange | remove client-specific trust stores | 2023-09-23 10:43:10 +00:00 |
| .gitignore | run 21 | 2021-07-04 15:37:19 +03:00 |
| LICENSE.txt | init | 2021-04-28 12:20:10 +03:00 |
| README.md | remove client-specific trust stores | 2023-09-23 10:43:10 +00:00 |
| cert-details.csv | run 147 | 2023-09-17 18:17:11 +00:00 |
| cert-details.md | run 147 | 2023-09-17 18:17:11 +00:00 |
| hosts | run 147 | 2023-09-17 18:17:11 +00:00 |
| log-stderr | run 147 | 2023-09-17 18:17:11 +00:00 |
| log-stdout | run 147 | 2023-09-17 18:17:11 +00:00 |

README.md

Gemini Trust Stores

Geminispace is (currently) small enough that we can afford to download all known capsules' TLS certificates and use them to generate trust stores for various Gemini clients. When the certificates have been verified from multiple network perspectives, a pre-generated trust store is a major improvement over blindly trusting on first use (TOFU), since an on-path attacker would have to intercept every perspective consistently rather than just your first connection.

This repo contains:

  1. All TLS certificates of capsules listed on geminispace.info and Lupa, updated about once per week. This gives us a history of certificates in Geminispace, starting on 2021-04-27.
  2. A table containing details about each certificate (markdown and CSV).
  3. Scripts to generate trust stores for various Gemini clients, currently:
     - Agunua
     - Amfora
     - Lagrange

You can find instructions on how to use them in their respective directories.

All trust store generators accept certificate expiry boundaries as arguments. Examples:

```sh
./generate.sh          # all certs
./generate.sh 90+      # certs that will expire in more than 90 days from now
./generate.sh 30-      # certs that have expired more than 30 days ago
./generate.sh 30- 90+  # both of the above; in other words, certs are excluded if:
                       # {30 days ago} < cert_expiry < {90 days from now}
```

This is to assist client developers who wish to bundle pre-generated trust stores with their clients, but only want to include long-lived (and long-expired) certificates.
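The boundary rule above, reimplemented as an added Python example so its edge cases can be checked on known input. This is not the project's own generator (those are shell scripts); the CSV rows, host names and the fixed "now" are constructed for illustration and contain no real capsule certificates.

```python
"""Expiry-boundary filter, as an added example of the README's argument
semantics ("90+", "30-", both, or none).  Not the project's script.
SAMPLE_CSV is constructed sample input shaped like cert-details.csv.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows: host, notAfter in UTC.  Not real data.
SAMPLE_CSV = """host,not_after
expired-long.example,2023-01-01T00:00:00Z
expired-recent.example,2023-09-10T00:00:00Z
expires-soon.example,2023-10-01T00:00:00Z
long-lived.example,2024-09-01T00:00:00Z
"""

# Fixed reference time so the results below are reproducible.
NOW = datetime(2023, 9, 17, tzinfo=timezone.utc)


def parse_boundary(arg):
    """'90+' -> ('+', 90); '30-' -> ('-', 30).  Anything else is rejected."""
    if len(arg) < 2 or arg[-1] not in "+-" or not arg[:-1].isdigit():
        raise ValueError(f"bad expiry boundary {arg!r}; expected e.g. 90+ or 30-")
    return arg[-1], int(arg[:-1])


def keep_cert(not_after, args, now):
    """Decide whether a certificate expiring at `not_after` survives `args`.

    '90+' keeps certs expiring more than 90 days after `now`;
    '30-' keeps certs that expired more than 30 days before `now`;
    with both, a cert is excluded exactly when
        now - 30d < not_after < now + 90d
    (the README's rule); with no args everything is kept.
    If a sign is repeated, the strictest (largest) value wins.
    """
    bounds = [parse_boundary(a) for a in args]
    if not bounds:
        return True
    upper = [n for sign, n in bounds if sign == "+"]
    lower = [n for sign, n in bounds if sign == "-"]
    long_lived = bool(upper) and not_after > now + timedelta(days=max(upper))
    long_expired = bool(lower) and not_after < now - timedelta(days=max(lower))
    if upper and lower:
        return long_lived or long_expired
    return long_lived if upper else long_expired


def filter_hosts(csv_text, args, now):
    """Return the hosts from a cert-details style CSV that pass the filter."""
    kept = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        not_after = datetime.strptime(
            row["not_after"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        if keep_cert(not_after, args, now):
            kept.append(row["host"])
    return kept


if __name__ == "__main__":
    for args in ([], ["90+"], ["30-"], ["30-", "90+"]):
        print(" ".join(args) or "(no args)", "->", filter_hosts(SAMPLE_CSV, args, NOW))
```

Note that a certificate expiring within the window (expires-soon.example) is dropped by `30- 90+` even though it is still valid today: that is the intended trade-off for a bundled store, which should not ship entries that will go stale before the client's next release.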

All scripts used in this project are available in the Trust Store Generators repository. The Tor option is used when running get-certs.sh, so most certificates herein are attested to from at least two network perspectives.

All commits are signed with this GPG key (B769BD004A417E3A5A902DD1C4769EEA7BA61672).

You don't need to trust that I am publishing the correct certificates. The scripts should be easy to understand; I encourage you to run them yourselves and generate these files from your own network perspectives. If the results don't coincide with what I've published, please let me know.
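The multi-perspective check the README relies on (fetching over Tor as well as directly, and comparing your own results with the published ones), as an added Python example. It is not the project's get-certs.sh: it only shows how to reconcile two per-perspective fingerprint lists so that a mismatch is surfaced instead of silently resolved in favour of one path. The hosts, the `host fingerprint` line format and the fingerprint values are constructed for illustration.

```python
"""Cross-perspective reconciliation of certificate fingerprints.

Added example, not the project's code.  Given what a direct fetch and a
fetch via Tor each saw for every host, keep only hosts where both agree
and report the rest separately.  All input below is constructed.
"""
import hashlib


def fake_fingerprint(label):
    """Constructed stand-in for a SHA-256 certificate fingerprint."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed 'host fingerprint' lines, one list per perspective.  Not real data.
DIRECT_VIEW = "\n".join([
    "# host sha256 (direct fetch)",
    f"alpha.example {fake_fingerprint('alpha-cert')}",
    f"beta.example {fake_fingerprint('beta-cert')}",
    f"gamma.example {fake_fingerprint('gamma-cert')}",   # not seen via Tor
])
TOR_VIEW = "\n".join([
    "# host sha256 (via Tor)",
    f"alpha.example {fake_fingerprint('alpha-cert')}",
    f"beta.example {fake_fingerprint('beta-cert-tampered')}",  # differs from direct
    f"delta.example {fake_fingerprint('delta-cert')}",         # not seen directly
])


def parse_view(text):
    """Parse 'host fingerprint' lines into {host: fingerprint}; '#' lines ignored."""
    view = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, fp = line.split()
        fp = fp.lower()
        if host in view and view[host] != fp:
            raise ValueError(f"conflicting fingerprints for {host} within one perspective")
        view[host] = fp
    return view


def reconcile(direct, tor):
    """Split hosts into (agreed, disagreed, only_one).

    agreed:    same fingerprint from both perspectives -> eligible for the store
    disagreed: different fingerprints -> possible interception on one path, or a
               certificate rotation between the two fetches; exclude and re-fetch
               rather than picking a winner
    only_one:  seen from a single perspective (timeout, Tor exit blocked, ...);
               not dual-attested, so kept out of the attested set
    """
    agreed, disagreed, only_one = {}, {}, {}
    for host in sorted(set(direct) | set(tor)):
        d, t = direct.get(host), tor.get(host)
        if d is None or t is None:
            only_one[host] = ("direct", d) if t is None else ("tor", t)
        elif d == t:
            agreed[host] = d
        else:
            disagreed[host] = (d, t)
    return agreed, disagreed, only_one


if __name__ == "__main__":
    agreed, disagreed, only_one = reconcile(parse_view(DIRECT_VIEW), parse_view(TOR_VIEW))
    print("attested by both perspectives:", sorted(agreed))
    print("mismatch, do not trust:", sorted(disagreed))
    print("single perspective only:", only_one)
```

The same `reconcile` call works for comparing your own run against the published `certs` directory: a host in `disagreed` is exactly the "results don't coincide" case the paragraph above asks you to report, and a legitimate rotation should show up as the published fingerprint being replaced in the next weekly run, not as a persistent split between perspectives.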

How to contribute

The project is hosted at tildegit.org. If you don't want to make an account, just shoot me an email with your patch/suggestion/bug report/whatever else.