💾 Archived View for rawtext.club › ~sloum › geminilist › 006535.gmi captured on 2023-09-08 at 16:55:43. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-11-30)

-=-=-=-=-=-=-

<-- back to the mailing list

[tech] Integrity checks for Gemini pages

ew.gemini ew.gemini at nassur.net

Wed May 19 08:40:16 BST 2021

- - - - - - - - - - - - - - - - - - - 

Hello almaember,

Almaember <almaember at disroot.org> writes:

Hello, everybody!

I know that there is no way in Gemini right now to check the integrity

of pages. However, it would be nice for this to possible.

Integrity in the sense of "the file remained unchanged intransit"? TLS should take care of that. In the sense "the fileis the one that the original author intented it to be"?

There are at least two attempts to deal with this:

If you dare to check my capsule at=

gemini://ew.srht.site/

There are two links to openbsd-signify and NetSigil.

When I publish a post, my Makefile takes care to createcorresponding sha256 checksums. They are concatenated into onefile, which is then signed using my gpg key. That's one option.

The same information is packaged differently to.well-known/signature-bundle. This file is created usingopenbds-signify.

There are a few threads on the mailing list, too ...https://lists.orbitalfox.eu/archives/gemini/2021/005550.htmlhttps://lists.orbitalfox.eu/archives/gemini/2021/005374.htmlhttps://lists.orbitalfox.eu/archives/gemini/2021/005331.html

Also see my first post about experimenting with this:=

gemini://ew.srht.site/en/2020/20201217-towards-a-proper-flightlog-4.gmi

There are two parts to this, as I see it.

1.Create the checksums/signature in some agreed upon format.Everyone editing a capsule has to do this. While a bit tedious,it still can be done manually on the shell (unix typeenvironment assumed).

2.Upon user request browsers have to check these agreed uponlocations, download the signed file, possibly download thepublic key, cache these things properly and then do theverification. I am not aware that any gemini browsers havepicked this up. But of course, I would be pleased to be provenwrong :)

snip<

Hope this helps,~ew

-- Keep it simple!-------------- next part --------------A non-text attachment was scrubbed...Name: signature.ascType: application/pgp-signatureSize: 861 bytesDesc: not availableURL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20210519/2c6a38d3/attachment.sig>