
[tech] Geminipg: using Gnupg to sign Gemini pages and directories

Christophe HENRY listes at sbgodin.fr

Tue Feb 23 23:10:48 GMT 2021

- - - - - - - - - - - - - - - - - - - 

Hi all!

This is a proposal to add signature capability to any page or directory. Indeed, this could also be applicable to an HTML service. The point is, with Gemini, that the page you get on Gemini is just like it appears to be.

You may need to publish and be sure that like people can check the pages. People may want to be sure that the text was signed by its alleged author.

For a file:

gpg --detach-sign --armor --output index.gmi.sig index.gmi

The file "index.gmi" is signed using the current certificate. The signature is a binary file.

gpg --verify index.gmi.sig index.gmi

The command checks the signature and returns the date and the key used.

For a directory:

sha256sum directory/* | gpg --clear-sign --output directory.sig

All the files of "directory" are sha256-summed. The results go in a file that is signed.

On the server side

One signature for one file

./chapter_1.gmi
./chapter_1.sig
./chapter_2.gmi
./chapter_2.sig

Several signatures for one file

./page.gmi
./page.gmi.sig/
./page.gmi.sig/{sha256 of the signed file}-{fingerprint of the signing key #1}.sig
./page.gmi.sig/{sha256 of the signed file}-{fingerprint of the signing key #2}.sig

One signature for one directory

./mybook/chapter_1.gmi
./mybook/chapter_2.gmi
./mybook.sig

Several signatures for one directory

./mybook/chapter_1.gmi
./mybook/chapter_2.gmi
./mybook.sig/
./mybook.sig/{sha256 of the signed file list}-{fingerprint of the signing key #1}.sig
./mybook.sig/{sha256 of the signed file list}-{fingerprint of the signing key #2}.sig

On the client side:

Signatures discovery for ./directory/page.gmi :

1. ./directory/page.gmi.sig   # one signature
2. ./directory/page.gmi.sig/  # several signatures for one page
3. ./directory.sig            # all the files of the directory for one signature
4. ./directory.sig/           # all the files of the directory for several signatures

In such a case, the server must return a directory index or an "index.gmi" containing all the links for the signatures.

Publishing

The writer signs the files before publishing them. The server may also generate the signature on the fly; it regenerates the signature if the file is newer than the signature.

General requirements:

Thanks in advance for all points of view and remarks!

-- 
Christophe HENRY
FR EO EN - https://sbgodin.fr
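The naming and discovery rules of the proposal, modelled in Python as an added example that is not part of Christophe's post: the candidate list a client walks for a page, the `{sha256}-{fingerprint}.sig` entry names, and the comparison of a signed `sha256sum` listing against the directory as served. It assumes `gpg --verify` (the post's own command) has already succeeded on the signature; the file contents and fingerprint are constructed placeholders.

```python
import hashlib

def signature_candidates(page: str) -> list[str]:
    """Discovery order for ./directory/page.gmi, as listed in the post."""
    directory = page.rsplit("/", 1)[0] if "/" in page else "."
    return [page + ".sig", page + ".sig/", directory + ".sig", directory + ".sig/"]

def sha256sum_listing(files: dict[str, bytes]) -> str:
    """The text `sha256sum directory/*` prints (sorted like a shell glob)."""
    return "".join(f"{hashlib.sha256(data).hexdigest()}  {name}\n"
                   for name, data in sorted(files.items()))

def multisig_name(signed: bytes, fingerprint: str) -> str:
    """Entry name inside a *.sig/ directory: {sha256 of signed data}-{key fpr}.sig"""
    return f"{hashlib.sha256(signed).hexdigest()}-{fingerprint.upper()}.sig"

def current_signatures(signed: bytes, entries: list[str]) -> list[str]:
    """Keep only *.sig/ entries whose digest matches the bytes actually fetched;
    signatures left over from an older revision are dropped before gpg runs."""
    want = hashlib.sha256(signed).hexdigest() + "-"
    return [e for e in entries if e.startswith(want) and e.endswith(".sig")]

def check_listing(listing: str, files: dict[str, bytes]) -> dict[str, list[str]]:
    """After gpg has verified the clear-signed listing, compare it with the
    directory as served: files whose digest changed, files present but never
    signed (a directory signature says nothing about files added later),
    and signed files that have disappeared."""
    signed = {}
    for line in listing.splitlines():
        digest, name = line.split("  ", 1)  # sha256sum format: digest, 2 spaces, name
        signed[name] = digest
    modified = [n for n, d in files.items()
                if n in signed and hashlib.sha256(d).hexdigest() != signed[n]]
    unsigned = [n for n in files if n not in signed]
    missing = [n for n in signed if n not in files]
    return {"modified": modified, "unsigned": unsigned, "missing": missing}

# Constructed sample data (placeholder contents and fingerprint).
BOOK = {"mybook/chapter_1.gmi": b"# Chapter 1\n",
        "mybook/chapter_2.gmi": b"# Chapter 2\n"}
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

if __name__ == "__main__":
    listing = sha256sum_listing(BOOK)
    print("./mybook.sig/" + multisig_name(listing.encode(), FPR))
    served = dict(BOOK, **{"mybook/chapter_2.gmi": b"# Chapter 2 (edited)\n",
                           "mybook/extra.gmi": b""})
    print(check_listing(listing, served))
```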