[tech] Geminipg: using Gnupg to sign Gemini pages and directories

Christophe HENRY listes at sbgodin.fr
Tue Feb 23 23:10:48 GMT 2021

Hi all!

This is a proposal to add signature capability to any page or
directory. Indeed, this could also apply to an HTML service.
The point with Gemini is that the page you get is just what it
appears to be.

You may need to publish and be sure that people can check the
pages. People may want to be sure that the text was signed by its
alleged author.

## For a file:

gpg --detach-sign --armor --output index.gmi.sig index.gmi

The file "index.gmi" is signed using the current certificate. The
signature is a binary file.

gpg --verify index.gmi.sig index.gmi

The command checks the signature and returns the date and the key used.

## For a directory:

sha256sum directory/* | gpg --clear-sign --output directory.sig

All the files of "directory" are sha256-summed. The results go in a file that is signed.

# On the server side

## One signature for one file


## Several signatures for one file

./page.gmi.sig/{sha256 of the signed file}-{fingerprint of the signing key #1}.sig
./page.gmi.sig/{sha256 of the signed file}-{fingerprint of the signing key #2}.sig

## One signature for one directory


## Several signatures for one directory

./mybook.sig/{sha256 of the signed file list}-{fingerprint of the signing key #1}.sig
./mybook.sig/{sha256 of the signed file list}-{fingerprint of the signing key #2}.sig

# On the client side:

Signatures discovery for ./directory/page.gmi :

1. ./directory/page.gmi.sig # one signature
2. ./directory/page.gmi.sig/ # several signatures for one page
3. ./directory.sig # all the files of the directory for one signature
4. ./directory.sig/ # all the files of the directory for several signatures

In such a case, the server must return a directory index or a
"index.gmi" containing all the links for the signatures.

# Publishing

The writer signs the files before publishing them. The server may also
generate the signature on the fly; it regenerates the signature if the
file is newer than the signature.

# General requirements:

* It's optional and must work with a non-aware browser and server.
* The whole page content is signed.
* The filename and the URI of the page mustn't be part of the signature.
* It must always be possible to check by hand: just download the
  page and the signatures, and verify each signature.

Thanks in advance for all point of view and remarks!

Christophe HENRY
FR EO EN - https://sbgodin.fr
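The client-side part of the proposal, as an added example that is not code from the original post nor from any Gemini client: it walks the four signature locations in the order listed above, skips multi-signature entries whose sha256 prefix no longer matches the page, and re-hashes every file named in a clear-signed `sha256sum` manifest. The OpenPGP check itself is delegated to the same `gpg --verify` the post shows and is only run when gpg is installed; the fixture built by `demo()` is constructed here with placeholder signature blocks, and all function names are assumptions of this example.

```python
import hashlib
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Multi-signature entries: {sha256 of the signed content}-{key fingerprint}.sig
MULTI_SIG_NAME = re.compile(r"^([0-9a-f]{64})-([0-9A-Fa-f]{40})\.sig$")
# One line of `sha256sum` output: "<hex>  <path>" (or "<hex> *<path>" in binary mode)
MANIFEST_LINE = re.compile(r"^([0-9a-f]{64}) [ *](.+)$")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def discover_signatures(page):
    """Signature candidates for `page` in the lookup order of the proposal.
    Returns (kind, path) pairs: "page" = detached signature of the page itself,
    "directory" = clear-signed sha256sum manifest covering its directory."""
    page = Path(page)
    page_hash = sha256_file(page)
    found = []
    single = page.with_name(page.name + ".sig")
    if single.is_file():                               # 1. page.gmi.sig
        found.append(("page", single))
    elif single.is_dir():                              # 2. page.gmi.sig/
        for entry in sorted(single.iterdir()):
            m = MULTI_SIG_NAME.match(entry.name)
            # An entry named for an older version of the page is stale: skip it.
            if m and m.group(1) == page_hash:
                found.append(("page", entry))
    directory = page.parent
    dir_sig = directory.with_name(directory.name + ".sig")
    if dir_sig.is_file():                              # 3. directory.sig
        found.append(("directory", dir_sig))
    elif dir_sig.is_dir():                             # 4. directory.sig/
        for entry in sorted(dir_sig.iterdir()):
            if MULTI_SIG_NAME.match(entry.name):
                found.append(("directory", entry))
    return found

def clearsigned_text(path):
    """Lines of the text that `gpg --clear-sign` wrapped, with dash-escaping undone."""
    lines = Path(path).read_text().splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----") + 1
    while lines[start] != "":                          # skip the "Hash: ..." header(s)
        start += 1
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    return [l[2:] if l.startswith("- ") else l for l in lines[start + 1:end]]

def check_manifest(manifest_path, base):
    """Re-hash every file a signed `sha256sum` manifest names, relative to `base`
    (the directory the sums were run from). A valid OpenPGP signature vouches only
    for the manifest text; this step ties it to the files actually on disk."""
    report = {"ok": [], "bad": [], "missing": []}
    for line in clearsigned_text(manifest_path):
        m = MANIFEST_LINE.match(line)
        if not m:
            continue
        digest, rel = m.groups()
        target = Path(base) / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_file(target) == digest:
            report["ok"].append(rel)
        else:
            report["bad"].append(rel)
    return report

def gpg_verify(sig_path, signed_file=None):
    """The `gpg --verify` call from the post. None means gpg is not installed, so
    the caller must report "not checked" rather than "valid"."""
    if shutil.which("gpg") is None:
        return None
    cmd = ["gpg", "--batch", "--verify", str(sig_path)]
    if signed_file is not None:
        cmd.append(str(signed_file))
    return subprocess.run(cmd, capture_output=True).returncode == 0

def demo():
    """Constructed fixture (no real keys or signatures): two pages, a multi-signature
    directory with one current and one stale entry, a clear-signed manifest whose
    signature block is a placeholder, and one page altered after the manifest was made."""
    root = Path(tempfile.mkdtemp())
    d = root / "directory"
    d.mkdir()
    page, other = d / "page.gmi", d / "other.gmi"
    page.write_text("# Hello\nSigned content.\n")
    other.write_text("# Other\n")
    sigdir = d / "page.gmi.sig"
    sigdir.mkdir()
    (sigdir / f"{sha256_file(page)}-{'A' * 40}.sig").write_text("(placeholder)\n")
    (sigdir / f"{'0' * 64}-{'B' * 40}.sig").write_text("(stale placeholder)\n")
    manifest = "\n".join(f"{sha256_file(p)}  directory/{p.name}" for p in sorted(d.glob("*.gmi")))
    (root / "directory.sig").write_text(
        "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + manifest
        + "\n-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n")
    other.write_text("# Other, tampered after signing\n")
    return discover_signatures(page), check_manifest(root / "directory.sig", root)
```

`demo()` returns the discovered candidates (the current per-key signature and the directory manifest; the stale entry is dropped) and a report that marks `directory/page.gmi` as matching and `directory/other.gmi` as modified. A real client would run `gpg_verify` on each candidate before trusting the manifest, and treat `None` as "unverified", never as "valid".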