[tech] Signing Gemini capsules
nervuri at disroot.org
Thu Apr 8 16:37:16 BST 2021
On Wed, 2021-04-07, ew.gemini wrote:

>I spent some time today to retrace what you have outlined. I was
>able to create signature-bundle and extract the information from

Nice! Let me know if you had any trouble understanding the code and/or
explanation. I want it to be clear.

You ask at the end:

>However: Is it useful?

I think it's always good to be able to check that files on the server
have not been tampered with. Signing is a best practice which I'd love
to see widespread.

>So what is the reason you choose signify-openbsd?

- it produces small (ed25519) keys and signatures;
- the software is *way* less complex than GPG and closer to the Unix
philosophy. "Complexity is the worst enemy of security", the saying

Also see the text that Alexis linked to.

I may add GPG support as well, because it's more popular and can also
produce archives with embedded signatures. The downer is that gpgtar
archives are not standard, `tar -xf` doesn't work on them.

>Is there a way to link such a signify pair of keys to my gpg

Yes, you can cross-sign them. This is what I did: the GPG signature of
my signify key is published alongside both keys:

And the entire capsule (GPG key included) is signed with my signify key.

>I especially like the fact that NetSigil is a modest shell script!

I'd like to thank shellcheck for keeping me out of trouble:
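The thread talks about checking that capsule files have not been tampered with by verifying signify (ed25519) signatures. The following is an added example, not code from the post, from NetSigil or from signify itself: a standard-library-only Python verifier that parses signify-style key and signature files (first line `untrusted comment: ...`, then one base64 line decoding to `Ed`, an 8-byte key number and the key or signature bytes; with `-e` the signed message follows), refuses a signature whose key number does not match the public key, and then does the Ed25519 check in pure Python. The sample key and signature are RFC 8032 test vector 1 (an empty message) wrapped in signify framing with a made-up key number; the file layout and the helper names `parse_signify`, `verify_signify` and `signify_wrap` are this example's own assumptions.

```python
"""Verify a signify-style Ed25519 signature file (added example, stdlib only)."""
import base64
import hashlib

# --- Ed25519 verification, compact reference-style arithmetic (slow, for illustration) ---
q = 2**255 - 19
d = (-121665 * pow(121666, q - 2, q)) % q
I = pow(2, (q - 1) // 4, q)

def inv(x):
    return pow(x, q - 2, q)

def xrecover(y):
    # Recover x from y via the curve equation -x^2 + y^2 = 1 + d*x^2*y^2 (even root).
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = (x * I) % q
    if x % 2 != 0:
        x = q - x
    return x

By = (4 * inv(5)) % q
B = (xrecover(By), By)  # base point

def edwards(P, Q):
    x1, y1 = P
    x2, y2 = Q
    x3 = (x1 * y2 + x2 * y1) * inv(1 + d * x1 * x2 * y1 * y2)
    y3 = (y1 * y2 + x1 * x2) * inv(1 - d * x1 * x2 * y1 * y2)
    return (x3 % q, y3 % q)

def scalarmult(P, e):
    # Double-and-add from the most significant bit.
    Q = (0, 1)
    for i in reversed(range(e.bit_length())):
        Q = edwards(Q, Q)
        if (e >> i) & 1:
            Q = edwards(Q, P)
    return Q

def isoncurve(P):
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % q == 0

def decodepoint(s):
    # 32-byte little-endian y with the sign of x in the top bit.
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    if (x & 1) != (s[31] >> 7):
        x = q - x
    P = (x, y)
    if not isoncurve(P):
        raise ValueError("point not on curve")
    return P

def ed25519_verify(pk, sig, msg):
    """True if sig (64 bytes) is a valid Ed25519 signature of msg under pk (32 bytes)."""
    if len(pk) != 32 or len(sig) != 64:
        return False
    try:
        R = decodepoint(sig[:32])
        A = decodepoint(pk)
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    h = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little")
    return scalarmult(B, S) == edwards(R, scalarmult(A, h))

# --- signify file framing (assumed layout: comment line, base64 line, optional message) ---
def parse_signify(data):
    """Split a signify file into (comment, decoded blob, trailing embedded message)."""
    first, _, rest = data.partition(b"\n")
    if not first.startswith(b"untrusted comment: "):
        raise ValueError("missing 'untrusted comment:' line")
    b64, _, message = rest.partition(b"\n")
    return first[len(b"untrusted comment: "):], base64.b64decode(b64, validate=True), message

def verify_signify(pubkey_file, sig_file, message=None):
    """True when sig_file is a valid signature by pubkey_file over message.
    With message=None the message embedded in sig_file (signify -e) is used."""
    _, pub, _ = parse_signify(pubkey_file)
    _, sig, embedded = parse_signify(sig_file)
    if pub[:2] != b"Ed" or sig[:2] != b"Ed" or len(pub) != 42 or len(sig) != 74:
        return False
    if pub[2:10] != sig[2:10]:  # key number mismatch: signature was made with another key
        return False
    return ed25519_verify(pub[10:], sig[10:], embedded if message is None else message)

def signify_wrap(comment, blob, message=b""):
    return b"untrusted comment: " + comment + b"\n" + base64.b64encode(blob) + b"\n" + message

# Constructed sample: RFC 8032 test vector 1 (empty message) with a made-up key number.
KEYNUM = bytes.fromhex("0123456789abcdef")
PUB = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
SIG = bytes.fromhex("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
                    "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b")
SAMPLE_PUB = signify_wrap(b"signify public key", b"Ed" + KEYNUM + PUB)
SAMPLE_SIG = signify_wrap(b"verify with key.pub", b"Ed" + KEYNUM + SIG)

if __name__ == "__main__":
    print("valid:", verify_signify(SAMPLE_PUB, SAMPLE_SIG, b""))      # True
    print("tampered:", verify_signify(SAMPLE_PUB, SAMPLE_SIG, b"x"))  # False
```

The key-number check is the same cheap test signify does before any curve arithmetic: a signature made with a different key is rejected outright rather than failing the expensive verification. The arithmetic here is the textbook affine form and is far too slow and non-constant-time for anything but illustration; in practice the verification is left to `signify` itself.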