[tech] Integrity checks for Gemini pages

ew.gemini ew.gemini at nassur.net
Wed May 19 08:40:16 BST 2021


Hello almaember,

Almaember <almaember at disroot.org> writes:

> Hello, everybody!
>
> I know that there is no way in Gemini right now to check the integrity
> of pages. However, it would be nice for this to be possible.

Integrity in the sense of "the file remained unchanged in
transit"? TLS should take care of that. In the sense "the file
is the one that the original author intended it to be"?

There are at least two attempts to deal with this:

If you dare to check my capsule at
=> gemini://ew.srht.site/

There are two links to openbsd-signify and NetSigil.

When I publish a post, my Makefile takes care to create
corresponding sha256 checksums. They are concatenated into one
file, which is then signed using my gpg key. That's one option.

The same information is packaged differently to
.well-known/signature-bundle. This file is created using
openbsd-signify.

There are a few threads on the mailing list, too ...
https://lists.orbitalfox.eu/archives/gemini/2021/005550.html
https://lists.orbitalfox.eu/archives/gemini/2021/005374.html
https://lists.orbitalfox.eu/archives/gemini/2021/005331.html

Also see my first post about experimenting with this:
=> gemini://ew.srht.site/en/2020/20201217-towards-a-proper-flightlog-4.gmi


There are two parts to this, as I see it.

1.
Create the checksums/signature in some agreed upon format.
Everyone editing a capsule has to do this. While a bit tedious,
it still can be done manually on the shell (unix type
environment assumed).

2.
Upon user request browsers have to check these agreed upon
locations, download the signed file, possibly download the
public key, cache these things properly and then do the
verification. I am not aware that any gemini browsers have
picked this up. But of course, I would be pleased to be proven
wrong :)


>snip<

Hope this helps,
~ew

-- 
Keep it simple!
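
Added example, not part of the original message or of any Gemini client: a sketch of the client-side check from part 2, run against a checksum manifest like the one described in part 1. It assumes the manifest uses sha256sum(1) output format and that its signature (gpg or signify) has already been verified; `parse_manifest`, `check_page` and the sample pages are hypothetical names and constructed data.

```python
import hashlib
import hmac
import re

# One line of sha256sum(1) output: 64 hex digits, a space, a mode flag
# (' ' text or '*' binary), then the file name. Assumed manifest format.
_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_manifest(text):
    """Return {path: hex digest}; reject malformed or conflicting lines."""
    entries = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        match = _LINE.match(line)
        if match is None:
            raise ValueError(f"line {number}: not a sha256sum entry")
        digest, path = match.group(1).lower(), match.group(2)
        if entries.get(path, digest) != digest:
            raise ValueError(f"line {number}: conflicting digest for {path}")
        entries[path] = digest
    return entries


def check_page(entries, path, body):
    """Classify a fetched page body as 'ok', 'mismatch' or 'unlisted'."""
    expected = entries.get(path)
    if expected is None:
        # No entry means no statement by the author; do not report as verified.
        return "unlisted"
    actual = hashlib.sha256(body).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


# Constructed sample data: two pages and the manifest a Makefile would emit.
PAGES = {
    "index.gmi": b"# Flight log\n=> en/post.gmi A post\n",
    "en/post.gmi": b"# A post\nHello Geminispace.\n",
}
MANIFEST = "".join(
    f"{hashlib.sha256(body).hexdigest()}  {path}\n" for path, body in PAGES.items()
)

if __name__ == "__main__":
    entries = parse_manifest(MANIFEST)
    print(check_page(entries, "index.gmi", PAGES["index.gmi"]))         # ok
    print(check_page(entries, "index.gmi", PAGES["index.gmi"] + b"x"))  # mismatch
    print(check_page(entries, "about.gmi", b"# About\n"))                # unlisted
```

A page that is missing from the manifest is reported separately from a mismatch, so a client can show "not covered by the signature" rather than silently treating it as verified.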