-- Leo's gemini proxy

-- Connecting to ew.srht.site:1965...

-- Connected

-- Sending request

-- Meta line: 20 text/gemini

2020-12-17

Towards a proper FlightLog 4 -- Experiment with gpg-Signatures

tags: flightlog gnupg


I wrote:


> More things to contemplate:

> * Add a public key and a signed checksums file to indirectly sign the content.


Clearsigning a .gmi file


While this is definitely not needed for gemini space to operate, would it be possible to somehow /sign/ gemini files and thus document authorship? Would that be useful or worthwhile?


small test input file


Clear signing with gpg and serving that file directly?


  gpg --clear-sign test.gmi
  mv test.gmi.asc test-signed.gmi

small test input file, signed


The resulting file index.gmi.asc can be served, however it does look odd. Moreover clearsigning adds 19 lines and 882 Byte to this particular file. My posts so far average a little below 1500 byte. So adding more than half of that to each post seems wasteful. /Minimal Art/ looks different.


Clearsigning a generated checksums file?


Now I could try this differently: How about creating a checksums file and signing that?


  ( cd posts && ../bin/gem-checksum.sh \
             && gpg --clear-sign --default-key 8EFF13A1E073FAAE ew.flightlog.sha512sums \
             && cp ew.flightlog.sha512sums.asc ew.flightlog.sha512sums-signed.gmi )

/file/20201217-ew.flightlog.sha512sums-signed.gmi


The larger the checksums file, the less the additional size of the signature relatively speaking.


What else would I need to supply?


The fingerprint of this key-pair

17F4 E142 922D 14E1 05C1 FE60 C678 A449 4471 20FA


The public portion of this key-pair

/en/ew.gemini.asc


Somehow make the .asc files wrapped as .gmi or otherwise made more visible?


So, imho, yes, this can be done.

However: Is it useful?


Home

-- Response ended

-- Page fetched on Wed Oct 20 19:36:21 2021