[tech] Signing Gemini capsules

[nervuri]

On Wed, 2021-04-07, ew.gemini wrote:
>I spent some time today to retrace what you have outlined. I was
>able to create signature-bundle and extract the information from
>it again.

Nice!  Let me know if you had any trouble understanding the code and/or
explanation.  I want it to be clear.

>=> gemini://gemini.circumlunar.space/~ew/2020/20201217-towards-a-proper-flightlog-4.gmi

You ask at the end:

>However: Is it useful?

I think it's always good to be able to check that files on the server
have not been tampered with.  Signing is a best practice which I'd love
to see widespred.

>So what is the reason you choose signify-openbsd?

- it produces small (ed25519) keys and signatures;
- the software is *way* less complex than GPG and closer to the Unix
  philosophy.  "Complexity is the worst enemy of security", the saying
  goes.

Also see the text that Alexis linked to.

I may add GPG support as well, because it's more popular and can also
produce archives with embedded signatures.  The downer is that gpgtar
archives are not standard, `tar -xf` doesn't work on them.

>Is there a way to link such a signify pair of keys to my gpg
>key?

Yes, you can cross-sign them.  This is what I did: the GPG signature of
my signify key is published alongside both keys:

gemini://rawtext.club/~nervuri/keys/

And the entire capsule (GPG key included) is signed with my signify key.

>I especially like the fact that NetSigil is a modest shell script!

I'd like to thank shellcheck for keeping me out of trouble:
https://www.shellcheck.net/