2020-12-17

Towards a proper FlightLog 4 -- Experiment with gpg-Signatures

#flightlog

I wrote:

More things to contemplate:

* Add a public key and a signed checksums file to indirectly sign the content.

Clearsigning a .gmi file

While this is definitely not needed for gemini space to operate, would it be possible to somehow /sign/ gemini files and thus document authorship? Would that be useful or worthwhile?

small test input file

Clear signing with gpg and serving that file directly?

  gpg --clear-sign test.gmi
  mv test.gmi.asc test-signed.gmi

small test input file, signed

The resulting file index.gmi.asc can be served, however it does look odd. Moreover clearsigning adds 19 lines and 882 Byte to this particular file. My posts so far average a little below 1500 byte. So adding more than half of that to each post seems wasteful. /Minimal Art/ looks different.

Clearsigning a generated checksums file?

Now I could try this differently: How about creating a checksums file and signing that?

  ( cd posts && ../bin/gem-checksum.sh \
             && gpg --clear-sign --default-key 8EFF13A1E073FAAE ew.flightlog.sha512sums \
             && cp ew.flightlog.sha512sums.asc ew.flightlog.sha512sums-signed.gmi )

/file/20201217-ew.flightlog.sha512sums-signed.gmi

The larger the checksums file, the less the additional size of the signature relatively speaking.

What else would I need to supply?

• The fingerprint of this key-pair

17F4 E142 922D 14E1 05C1 FE60 C678 A449 4471 20FA

• The public portion of this key-pair

/en/ew.gemini.asc

• Somehow make the .asc files wrapped as .gmi or otherwise made more visible?

So, imho, yes, this can be done.

However: Is it useful?

Home