# <cravodeabril.pt>

# Signing and verifying blog posts (incomplete)

Posts don't have to be signed.

These steps assume you have the repo cloned.

1. Write a blog post in [`./src/content/blog/`][blog dir] using the
   [`TEMPLATE`][blog template] in that directory: duplicate it and rename it to
   the slug that will appear in the URL (keep slugs to ASCII lowercase letters,
   numbers and hyphens only) plus the `.md` extension for markdown:

       cp ./src/content/blog/TEMPLATE ./src/content/blog/<slug>.md

2. Write the blog post. Additionally, you will have to fill in the
   _frontmatter_. Lines commented out with `#` in the _frontmatter_ are
   optional, but it is a good idea to fill in some of them, namely:

   - `signer.name` - Can be used to find your public key on a keyserver, for
     example;
   - `signer.email` - Can be used to find your public key on a keyserver, or
     from a signed e-mail that the reader might have received;
   - `signer.website[]` - Can be used to get your public key from the website's
     certificate (assuming it uses TLS), from your GitHub profile, from
     <https://keybase.io/>, or by reading the DNS records if the website uses
     the WKD protocol. Mainly intended for signature statements;
   - `signer.publickey.armor` - Your public key in ASCII armor format so that
     readers can import it;
   - `signer.publickey.url` - URL of your public key, for readers to download
     and import it;
   - `signer.publickey.keyID` - Your key ID, which can be used to find your
     public key on a keyserver, for example;
   - `signer.publickey.fingerprint` - Your public key fingerprint;
   - `signer.publickey.keyserver[]` - Keyservers where your public key can be
     found.

   The _frontmatter_ is written in either [TOML or YAML format][md in astro].

3. Sign the blog post with OpenPGP, creating a detached signature in the same
   directory as the blog `.md` file, with the file extension `.sig` for a
   binary signature or `.asc` for an ASCII-armored one:

       gpg -b ./src/content/blog/<slug>.md

   Prefer [these][web crypto algs] algorithms.

4. Commit the new blog post plus the signature.

5. The `.md` blog post file, its signature, and your public key are now
   available to the website's readers. They can download them, import the key
   (any of the following ways works) and verify the signature themselves:

       gpg --import publickey.asc
       gpg --search-keys <name>
       gpg --recv-keys 0x<keyID>
       gpg --auto-key-locate wkd,keyserver --locate-keys <name>

       gpg --verify ./src/content/blog/<slug>.md.sig ./src/content/blog/<slug>.md

   The UI will show all the `signer` information from the _frontmatter_, the
   commit that added the signature together with that commit's own signature,
   a QR code for the public key, an option to download everything as an
   archive, and a label based on the following:

   - good: signed + verified signature + trusted key
   - warning: signed + verified signature + untrusted key
   - warning: signed + verified signature + key revoked, with the revocation
     time after the signature time (the signature may still have been
     backdated, so this is only a warning)
   - error: signed + verified signature + key revoked, with the revocation
     time before the signature time (the date of revocation is shown)
   - error: signed + unverifiable
   - warning: signed + key not recognized
   - error: unsigned
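
The following Python script is an added example and is not part of this repository. It ties two of the steps above together: it validates the slug from step 1 and the `signer.publickey` fields from step 2 (a key ID that does not match the fingerprint would send readers to two different keys), and it turns the machine-readable output of the step 5 verify command (`gpg --status-fd 1 --verify ...`) into the label table. The frontmatter is assumed to be already parsed into a dict (with `tomllib` or a YAML library), and the key's revocation time is assumed to be looked up separately from the key listing, since gpg's status lines do not carry it; the status lines used as input are constructed samples, not captured output.

```python
"""Sanity checks for a signed post: frontmatter signer fields and the
verification label derived from gpg's --status-fd output (added example)."""
import re

HEX = "[0-9A-Fa-f]"
FPR_RE = re.compile(f"^{HEX}{{40}}$")                      # v4 fingerprint, 160 bits
KEYID_RE = re.compile(f"^(0x)?({HEX}{{8}}|{HEX}{{16}})$")  # short or long key ID
SLUG_RE = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")           # ascii lowercase, digits, hyphens


def check_signer(slug, signer):
    """Return a list of problems found in the slug and the parsed `signer` table."""
    problems = []
    if not SLUG_RE.match(slug):
        problems.append(f"slug {slug!r}: only a-z, 0-9 and hyphens are allowed")
    pk = signer.get("publickey", {})
    fpr = pk.get("fingerprint", "").replace(" ", "")
    keyid = pk.get("keyID", "")
    if fpr and not FPR_RE.match(fpr):
        problems.append("fingerprint is not 40 hex digits")
    if keyid and not KEYID_RE.match(keyid):
        problems.append("keyID is not 8 or 16 hex digits")
    # A v4 key ID is the low-order bits of the fingerprint; if the two fields
    # disagree, the frontmatter points readers at two different keys.
    if FPR_RE.match(fpr) and KEYID_RE.match(keyid):
        kid = keyid[2:] if keyid.lower().startswith("0x") else keyid
        if not fpr.lower().endswith(kid.lower()):
            problems.append("keyID does not match the tail of the fingerprint")
    return problems


# Status lines as written by `gpg --status-fd 1 --verify <slug>.md.sig <slug>.md`.
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")
TRUSTED = ("TRUST_FULLY", "TRUST_ULTIMATE")


def parse_status(text):
    """Map each status keyword to its whitespace-split arguments."""
    status = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            status[m.group(1)] = (m.group(2) or "").split()
    return status


def label(status, revoked_at=None, signed=True):
    """Return (label, reason) following the README's table.

    `revoked_at` is the key's revocation time as a Unix timestamp, obtained
    from the key listing (assumed to happen elsewhere); None means unknown."""
    if not signed:
        return ("error", "unsigned")
    if "NO_PUBKEY" in status:                      # gpg emits ERRSIG alongside this
        return ("warning", "signed, key not recognized")
    if "VALIDSIG" not in status:                   # BADSIG, ERRSIG or nothing usable
        return ("error", "signed, unverifiable")
    # VALIDSIG arguments: fpr, date, unix timestamp, expiry, version, ...
    sig_ts = int(status["VALIDSIG"][2])
    if "REVKEYSIG" in status or "KEYREVOKED" in status:
        if revoked_at is None or sig_ts >= revoked_at:
            return ("error", f"key revoked at {revoked_at}, signature is not older")
        # The signature predates the revocation, but its timestamp is chosen by
        # whoever held the key and can be backdated, so it only earns a warning.
        return ("warning", f"key revoked at {revoked_at}, signature dated before it")
    if any(k in status for k in TRUSTED):
        return ("good", "verified, trusted key")
    return ("warning", "verified, untrusted key")


# Constructed sample status output (key and signer are fictitious).
SAMPLE_FPR = "FEDCBA98765432100123456789ABCDEF01234567"
SAMPLE_GOOD = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG {SAMPLE_FPR} 2024-04-25 1714003200 0 4 0 22 8 00 {SAMPLE_FPR}
[GNUPG:] TRUST_FULLY 0 pgp
"""
SAMPLE_REVOKED = f"""[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG {SAMPLE_FPR} 2024-04-25 1714003200 0 4 0 22 8 00 {SAMPLE_FPR}
[GNUPG:] KEYREVOKED
"""

if __name__ == "__main__":
    signer = {"publickey": {"fingerprint": SAMPLE_FPR, "keyID": "0x89ABCDEF01234567"}}
    print(check_signer("hello-world-2", signer))          # []
    print(label(parse_status(SAMPLE_GOOD)))               # ('good', 'verified, trusted key')
    print(label(parse_status(SAMPLE_REVOKED), revoked_at=1714521600))  # warning: revoked 2024-05-01
```

The revoked branch is deliberately conservative: when the revocation time is unknown it reports an error rather than guessing, and a signature dated before the revocation never gets better than a warning, because the signature timestamp is under the signer's control.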

[blog dir]: /src/content/blog "Blogs directory"
[blog template]: /src/content/blog/TEMPLATE "Blog Markdown template"
[web crypto algs]: https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/sign#algorithm "Supported signing algorithms by the Web Crypto API"
[md in astro]: https://docs.astro.build/en/guides/markdown-content/#importing-markdown "Importing Markdown in Astro"