AltSci Concepts

Computer Journal

Website Signature Verifier
by Joel R. Voss aka. Javantea
Nov 13, 2005

Site Sign 0.3 Source [sig]


Sends an e-mail when your site has a cryptographic error. This is useful for detecting changes, intrusions, and mistakes. There are three levels of testing:

Level 1: Check that remote page concurs with remote signature.
Level 1 ensures that someone has signed the file with a key that we have in our public keyring. Level 1 ensures that if your page is changed, it is because of an intended change and has been signed by the developer. Level 1 is not a perfect guarantee of security since an attacker who is in your public keyring could sign it with their key and Level 1 would pass.

Level 2: Check that the remote page has been signed with the correct key.
Level 2 fills the hole that Level 1 leaves: it ensures that the key ID of the signature is the same as the one you expect. If an attacker has the same key ID as you (unlikely), then Level 2 will be attackable.

Level 3: Check that the remote page has been signed with the local key.
Level 3 fills the gap that Levels 1 and 2 leave: it ensures that the page has not changed since we updated the local signature. This is more involved than the other levels because it requires you to update the remote server with the signature every time you update the page.
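
The three levels can be written as checks on the status lines that GnuPG prints with --status-fd. This script is an added example, not site_sign.sh or the author's code; the function names, the remote signature living at the page URL plus ".asc", and the 16-digit minimum for KEY are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not site_sign.sh. Names and the "$URL.asc" layout are assumptions.

# Verify a detached signature and print gpg's machine-readable status lines.
gpg_status() {  # $1 = signature file, $2 = signed file
  gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null
}

# Level 1: a key in our public keyring made a good signature.
level1() {  # $1 = status text
  printf '%s\n' "$1" |
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG" { ok = 1 } END { exit(ok ? 0 : 1) }'
}

# Level 2: Level 1, and KEY is a suffix of the signing-key or primary-key
# fingerprint in VALIDSIG. IDs shorter than 16 hex digits are refused.
level2() {  # $1 = status text, $2 = KEY
  key=$(printf '%s' "$2" | tr 'a-f' 'A-F')
  case "$key" in ''|*[!0-9A-F]*) return 1 ;; esac
  [ "${#key}" -ge 16 ] || return 1
  level1 "$1" || return 1
  printf '%s\n' "$1" | awk -v k="$key" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
      n = length(k)
      if (substr($3, length($3) - n + 1) == k) ok = 1
      if (substr($NF, length($NF) - n + 1) == k) ok = 1
    }
    END { exit(ok ? 0 : 1) }'
}

# Highest level passed (0-3). Level 3 checks the same downloaded page against
# the signature kept locally, so a change made after that signing is noticed.
highest_level() {  # $1 = status for remote sig, $2 = status for local sig, $3 = KEY
  level1 "$1" || { echo 0; return; }
  level2 "$1" "$3" || { echo 1; return; }
  level2 "$2" "$3" || { echo 2; return; }
  echo 3
}

check_site() {  # $1 = page URL, $2 = KEY, $3 = local signature file
  dir=$(mktemp -d) || return 1
  curl -fsS -o "$dir/page" "$1" && curl -fsS -o "$dir/sig" "$1.asc" &&
    highest_level "$(gpg_status "$dir/sig" "$dir/page")" \
                  "$(gpg_status "$3" "$dir/page")" "$2"
  rc=$?; rm -rf "$dir"; return "$rc"
}

if [ "$#" -eq 3 ]; then check_site "$@"; fi
```

Run with the page URL, KEY and the local signature file as arguments; it prints the highest level passed, and anything below 3 is the condition to send the e-mail on.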


This program requires Bash, GnuPG, Curl, and Mail. If you get errors saying that -a doesn't exist, you're probably not using bash. Call site_sign.sh with bash explicitly to get around this problem.


gen_index_sig1.sh is the script that generates the signature for the index file. It is terrifically simple:
gpg -a -b index.html
This creates a detached signature: index.html.asc
To pass Level 3, you need to run:

scp index.html.asc $REMOTE_SERVER:$TESTDIR/index.html.asc.local

Before it works you need to get the public key in your keyring. If you're using the example of altsci.com, simply import jvoss.asc like this: gpg --import jvoss.asc

You will _definitely_ need to edit the first 5 variables in site_sign.sh:

# TESTDIR is the directory to do the testing.
# You need write access.

# FILE is the remote file that you wish to test.

# SITE is the server that you wish to test.

# KEY is the Key ID that you wish to ensure in Level 2.

# EMAIL is the address that you wish to send an 
# e-mail to when a compromise has been found.

If you're using this for your own server, you'll need to use a key from your own server. You need to export the public key and copy it to the destination server.

# Export the key.
gpg -a --export $KEY > key.asc

# Copy the key to the remote server (the trailing colon makes scp
# treat the argument as a remote host rather than a local file name).
scp key.asc $REMOTE_SERVER:

# SSH into the remote server.

# Import the key.
gpg --import key.asc

If you are interested in developing Website Signature Verifier, feel free to e-mail me.

Modded: 0
by NjSZuHkGRQzW on 06/26/11
I wanted to spend a minute to thank you for this.
Modded: 0
by mLAuqqmSgmi on 08/09/11
I'm impressed! You've managed the almost impossible.
Modded: 0
by TepcEwhbHoI on 08/09/11
Holy Toledo, so glad I clicked on this site first!
Modded: 0
by CQMpnFDWekxZhnbBchG on 08/09/11
That's way the bestest answer so far!
Modded: 0
by wJPUSkAQNn on 08/09/11
This is way more helpful than anything else I've looked at.
Modded: 0
by fHXVYwwdublFXa on 08/09/11
Dude, right on there brother.
Modded: 0
by NGxeqdbZHDJpWxYzioN on 08/09/11
Now that's subtle! Great to hear from you.
Modded: 0
by ZvGTxHTJZOFFziWM on 08/10/11
No more s***. All posts of this quality from now on
Modded: 0
by ubsYwDzuqbUhEE on 08/10/11
Your article perfectly shows what I needed to know, thanks!
Modded: 0
by AoWuCAEYBAtWXm on 08/10/11
I'm really into it, thanks for this great stuff!
Modded: 0
by IYnMbiGYETqqmLjLn on 08/10/11
Posts like this brighten up my day. Thanks for taking the time.
Modded: 0
by wYtKZMPg on 08/10/11
Thanky Thanky for all this good information!
Modded: 0
by thetTUWCB on 01/03/12
That takes us up to the next level. Great posting.
Modded: 0
by ItpwnZAdwiHe on 01/03/12
It's always a pleasure to hear from someone with expertise.
Modded: 0
by URBUBitgIMagnGxs on 01/03/12
Haha, shouldn't you be charging for that kind of knowledge?!
Modded: 0
by oywSOGLEvqt on 01/04/12
Thanks for contributing. It's helped me understand the issues.
Modded: 0
by HlGKGOJOnkpERTFrUGO on 07/21/12
ohai TheSkorm. I'd rather shit a brick than deal with your nasty gpg key. Kthxbai. Can haz irc. But seriously, I haven't seen you on much, and I'm on when it's 22:00-06:00 hours a lot so you have no excuse bub. Run spell check on your posts, it's bare not bear, unless you're into stuffed animals and are 6, then get with the program, you dolt!
Modded: 0
by ODcxwUTLw on 07/22/12
If you check out Dropbox’s Linux download page, you will see that Debian packages are provided. Up to a few days ago, they only provided packages for Ubuntu and Fedora. Read more here