Signing decentralized websites

cqcallaw cqcallaw at
Fri Nov 20 20:13:22 CET 2020

Hi all,

I want to sign my decentralized website, hosted on IPFS + Ethereum Name Service (ENS). PGP detached signatures for every published file seems to be the correct solution. Inline signatures would make validation of HTML documents difficult and binary files would become invalid. Signing the root IPFS CID might work, but would require substantial updates to ENS or an external Ethereum smart contract. Signing a subset of files isn't enough, because corrupted or inauthentic unsigned files could be bundled together with the signed subset and published as authentic.

Assuming folks agree with this analysis, I have two additional questions:

1) What's the best way to sign multiple files in parallel? I have 16 CPU threads and would like to take advantage of these (mostly idle) threads to speed up the signing process. GNU parallel and Python's multiprocessing module are behaving oddly, though; when they run gpg in parallel, I'm prompted for my PGP key's password multiple times. I'm running gpg-agent, so I'd expect to be prompted for my password only once. I also observe intermittent memory allocation errors. The --lock-once and --lock-multiple CLI options don't seem to change the behavior. Is there some implementation issue with running multiple gpg signing operations in parallel?

2) Are there any tools to verify detached signatures in the browser? As a user, I'd like my browser to check for a signature file and verify any discovered signatures with any available trusted keys. If a trusted key isn't found, I'd like my browser to check for a pubkey in some known location (e.g. <root cid="">/pubkey.asc) and allow me to trust the bundled pubkey if I so desire. I'd expect browser security considerations to necessitate a separate key store for keys used in the browser, but that's an acceptable solution for me if a key import workflow exists. Does anything like this exist?


More information about the Gnupg-users mailing list