Signing Webpages with GnuPG
Inspired by this old post from Rob Smith,
I have started making some changes to the blog. All of the pages are now signed
using my GPG key, and can be verified by running
curl https://www.brianlane.com/ | gpg --verify
on the page.
Rob did this by adding a plugin to Jekyll, but I’m using the Pelican static blog
system for these pages, and as far as I can tell Pelican’s plugin support has no
way to make sure your plugin is the final one being executed. It ends up being
simpler to just run a bash script on all of the HTML pages using
find ./output/ -name '*.html' -exec ./sign_page {} \;
The script looks like this:
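#!/usr/bin/bash
## Yes, I'm using bash. It's easier.
# Usage: sign_page <file.html>   (variables are quoted so paths with spaces work)
echo "GPG Signing $1"
# Add the comments so they get signed: the signed text starts with "-->"
# (closing the comment that hides the PGP header) and ends with "<!--"
# (opening the comment that hides the signature block).
printf "\n-->\n" > "$1.tmp"
cat "$1" >> "$1.tmp"
printf "\n<!--\n" >> "$1.tmp"
# Writes the clearsigned, ASCII-armored result to $1.tmp.asc
gpg2 -a --clearsign "$1.tmp" || exit 1
# Add the rest of the comments, outside the signature
printf "\n<!--\n" > "$1"
cat "$1.tmp.asc" >> "$1"
printf "\n-->\n" >> "$1"
rm "$1.tmp"
rm "$1.tmp.asc"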
Make sure you have gpg-agent installed and running so that you only have to unlock your gpg key once for all of the output files, instead of for every one.
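As the gpg manual notes, verifying a cleartext signature covers only the signed text, not anything outside the armor or in the armor header lines. The following is an added example, not part of the original post, that checks a saved page has nothing outside the signed block except the comment wrappers sign_page writes, and prints the text the signature covers. The function names check_signed_page and signed_text are hypothetical, and the header and armor rules assume the default output of gpg2 -a --clearsign.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# check_signed_page FILE
# Succeeds only if FILE holds exactly one clearsigned block and every line the
# signature does NOT cover is blank, a wrapper comment line, or plain armor.
check_signed_page() {
    awk '
        { sub(/\r$/, "") }
        state == 0 && $0 == "-----BEGIN PGP SIGNED MESSAGE-----" { state = 1; next }
        state == 1 && $0 == ""                                   { state = 2; next }
        state == 2 && $0 == "-----BEGIN PGP SIGNATURE-----"      { state = 3; next }
        state == 3 && $0 == "-----END PGP SIGNATURE-----"        { state = 4; next }
        state == 2 { next }                                  # covered by the signature
        state == 0 && ($0 == "" || $0 == "<!--") { next }    # wrapper before the block
        state == 1 && $0 ~ /^Hash: [A-Za-z0-9, ]+$/ { next } # clearsign header
        state == 3 && $0 !~ /[<>]/ { next }                  # armor must hold no markup
        state == 4 && ($0 == "" || $0 == "-->") { next }     # wrapper after the block
        { printf "line %d is outside the signature: %s\n", NR, $0 > "/dev/stderr"; bad = 1 }
        END { exit (bad || state != 4) ? 1 : 0 }
    ' "$1"
}

# signed_text FILE
# Prints the text the signature covers: armor headers dropped and the "- "
# dash-escaping that clearsign adds to lines starting with "-" undone.
signed_text() {
    awk '
        { sub(/\r$/, "") }
        state == 0 { if ($0 == "-----BEGIN PGP SIGNED MESSAGE-----") state = 1; next }
        state == 1 { if ($0 == "") state = 2; next }
        $0 == "-----BEGIN PGP SIGNATURE-----" { exit }
        { sub(/^- /, ""); print }
    ' "$1"
}

# When run with a file argument: check the layout, then show the signed text.
[ "$#" -eq 0 ] || { check_signed_page "$1" && signed_text "$1"; }
```

Run it on the same saved copy of the page that gpg --verify accepted; a good signature together with a passing check means the whole rendered page is the signed text.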