Signing Webpages with GnuPG

Inspired by this old post from Rob Smith, I have started making some changes to the blog. All of the pages are now signed using my GPG key, and any page can be verified by running curl https://www.brianlane.com/ | gpg --verify

Rob did this by adding a plugin to Jekyll, but I’m using the Pelican static blog system for these pages, and as far as I can tell Pelican’s plugin support has no way to make sure your plugin is the final one being executed. It ends up being simpler to just run a bash script on all of the HTML pages using find ./output/ -name '*.html' -exec ./sign_page {} \;

The script looks like this:

#!/usr/bin/bash
## Yes, I'm using bash. It's easier.
echo "GPG Signing $1"
# Add the comments so they get signed
# (paths are quoted so filenames with spaces or glob characters are handled)
printf "\n-->\n" > "$1.tmp"
cat "$1" >> "$1.tmp"
printf "\n<!--\n" >> "$1.tmp"
gpg2 -a --clearsign "$1.tmp" || exit 1
# Add the rest of the comments, outside the signature
printf "\n<!--\n" > "$1"
cat "$1.tmp.asc" >> "$1"
printf "\n-->\n" >> "$1"
rm "$1.tmp"
rm "$1.tmp.asc"

Make sure you have gpg-agent installed and running so that you only have to unlock your GPG key once for all of the output files, instead of once for every file.
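A clearsign signature covers only the text between the armor lines, so the outer comment delimiters the script writes are unsigned. The check below is an added example, not part of the original post or its script: it lists any line outside the signed block that is not one of those delimiters. The names unsigned_lines and sample_page are hypothetical, and the sample page is constructed with a placeholder in place of a real signature.

```shell
#!/usr/bin/bash
# Added example. List lines of a signed page that sit outside the clearsign
# block and are not the comment delimiters sign_page writes there.
# Exit status: 0 clean, 1 unsigned text found, 2 no complete clearsign block.
unsigned_lines() {          # hypothetical name; reads FILE arguments or stdin
    awk '
        { sub(/\r$/, "") }  # tolerate CRLF line endings
        state == 0 && $0 == "-----BEGIN PGP SIGNED MESSAGE-----" { state = 1; next }
        state == 1 && $0 == "-----BEGIN PGP SIGNATURE-----"      { state = 2; next }
        state == 2 && $0 == "-----END PGP SIGNATURE-----"        { state = 3; next }
        state == 1 || state == 2   { next }  # signed text or signature armor
        $0 == ""                   { next }  # blank padding written by printf
        state == 0 && $0 == "<!--" { next }  # opening comment before the block
        state == 3 && $0 == "-->"  { next }  # closing comment after the block
        { printf "%d: %s\n", NR, $0; bad = 1 }
        END { if (state != 3) exit 2; exit bad + 0 }
    ' "$@"
}

# Constructed sample in the layout sign_page produces. PLACEHOLDER stands in
# for the signature body; this is not a real signature. The signed "-->" line
# appears dash-escaped as "- -->", as clearsign does for lines starting with "-".
sample_page() {
    printf '%s\n' '' '<!--' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' \
        '' '' '- -->' '<html><body>post</body></html>' '' '<!--' \
        '-----BEGIN PGP SIGNATURE-----' '' 'PLACEHOLDER' \
        '-----END PGP SIGNATURE-----' '' '-->'
}

# Demo: the expected layout is clean; a line appended after the signature
# is reported with its line number.
sample_page | unsigned_lines && echo "clean: only comment delimiters outside the block"
{ sample_page; echo '<p>unsigned banner</p>'; } | unsigned_lines \
    || echo "^ not covered by the signature"
```

Run it alongside gpg --verify, for example unsigned_lines page.html on a saved copy of the page; it checks layout only and does not validate the signature itself.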