As can be seen here, this site now has a Zeronet mirror. In the process of creating the mirror, I figured it would be nice to sign the site (content.json) on a separate vault VM in Qubes OS so that the chances of the private key leaking are minimized. However, there did not seem to be any articles about achieving such a thing at the time. As such, I will document my method in the following article.
- Create a (vault) VM and install Zeronet on it
The official instructions are here. It is recommended, however, that you use git clone https://github.com/HelloZeroNet/ZeroNet.git to clone the repo and verify the signatures before running.
To verify the signature of the repo:
cd ZeroNet/
# Fetch the key; the hex string is the public key's fingerprint at the time of writing
gpg --recv-keys 960FFF2D6C145AA613E8491B5B63BAE6CB9613AE
# Get the latest commit (full hash of HEAD)
COMMIT=$(git rev-parse HEAD)
# Verify the signature
git verify-commit "$COMMIT"
# If the command above outputs "Good signature", check out the commit
git checkout "$COMMIT"
- Cut off Internet access to the VM (i.e. set firewallVm to none)
- Create a key pair
# Remember to save the private key somewhere safe
./zeronet.py siteCreate
- Modify the site
Copy the files to data/[YOUR-PUBLIC-KEY].
- Sign the site
# This will ask for your private key
./zeronet.py siteSign [YOUR-PUBLIC-KEY]
- Install Zeronet on another VM (You may have to have your port opened. Link and link)
- Copy your site directory (data/[YOUR-PUBLIC-KEY]) from the vault to the same directory on the Internet-connected VM
- Publish the site
./zeronet.py sitePublish [YOUR-PUBLIC-KEY]
And you’re finished. In theory, it should be possible to use qrexec and create something similar to split GPG in order to make the process simpler, and that is definitely something I should look into.
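The signature check from the first step, tightened as an added example (not part of the original post): git verify-commit accepts a good signature from any key in the keyring, so this script also compares the signer's fingerprint with the one quoted above before checking out. The function names and the constructed sample status lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# PINNED is the key fingerprint quoted in the article.
PINNED=960FFF2D6C145AA613E8491B5B63BAE6CB9613AE

# Read raw GnuPG status lines on stdin. Succeed only if a VALIDSIG line
# names the wanted fingerprint as the signing key (field 3) or as the
# primary key (last field, which differs when a subkey signed).
# The "" concatenation forces string comparison of the hex values.
signed_by_pinned() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (($3 "") == (want "") || ($NF "") == (want "")) { ok = 1 }
        END { exit !ok }'
}

# Verify HEAD of the repository in $1; check it out only if the
# signature is valid AND was made by the pinned key.
verify_and_checkout() {
    repo=$1
    commit=$(git -C "$repo" rev-parse HEAD) || return 1
    # --raw makes git print the GnuPG status lines on stderr
    status=$(git -C "$repo" verify-commit --raw "$commit" 2>&1) || {
        echo "signature verification failed for $commit" >&2
        return 1
    }
    printf '%s\n' "$status" | signed_by_pinned "$PINNED" || {
        echo "commit $commit is signed, but not by $PINNED" >&2
        return 1
    }
    git -C "$repo" checkout --quiet "$commit"
}

# Constructed sample status lines, for illustration only
SAMPLE_OK="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 5B63BAE6CB9613AE Example Signer
[GNUPG:] VALIDSIG $PINNED 2018-01-01 1514764800 0 4 0 1 8 00 $PINNED"
SAMPLE_OTHER="[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2018-01-01 1514764800 0 4 0 1 8 00 0000000000000000000000000000000000000000"

# Usage: sh verify.sh ZeroNet   (does nothing when run without arguments)
if [ "$#" -gt 0 ]; then
    verify_and_checkout "$1"
fi
```

A key that is merely present in the keyring produces the same "Good signature" text, which is why the comparison is done on the VALIDSIG fingerprint rather than on the human-readable output.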