As can be seen here, this site now has a Zeronet mirror. In the process of creating the mirror, I figured it would be nice to sign the site (content.json) on a separate vault VM in Qubes OS so that the chance of the private key leaking is minimized. However, there did not seem to be any articles about achieving such a thing at the time. As such, I will document my method in the following article.

  1. Create a (vault) VM and install Zeronet on it
    The official instructions are here. It is recommended, however, that you use git clone to clone the repo and verify the signatures before running.
    To verify the signature of the repo:
    cd ZeroNet/
    # Fetch the signing key; the hex string is its fingerprint at the time of writing
    gpg --recv-keys 960FFF2D6C145AA613E8491B5B63BAE6CB9613AE
    # Get the latest commit
    COMMIT=$(git rev-parse HEAD)
    # Verify the signature
    git verify-commit "$COMMIT"
    # If the command above outputs "Good signature", check out the commit
    git checkout "$COMMIT"
  2. Cut off Internet access to the VM (i.e. set firewallVm to none)
  3. Create a key pair
    # Remember to save the private key somewhere safe
    ./zeronet.py siteCreate
  4. Modify the site
    Copy the files to data/[YOUR-PUBLIC-KEY].
  5. Sign the site
    # This will ask for your private key
    ./zeronet.py siteSign [YOUR-PUBLIC-KEY]
  6. Install Zeronet on another VM (you may need to open a port for it)
  7. Copy your site directory (data/[YOUR-PUBLIC-KEY]) from the vault to the same directory on the Internet-connected VM
  8. Publish the site
    ./zeronet.py sitePublish [YOUR-PUBLIC-KEY]

And you’re finished. In theory, it should be possible to use qrexec and create something similar to split GPG in order to make the process simpler, and it is definitely something I should look into.
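
Step 1 treats a "Good signature" line as sufficient, but GnuPG prints that for a valid signature from any key in the keyring. The shell functions below are an added example, not part of the original article or of ZeroNet: they pin the signer to the fingerprint given in step 1 by parsing the status lines of `git verify-commit --raw`. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a commit only if it was signed by one pinned key.
PINNED_FPR=960FFF2D6C145AA613E8491B5B63BAE6CB9613AE  # fingerprint from step 1

# signer_is_pinned STATUS FPR
# STATUS is GnuPG machine-readable status text. Succeeds only when a VALIDSIG
# line names FPR as the signing key (field 3) or as the primary key (last
# field, set when a subkey signed) and no bad/expired/revoked result is seen.
signer_is_pinned() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { w = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == w || toupper($NF) == w) { ok = 1 }
        END { exit !(ok && !bad) }'
}

# verify_commit REV: run inside the clone. With --raw, git writes the status
# text to stderr, so stderr is captured and stdout is discarded.
verify_commit() {
    status=$(git verify-commit --raw "$1" 2>&1 >/dev/null) || return 1
    signer_is_pinned "$status" "$PINNED_FPR"
}

# Constructed status lines for offline checks (not captured from a real run).
SAMPLE_GOOD="[GNUPG:] GOODSIG 5B63BAE6CB9613AE Constructed Signer
[GNUPG:] VALIDSIG $PINNED_FPR 2018-01-01 1514764800 0 4 0 1 8 00 $PINNED_FPR"
# A signing subkey (constructed fingerprint) under the pinned primary key.
SAMPLE_SUBKEY="[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2018-01-01 1514764800 0 4 0 1 8 00 $PINNED_FPR"
# A valid signature, but from a different (constructed) key in the keyring.
SAMPLE_OTHER="[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Someone Else
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2018-01-01 1514764800 0 4 0 1 8 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

# Usage inside the clone: verify_commit HEAD && echo "signed by the pinned key"
```

`SAMPLE_OTHER` is the case the plain "Good signature" check lets through: the signature is valid, but the key is not the pinned one.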