Verify Saltire Signal pages

Saltire Signal publishes detached signatures so readers, archives and aggregators can check that a page came from saltiresignal.co.uk and has not been altered after publication.

One-command check

From this repository, run:

node scripts/verify-page.mjs https://saltiresignal.co.uk/

OpenSSH check

The public key is at /.well-known/saltire-signal.pub. OpenSSH verifies against an allowed-signers file, so create one line with the identity and key:

curl -fsS https://saltiresignal.co.uk/ -o page.html
curl -fsS https://saltiresignal.co.uk/index.html.sig -o page.html.sig
curl -fsS https://saltiresignal.co.uk/.well-known/saltire-signal.pub -o saltire-signal.pub
printf 'anyone %s\n' "$(cat saltire-signal.pub)" > allowed_signers
perl -0pi -e 's/\s*<meta name="saltire-signature"[^>]*>\s*/\n/g; s/\s*<link rel="signature"[^>]*>\s*/\n/g' page.html
ssh-keygen -Y verify -f allowed_signers -I anyone -n saltire-signal-content -s page.html.sig < page.html

Check this page

Use the browser check below for a quick local test. For high assurance, use the command-line verifier above.

Verify this page

Registry

The key registry is published at provenance.json. The build manifest for the current deployment is at saltire-signal-manifest.json.