PUBKEY-PGP.asc | 12 ------------ PUBKEY-SSH.pub.asc | 9 +++++---- doc/integrity.texi | 32 +++++--------------------------- makedist | 1 - diff --git a/PUBKEY-PGP.asc b/PUBKEY-PGP.asc deleted file mode 100644 index 8aab43173463d32f827b498227cb8ba64649f548ae6bbbd208a74a002e1f06c7..0000000000000000000000000000000000000000 --- a/PUBKEY-PGP.asc +++ /dev/null @@ -1,12 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mDMEZNYyOhYJKwYBBAHaRw8BAQdA67+poAzLTVmjjhjTmwEKbObE7+QPHIlIKeqB -rSlGqxq0LHRvZnVwcm94eSByZWxlYXNlcyA8dG9mdXByb3h5QHN0YXJncmF2ZS5v -cmc+iI4EExYKADYCGwMECwkKBwIiAgIVCgQWAgEAAh4HAheAFiEENHfTKSx3W/Od -qg4HWSHVlqMy+EQFAmTWMmoACgkQWSHVlqMy+ESH3QEAqjT0p/3VyvNiHfFSCeTg -8tiWr9rih8uCRnHmi4TcuA4BAKW4Db22XQ7u9xrdiH10jrOamFnYtbqsdJPQMUgh -6gIAiHUEEBYKAB0WIQQSrTJonGYNQmln/XXLggVjIQetigUCZNYyhAAKCRDLggVj -IQetipNVAQDQLJ4HCRx4aXBTW+ORwOIx/KvL2d8K9L/s1SHecWCtVAD+MONev0wj -WiY3s2T5d5qAya19Bw9k5Ox0Pcq7XNrBBgQ= -=cIlF ------END PGP PUBLIC KEY BLOCK----- diff --git a/PUBKEY-SSH.pub.asc b/PUBKEY-SSH.pub.asc index e14523fde4eb15b72f17d540813ce1e94bf50d3a6dadb3466676ca4e1c25f113..e88acdeda5b4a5a65cf7c699e2cd6bd3b76b42c523ef81cef63b8e97758a333a 100644 --- a/PUBKEY-SSH.pub.asc +++ b/PUBKEY-SSH.pub.asc @@ -1,7 +1,8 @@ -----BEGIN PGP SIGNATURE----- -iI4EABYKADYWIQQ0d9MpLHdb852qDgdZIdWWozL4RAUCZNYy9hgcdG9mdXByb3h5 -QHN0YXJncmF2ZS5vcmcACgkQWSHVlqMy+ES7RgEAgXxAD1LRvH1oMZxbb/9Z2/bo -r933/GUiVvYqcC3dbS8BAMebsfKiNwUvQOKUENtOqYjwyraX/HSdc6/WY6X6jVQK -=GohX +iJEEABYKADkWIQTbL/jtRAp+lJhvt3bSI36ECQhstwUCacJyPxsUgAAAAAAEAA5t +YW51MiwyLjUrMS4xMiwyLDMACgkQ0iN+hAkIbLeuIAEA5QgypAjeMRItnmyM5cSp +Cp1phDWKvt+f5Fs+aAs9duoA/39hOCyoyQYx4WziQvjSfCpXetfjPovVzxbpBlSP +9NoA +=GrcE -----END PGP SIGNATURE----- diff --git a/doc/integrity.texi b/doc/integrity.texi index 7b84b0b18184248956c66278a7260d41e9eb0ff98913b4f93f0a54a542363fbe..9577dff4c4d902968b976c230a11dfdaf4fbf46276e435d082d188b62fe940ff 100644 --- a/doc/integrity.texi +++ b/doc/integrity.texi @@ -1,34 +1,12 @@ You @strong{have to} verify downloaded tarballs authenticity to be sure -that you retrieved trusted and untampered software. There are two options: - -@table @asis - -@item @url{https://librepgp.org/, LibrePGP} @file{.asc} signature - Use @url{https://www.gnupg.org/, GNU Privacy Guard} free software - implementation. - For the very first time it is necessary to get signing public key and - import it. It is provided @url{PUBKEY-PGP.asc, here}, but you should - check alternate resources. - -@verbatim -pub ed25519/0x5921D596A332F844 2023-08-11 - 3477 D329 2C77 5BF3 9DAA 0E07 5921 D596 A332 F844 -uid tofuproxy releases -@end verbatim - -@example -$ gpg --auto-key-locate dane --locate-keys tofuproxy@@stargrave.org -$ gpg --auto-key-locate wkd --locate-keys tofuproxy@@stargrave.org -@end example +that you retrieved trusted and untampered software. -@item @url{https://www.openssh.com/, OpenSSH} @file{.sig} signature - @url{PUBKEY-SSH.pub, Public key} and its LibrePGP - @url{PUBKEY-SSH.pub.asc, signature} made with the key above. - Its fingerprint: @code{SHA256:NIDt9iZUizwivY3GoxmGvbQTH7mz/dmV7ZFOXeYfa2o}. +@url{https://www.openssh.com/, OpenSSH} @file{.sig} signature, +@url{PUBKEY-SSH.pub, Public key} and its LibrePGP +@url{PUBKEY-SSH.pub.asc, signature} made with the key above. +Its fingerprint: @code{SHA256:NIDt9iZUizwivY3GoxmGvbQTH7mz/dmV7ZFOXeYfa2o}. @example $ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I tofuproxy@@stargrave.org -n file \ -s tofuproxy-@value{VERSION}.tar.zst.sig tofuproxy-"$release".tar zstd -22 --ultra -v tofuproxy-"$release".tar tarball=tofuproxy-"$release".tar.zst ssh-keygen -Y sign -f ~/.ssh/sign/tofuproxy@stargrave.org -n file $tarball -gpg --armor --detach-sign --sign --local-user 3477D3292C775BF39DAA0E075921D596A332F844 "$tarball" meta4ra-create -fn "$tarball" -mtime "$tarball" \ -sig-pgp "$tarball".asc -sig-ssh "$tarball".sig \ "1|ru|http://www.tofuproxy.stargrave.org/download/$tarball" \