PUBKEY-PGP.asc | 12 ++++++++++++ PUBKEY-SSH.pub | 1 + PUBKEY-SSH.pub.asc | 8 ++++++++ doc/download.texi | 5 +++-- doc/install.texi | 10 +++------- doc/integrity.texi | 34 ++++++++++++++++++++++++++++++++++ doc/www.do | 2 +- makedist | 11 +++++++----
diff --git a/PUBKEY-PGP.asc b/PUBKEY-PGP.asc
new file mode 100644
index 0000000000000000000000000000000000000000..79dce7c44f90160b60c32bd5f36c3c95e763c291ff0f593d023f12ea0d23776a
--- /dev/null
+++ b/PUBKEY-PGP.asc
@@ -0,0 +1,12 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZNX0PxYJKwYBBAHaRw8BAQdAjqIcK22xCUdd+5yNnsir/dQTuNkNY/pSvWs4
+0ioQeXe0LXRvZnVwcm94eSByZWxlYXNlcyA8dG9mdXByb3h5QGN5cGhlcnB1bmtz
+LnJ1PoiOBBMWCgA2AhsDBAsJCgcCIgICFQoEFgIBAAIeBwIXgBYhBELHuGpKfcRL
+g3xDQ4HL+wBxR4UWBQJk1fSTAAoJEIHL+wBxR4UWsAwA/jzeKUvXSTiG+6UDB8R/
+lfue4FKQJq+ngFAcfn+SSao8AQClRp4saZntAY1pQ4vvmCblpJDbd+VYIDdesOHe
+K+3YDYh1BBAWCgAdFiEEEq0yaJxmDUJpZ/11y4IFYyEHrYoFAmTV9P8ACgkQy4IF
+YyEHrYpP8AEA7B/jnpfvmV3pFSGSMLZqPUo2CCrLPzdMOJJEvq1FCIcA/18cnROY
+SgUDbIvSWzPeyJR53Swpd7dsEcAZssJCxHsE
+=4gmV
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/PUBKEY-SSH.pub b/PUBKEY-SSH.pub
new file mode 100644
index 0000000000000000000000000000000000000000..f345dc32f11b5dec544ff349e558645599f656aef20c57c30d475c2d9cbe1216
--- /dev/null
+++ b/PUBKEY-SSH.pub
@@ -0,0 +1 @@
+tofuproxy@cypherpunks.ru ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoLFahYbMEPEjbknT4EMbBvWLK3OOfTvm+qOITY/Dxk
diff --git a/PUBKEY-SSH.pub.asc b/PUBKEY-SSH.pub.asc
new file mode 100644
index 0000000000000000000000000000000000000000..e88bb76789ec007af13ae258e8754b5db308dd856d7c825506373d9b0b1a9434
--- /dev/null
+++ b/PUBKEY-SSH.pub.asc
@@ -0,0 +1,8 @@
+-----BEGIN PGP SIGNATURE-----
+
+iI8EABYKADcWIQRCx7hqSn3ES4N8Q0OBy/sAcUeFFgUCZNX7MxkcdG9mdXByb3h5
+QGN5cGhlcnB1bmtzLnJ1AAoJEIHL+wBxR4UWm9cBAL7vim1KF1tcJb/d7MVAoovP
+QyUbcDSqbebws5hLK9gsAPoC5vhtaVW1H/O8DzcBHtt1Ix9HkQGrBezE+DSSQ/EE
+BQ==
+=f3Zr
+-----END PGP SIGNATURE-----
diff --git a/doc/download.texi b/doc/download.texi index 91113603c003bc4899411a68d5b1c6dbe0878f60d48e3a2172c8968ac6f621ce..39e4991151e0404e5cae08e4da604554d63d15de78b65c912740c0225fd391b0 100644 --- a/doc/download.texi +++ b/doc/download.texi @@ -1,9 +1,10 @@ -@multitable {XXXXX} {XXXX-XX-XX} {XXXX KiB} {meta4 tar sig} +@multitable {XXXXX} {XXXX-XX-XX} {XXXX KiB} {meta4 tar pgp ssh} @headitem Version @tab Date @tab Size @tab Tarball @item 0.1.0 @tab 2023-03-20 @tab 672 KiB @tab @url{download/tofuproxy-0.1.0.tar.zst.meta4, meta4} @url{download/tofuproxy-0.1.0.tar.zst, tar} -@url{download/tofuproxy-0.1.0.tar.zst.asc, asc} +@url{download/tofuproxy-0.1.0.tar.zst.asc, pgp} +@url{download/tofuproxy-0.1.0.tar.zst.sig, ssh} @end multitable diff --git a/doc/install.texi b/doc/install.texi index ab2646287807a16089758f80e04a4aa11dcb47413a437ce4d3fa8ac33a196dc2..b900fbfbe63152064e25505471850254c1751bc655356ce23c786586f5654975 100644 --- a/doc/install.texi +++ b/doc/install.texi @@ -8,19 +8,15 @@ WARCs support. @example $ [fetch|wget] http://www.tofuproxy.stargrave.org/download/tofuproxy-@value{VERSION}.tar.zst -$ [fetch|wget] http://www.tofuproxy.stargrave.org/download/tofuproxy-@value{VERSION}.tar.zst.asc -$ gpg --verify tofuproxy-@value{VERSION}.tar.zst.asc tofuproxy-@value{VERSION}.tar.zst +$ [fetch|wget] http://www.tofuproxy.stargrave.org/download/tofuproxy-@value{VERSION}.tar.zst.@{asc,sig@} +[verify signature] $ zstd -d < tofuproxy-@value{VERSION}.tar.zst | tar xf - $ cd tofuproxy-@value{VERSION} $ ./build @end example @include download.texi - -You @strong{have to} verify downloaded tarballs integrity and -authenticity to be sure that you retrieved trusted and untampered -software. @url{https://www.gnupg.org/, GNU Privacy Guard} is used -for that purpose. +@include integrity.texi Also there is @url{https://yggdrasil-network.github.io/, Yggdrasil} accessible address: @url{http://y.www.tofuproxy.stargrave.org}. 
diff --git a/doc/integrity.texi b/doc/integrity.texi
new file mode 100644
index 0000000000000000000000000000000000000000..13d995a24ab1a072a38482c09402c58fccd7817cd0f3afb2d9529705c299841a
--- /dev/null
+++ b/doc/integrity.texi
@@ -0,0 +1,34 @@
+You @strong{have to} verify downloaded tarballs authenticity to be sure
+that you retrieved trusted and untampered software. There are two options:
+
+@table @asis
+
+@item @url{https://www.openpgp.org/, OpenPGP} @file{.asc} signature
+ Use @url{https://www.gnupg.org/, GNU Privacy Guard} free software
+ implementation.
+ For the very first time it is necessary to get signing public key and
+ import it. It is provided @url{PUBKEY-PGP.asc, here}, but you should
+ check alternate resources.
+
+@verbatim
+pub ed25519/0x81CBFB0071478516 2023-08-11
+ 42C7 B86A 4A7D C44B 837C 4343 81CB FB00 7147 8516
+uid tofuproxy releases
+@end verbatim
+
+@example
+$ gpg --auto-key-locate dane --locate-keys tofuproxy at cypherpunks dot ru
+$ gpg --auto-key-locate wkd --locate-keys tofuproxy at cypherpunks dot ru
+@end example
+
+@item @url{https://www.openssh.com/, OpenSSH} @file{.sig} signature
+ @url{PUBKEY-SSH.pub, Public key} and its OpenPGP
+ @url{PUBKEY-SSH.pub.asc, signature} made with the key above.
+ Its fingerprint: @code{SHA256:TFmIjNNqfRmyz7gq/ajvsmz6CAvs1FEAvgDZk3zNDy8}.
+
+@example
+$ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I tofuproxy@@cypherpunks.ru -n file \
+ -s tofuproxy-@value{VERSION}.tar.zst.sig < tofuproxy-@value{VERSION}.tar.zst
+@end example
+
+@end table
diff --git a/doc/www.do b/doc/www.do
index 7cb8b3423ae51a5fed8bd459de723150589a6231f69b8364980beb427180b5cd..c484cf3b003d084afeb71a098825af02c92521dc168bdd2201c54357323b70df 100644
--- a/doc/www.do
+++ b/doc/www.do
@@ -10,6 +10,6 @@ --set-customization-variable FORMAT_MENU=menu \ --set-customization-variable DATE_IN_HEADER=1 \ --set-customization-variable ASCII_PUNCTUATION=1 \ --output $html index.texi -cp -a *.webp $html/ +cp -a *.webp ../PUBKEY-* $html/ find $html -type d -exec chmod 755 {} + find $html -type f -exec chmod 644 {} + diff --git a/makedist b/makedist index 5c2f868581d78fa674c8040cc2e125460bfd619e5b74181a26e8a4eb772fb719..a8aeef9b6246eb801c30d7266ce902b1e43441f51d0bc958a5e5237e5fcb9a65 100755 --- a/makedist +++ b/makedist @@ -57,8 +57,10 @@ cd .. tar cvf tofuproxy-"$release".tar --uid=0 --gid=0 --numeric-owner tofuproxy-"$release" zstd -19 -v tofuproxy-"$release".tar tarball=tofuproxy-"$release".tar.zst -gpg --armor --detach-sign --sign --local-user 12AD32689C660D426967FD75CB8205632107AD8A "$tarball" -meta4-create -fn "$tarball" -mtime "$tarball" -sig "$tarball".asc \ +ssh-keygen -Y sign -f ~/.ssh/sign/tofuproxy@cypherpunks.ru -n file $tarball +gpg --armor --detach-sign --sign --local-user 42C7B86A4A7DC44B837C434381CBFB0071478516 "$tarball" +meta4-create -fn "$tarball" -mtime "$tarball" \ + -sig-pgp "$tarball".asc -sig-ssh "$tarball".sig \ http://www.tofuproxy.stargrave.org/download/"$tarball" \ http://y.www.tofuproxy.stargrave.org/download/"$tarball" < "$tarball" > "$tarball".meta4 @@ -71,7 +73,8 @@ An entry for documentation: @item $release @tab $release_date @tab $size KiB @tab @url{download/$tarball.meta4, meta4} @url{download/$tarball, tar} - @url{download/$tarball.asc, sig} + @url{download/$tarball.asc, pgp} + @url{download/$tarball.asc, ssh} EOF -mv $tmp/$tarball $tmp/"$tarball".asc $tarball.meta4 $cur/doc/tofuproxy.html/download +mv $tmp/$tarball $tmp/"$tarball".asc $tmp/"$tarball".sig $tarball.meta4 $cur/doc/tofuproxy.html/download
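Review bot: The `../PUBKEY-*` glob on the changed `cp -a` line in doc/www.do copies every file in the parent directory whose name starts with `PUBKEY-` into the published HTML tree, not only the three key files this commit adds. A stray backup or editor copy with that prefix would be published as well, so naming the files keeps the published set explicit: `cp -a *.webp ../PUBKEY-PGP.asc ../PUBKEY-SSH.pub ../PUBKEY-SSH.pub.asc $html/`. The start of the script is outside the hunk.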
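Review bot: Neither signature made in the `@@ -57,8 +57,10 @@` hunk of makedist is checked before the files are packaged and moved to the download directory, so signing with the wrong key would only be noticed by users. After the two signing lines I would verify both against the public keys this commit publishes, using the same `ssh-keygen -Y verify -f PUBKEY-SSH.pub -I tofuproxy@cypherpunks.ru -n file` invocation that doc/integrity.texi documents plus `gpg --verify "$tarball".asc "$tarball"`, and abort on failure. `$tarball` is also unquoted on the new ssh-keygen line while the gpg line quotes it: `ssh-keygen -Y sign -f ~/.ssh/sign/tofuproxy@cypherpunks.ru -n file "$tarball"`. The documentation entry printed further down in this file links `ssh` to `download/$tarball.asc`, while the file written here and passed as `-sig-ssh` is `"$tarball".sig`; that line should read `@url{download/$tarball.sig, ssh}`. Whether the script already stops on a failed command is decided outside the hunk.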