--- /dev/null
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZNX0PxYJKwYBBAHaRw8BAQdAjqIcK22xCUdd+5yNnsir/dQTuNkNY/pSvWs4
+0ioQeXe0LXRvZnVwcm94eSByZWxlYXNlcyA8dG9mdXByb3h5QGN5cGhlcnB1bmtz
+LnJ1PoiOBBMWCgA2AhsDBAsJCgcCIgICFQoEFgIBAAIeBwIXgBYhBELHuGpKfcRL
+g3xDQ4HL+wBxR4UWBQJk1fSTAAoJEIHL+wBxR4UWsAwA/jzeKUvXSTiG+6UDB8R/
+lfue4FKQJq+ngFAcfn+SSao8AQClRp4saZntAY1pQ4vvmCblpJDbd+VYIDdesOHe
+K+3YDYh1BBAWCgAdFiEEEq0yaJxmDUJpZ/11y4IFYyEHrYoFAmTV9P8ACgkQy4IF
+YyEHrYpP8AEA7B/jnpfvmV3pFSGSMLZqPUo2CCrLPzdMOJJEvq1FCIcA/18cnROY
+SgUDbIvSWzPeyJR53Swpd7dsEcAZssJCxHsE
+=4gmV
+-----END PGP PUBLIC KEY BLOCK-----
--- /dev/null
+tofuproxy@cypherpunks.ru ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoLFahYbMEPEjbknT4EMbBvWLK3OOfTvm+qOITY/Dxk
--- /dev/null
+-----BEGIN PGP SIGNATURE-----
+
+iI8EABYKADcWIQRCx7hqSn3ES4N8Q0OBy/sAcUeFFgUCZNX7MxkcdG9mdXByb3h5
+QGN5cGhlcnB1bmtzLnJ1AAoJEIHL+wBxR4UWm9cBAL7vim1KF1tcJb/d7MVAoovP
+QyUbcDSqbebws5hLK9gsAPoC5vhtaVW1H/O8DzcBHtt1Ix9HkQGrBezE+DSSQ/EE
+BQ==
+=f3Zr
+-----END PGP SIGNATURE-----
-@multitable {XXXXX} {XXXX-XX-XX} {XXXX KiB} {meta4 tar sig}
+@multitable {XXXXX} {XXXX-XX-XX} {XXXX KiB} {meta4 tar pgp ssh}
@headitem Version @tab Date @tab Size @tab Tarball
@item 0.1.0 @tab 2023-03-20 @tab 672 KiB @tab
@url{download/tofuproxy-0.1.0.tar.zst.meta4, meta4}
@url{download/tofuproxy-0.1.0.tar.zst, tar}
-@url{download/tofuproxy-0.1.0.tar.zst.asc, asc}
+@url{download/tofuproxy-0.1.0.tar.zst.asc, pgp}
+@url{download/tofuproxy-0.1.0.tar.zst.sig, ssh}
@end multitable
@example
$ [fetch|wget] http://www.tofuproxy.stargrave.org/download/tofuproxy-@value{VERSION}.tar.zst
-$ [fetch|wget] http://www.tofuproxy.stargrave.org/download/tofuproxy-@value{VERSION}.tar.zst.asc
-$ gpg --verify tofuproxy-@value{VERSION}.tar.zst.asc tofuproxy-@value{VERSION}.tar.zst
+$ [fetch|wget] http://www.tofuproxy.stargrave.org/download/tofuproxy-@value{VERSION}.tar.zst.@{asc,sig@}
+[verify signature]
$ zstd -d < tofuproxy-@value{VERSION}.tar.zst | tar xf -
$ cd tofuproxy-@value{VERSION}
$ ./build
@end example
@include download.texi
-
-You @strong{have to} verify downloaded tarballs integrity and
-authenticity to be sure that you retrieved trusted and untampered
-software. @url{https://www.gnupg.org/, GNU Privacy Guard} is used
-for that purpose.
+@include integrity.texi
Also there is @url{https://yggdrasil-network.github.io/, Yggdrasil}
accessible address: @url{http://y.www.tofuproxy.stargrave.org}.
--- /dev/null
+You @strong{have to} verify downloaded tarballs authenticity to be sure
+that you retrieved trusted and untampered software. There are two options:
+
+@table @asis
+
+@item @url{https://www.openpgp.org/, OpenPGP} @file{.asc} signature
+ Use @url{https://www.gnupg.org/, GNU Privacy Guard} free software
+ implementation.
+ For the very first time it is necessary to get signing public key and
+ import it. It is provided @url{PUBKEY-PGP.asc, here}, but you should
+ check alternate resources.
+
+@verbatim
+pub ed25519/0x81CBFB0071478516 2023-08-11
+ 42C7 B86A 4A7D C44B 837C 4343 81CB FB00 7147 8516
+uid tofuproxy releases <tofuproxy@cypherpunks.ru>
+@end verbatim
+
+@example
+$ gpg --auto-key-locate dane --locate-keys tofuproxy at cypherpunks dot ru
+$ gpg --auto-key-locate wkd --locate-keys tofuproxy at cypherpunks dot ru
+@end example
+
+@item @url{https://www.openssh.com/, OpenSSH} @file{.sig} signature
+ @url{PUBKEY-SSH.pub, Public key} and its OpenPGP
+ @url{PUBKEY-SSH.pub.asc, signature} made with the key above.
+ Its fingerprint: @code{SHA256:TFmIjNNqfRmyz7gq/ajvsmz6CAvs1FEAvgDZk3zNDy8}.
+
+@example
+$ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I tofuproxy@@cypherpunks.ru -n file \
+ -s tofuproxy-@value{VERSION}.tar.zst.sig < tofuproxy-@value{VERSION}.tar.zst
+@end example
+
+@end table
--set-customization-variable DATE_IN_HEADER=1 \
--set-customization-variable ASCII_PUNCTUATION=1 \
--output $html index.texi
-cp -a *.webp $html/
+cp -a *.webp ../PUBKEY-* $html/
find $html -type d -exec chmod 755 {} +
find $html -type f -exec chmod 644 {} +
tar cvf tofuproxy-"$release".tar --uid=0 --gid=0 --numeric-owner tofuproxy-"$release"
zstd -19 -v tofuproxy-"$release".tar
tarball=tofuproxy-"$release".tar.zst
-gpg --armor --detach-sign --sign --local-user 12AD32689C660D426967FD75CB8205632107AD8A "$tarball"
-meta4-create -fn "$tarball" -mtime "$tarball" -sig "$tarball".asc \
+ssh-keygen -Y sign -f ~/.ssh/sign/tofuproxy@cypherpunks.ru -n file $tarball
+gpg --armor --detach-sign --sign --local-user 42C7B86A4A7DC44B837C434381CBFB0071478516 "$tarball"
+meta4-create -fn "$tarball" -mtime "$tarball" \
+ -sig-pgp "$tarball".asc -sig-ssh "$tarball".sig \
http://www.tofuproxy.stargrave.org/download/"$tarball" \
http://y.www.tofuproxy.stargrave.org/download/"$tarball" < "$tarball" > "$tarball".meta4
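Review bot: On the added `ssh-keygen -Y sign` line `$tarball` is unquoted, while the gpg and meta4-create lines next to it quote it; write `ssh-keygen -Y sign -f ~/.ssh/sign/tofuproxy@cypherpunks.ru -n file "$tarball"`. Nothing visible here shows whether the script aborts on a failed command (a `set -e` would sit outside this hunk). If it does not, a failed or cancelled signing step would leave meta4-create referencing a missing `.sig` or `.asc`, so confirm that or append `|| exit 1` to both signing commands. A short comment such as `# namespace must match "-n file" in doc/integrity.texi` would help, because the documented `ssh-keygen -Y verify` command uses the same namespace and a mismatch makes verification fail. The `../PUBKEY-*` glob in the `cp -a` line copies every file matching that prefix into the published HTML tree, so listing the three key files explicitly would be safer.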
@item $release @tab $release_date @tab $size KiB @tab
@url{download/$tarball.meta4, meta4}
@url{download/$tarball, tar}
- @url{download/$tarball.asc, sig}
+ @url{download/$tarball.asc, pgp}
+ @url{download/$tarball.asc, ssh}
EOF
-mv $tmp/$tarball $tmp/"$tarball".asc $tarball.meta4 $cur/doc/tofuproxy.html/download
+mv $tmp/$tarball $tmp/"$tarball".asc $tmp/"$tarball".sig $tarball.meta4 $cur/doc/tofuproxy.html/download
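Review bot: The added `ssh` row in the heredoc links to `download/$tarball.asc`, the same file as the `pgp` row, although the SSH signature written by `ssh-keygen -Y sign` is `$tarball.sig` and the 0.1.0 row in the download table uses `.tar.zst.sig`. It should read `@url{download/$tarball.sig, ssh}`. As written, every future release entry would serve the OpenPGP signature under the `ssh` link, and the documented `ssh-keygen -Y verify` step would fail for anyone who follows it. The heredoc begins outside this hunk. On the `mv` line, `$tmp/$tarball` and `$tarball.meta4` are unquoted while the `.asc` and `.sig` arguments are quoted, so quoting all of them would be consistent.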