From: Sergey Matveev
Date: Fri, 11 Aug 2023 09:21:26 +0000 (+0300)
Subject: OpenSSH signature support
X-Git-Tag: v0.2.0~1
X-Git-Url: http://www.git.stargrave.org/?p=tofuproxy.git;a=commitdiff_plain;h=a2c89a54a6b1769e2910020277b9dc4127151fdc
OpenSSH signature support
---
diff --git a/PUBKEY-PGP.asc b/PUBKEY-PGP.asc
new file mode 100644
index 0000000..0375a04
--- /dev/null
+++ b/PUBKEY-PGP.asc
@@ -0,0 +1,12 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZNX0PxYJKwYBBAHaRw8BAQdAjqIcK22xCUdd+5yNnsir/dQTuNkNY/pSvWs4
+0ioQeXe0LXRvZnVwcm94eSByZWxlYXNlcyA8dG9mdXByb3h5QGN5cGhlcnB1bmtz
+LnJ1PoiOBBMWCgA2AhsDBAsJCgcCIgICFQoEFgIBAAIeBwIXgBYhBELHuGpKfcRL
+g3xDQ4HL+wBxR4UWBQJk1fSTAAoJEIHL+wBxR4UWsAwA/jzeKUvXSTiG+6UDB8R/
+lfue4FKQJq+ngFAcfn+SSao8AQClRp4saZntAY1pQ4vvmCblpJDbd+VYIDdesOHe
+K+3YDYh1BBAWCgAdFiEEEq0yaJxmDUJpZ/11y4IFYyEHrYoFAmTV9P8ACgkQy4IF
+YyEHrYpP8AEA7B/jnpfvmV3pFSGSMLZqPUo2CCrLPzdMOJJEvq1FCIcA/18cnROY
+SgUDbIvSWzPeyJR53Swpd7dsEcAZssJCxHsE
+=4gmV
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/PUBKEY-SSH.pub b/PUBKEY-SSH.pub
new file mode 100644
index 0000000..230952c
--- /dev/null
+++ b/PUBKEY-SSH.pub
@@ -0,0 +1 @@
+tofuproxy@cypherpunks.ru ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoLFahYbMEPEjbknT4EMbBvWLK3OOfTvm+qOITY/Dxk
diff --git a/PUBKEY-SSH.pub.asc b/PUBKEY-SSH.pub.asc
new file mode 100644
index 0000000..15bacf3
--- /dev/null
+++ b/PUBKEY-SSH.pub.asc
@@ -0,0 +1,8 @@
+-----BEGIN PGP SIGNATURE-----
+
+iI8EABYKADcWIQRCx7hqSn3ES4N8Q0OBy/sAcUeFFgUCZNX7MxkcdG9mdXByb3h5
+QGN5cGhlcnB1bmtzLnJ1AAoJEIHL+wBxR4UWm9cBAL7vim1KF1tcJb/d7MVAoovP
+QyUbcDSqbebws5hLK9gsAPoC5vhtaVW1H/O8DzcBHtt1Ix9HkQGrBezE+DSSQ/EE
+BQ==
+=f3Zr
+-----END PGP SIGNATURE-----
diff --git a/doc/download.texi b/doc/download.texi
index 32817d3..77809b5 100644
--- a/doc/download.texi
+++ b/doc/download.texi
@@ -1,9 +1,10 @@
-@multitable {XXXXX} {XXXX-XX-XX} {XXXX KiB} {meta4 tar sig}
+@multitable {XXXXX} {XXXX-XX-XX} {XXXX KiB} {meta4 tar pgp ssh}
 @headitem Version @tab Date @tab Size @tab Tarball
 @item 0.1.0 @tab 2023-03-20 @tab 672 KiB @tab
 @url{download/tofuproxy-0.1.0.tar.zst.meta4, meta4}
 @url{download/tofuproxy-0.1.0.tar.zst, tar}
-@url{download/tofuproxy-0.1.0.tar.zst.asc, asc}
+@url{download/tofuproxy-0.1.0.tar.zst.asc, pgp}
+@url{download/tofuproxy-0.1.0.tar.zst.sig, ssh}
 @end multitable
diff --git a/doc/install.texi b/doc/install.texi
index eee066f..9d7dff7 100644
--- a/doc/install.texi
+++ b/doc/install.texi
@@ -8,19 +8,15 @@ WARCs support.
 @example
 $ [fetch|wget] http://www.tofuproxy.stargrave.org/download/tofuproxy-@value{VERSION}.tar.zst
-$ [fetch|wget] http://www.tofuproxy.stargrave.org/download/tofuproxy-@value{VERSION}.tar.zst.asc
-$ gpg --verify tofuproxy-@value{VERSION}.tar.zst.asc tofuproxy-@value{VERSION}.tar.zst
+$ [fetch|wget] http://www.tofuproxy.stargrave.org/download/tofuproxy-@value{VERSION}.tar.zst.@{asc,sig@}
+[verify signature]
 $ zstd -d < tofuproxy-@value{VERSION}.tar.zst | tar xf -
 $ cd tofuproxy-@value{VERSION}
 $ ./build
 @end example
 @include download.texi
-
-You @strong{have to} verify downloaded tarballs integrity and
-authenticity to be sure that you retrieved trusted and untampered
-software. @url{https://www.gnupg.org/, GNU Privacy Guard} is used
-for that purpose.
+@include integrity.texi
 Also there is @url{https://yggdrasil-network.github.io/, Yggdrasil} accessible address: @url{http://y.www.tofuproxy.stargrave.org}.
diff --git a/doc/integrity.texi b/doc/integrity.texi
new file mode 100644
index 0000000..2420afb
--- /dev/null
+++ b/doc/integrity.texi
@@ -0,0 +1,34 @@
+You @strong{have to} verify downloaded tarballs authenticity to be sure
+that you retrieved trusted and untampered software. There are two options:
+
+@table @asis
+
+@item @url{https://www.openpgp.org/, OpenPGP} @file{.asc} signature
+ Use @url{https://www.gnupg.org/, GNU Privacy Guard} free software
+ implementation.
+ For the very first time it is necessary to get signing public key and
+ import it. It is provided @url{PUBKEY-PGP.asc, here}, but you should
+ check alternate resources.
+
+@verbatim
+pub ed25519/0x81CBFB0071478516 2023-08-11
+ 42C7 B86A 4A7D C44B 837C 4343 81CB FB00 7147 8516
+uid tofuproxy releases
+@end verbatim
+
+@example
+$ gpg --auto-key-locate dane --locate-keys tofuproxy at cypherpunks dot ru
+$ gpg --auto-key-locate wkd --locate-keys tofuproxy at cypherpunks dot ru
+@end example
+
+@item @url{https://www.openssh.com/, OpenSSH} @file{.sig} signature
+ @url{PUBKEY-SSH.pub, Public key} and its OpenPGP
+ @url{PUBKEY-SSH.pub.asc, signature} made with the key above.
+ Its fingerprint: @code{SHA256:TFmIjNNqfRmyz7gq/ajvsmz6CAvs1FEAvgDZk3zNDy8}.
+
+@example
+$ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I tofuproxy@@cypherpunks.ru -n file \
+ -s tofuproxy-@value{VERSION}.tar.zst.sig < tofuproxy-@value{VERSION}.tar.zst
+@end example
+
+@end table
diff --git a/doc/www.do b/doc/www.do
index 7cca9b8..0a8de34 100644
--- a/doc/www.do
+++ b/doc/www.do
@@ -10,6 +10,6 @@ ${MAKEINFO:=makeinfo} --html \
 --set-customization-variable DATE_IN_HEADER=1 \
 --set-customization-variable ASCII_PUNCTUATION=1 \
 --output $html index.texi
-cp -a *.webp $html/
+cp -a *.webp ../PUBKEY-* $html/
 find $html -type d -exec chmod 755 {} +
 find $html -type f -exec chmod 644 {} +
diff --git a/makedist b/makedist
index dc247da..6430add 100755
--- a/makedist
+++ b/makedist
@@ -57,8 +57,10 @@ cd ..
 tar cvf tofuproxy-"$release".tar --uid=0 --gid=0 --numeric-owner tofuproxy-"$release"
 zstd -19 -v tofuproxy-"$release".tar
 tarball=tofuproxy-"$release".tar.zst
-gpg --armor --detach-sign --sign --local-user 12AD32689C660D426967FD75CB8205632107AD8A "$tarball"
-meta4-create -fn "$tarball" -mtime "$tarball" -sig "$tarball".asc \
+ssh-keygen -Y sign -f ~/.ssh/sign/tofuproxy@cypherpunks.ru -n file $tarball
+gpg --armor --detach-sign --sign --local-user 42C7B86A4A7DC44B837C434381CBFB0071478516 "$tarball"
+meta4-create -fn "$tarball" -mtime "$tarball" \
+ -sig-pgp "$tarball".asc -sig-ssh "$tarball".sig \
 http://www.tofuproxy.stargrave.org/download/"$tarball" \
 http://y.www.tofuproxy.stargrave.org/download/"$tarball" < "$tarball" > "$tarball".meta4
@@ -71,7 +73,8 @@ An entry for documentation:
 @item $release @tab $release_date @tab $size KiB @tab
 @url{download/$tarball.meta4, meta4}
 @url{download/$tarball, tar}
- @url{download/$tarball.asc, sig}
+ @url{download/$tarball.asc, pgp}
+ @url{download/$tarball.asc, ssh}
 EOF
-mv $tmp/$tarball $tmp/"$tarball".asc $tarball.meta4 $cur/doc/tofuproxy.html/download
+mv $tmp/$tarball $tmp/"$tarball".asc $tmp/"$tarball".sig $tarball.meta4 $cur/doc/tofuproxy.html/download
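Review bot: The new `ssh-keygen -Y sign` line passes `$tarball` unquoted, while the gpg and meta4-create lines in the same hunk quote it; the line should read `ssh-keygen -Y sign -f ~/.ssh/sign/tofuproxy@cypherpunks.ru -n file "$tarball"`. The `-n file` namespace is the same one the verify command in doc/integrity.texi passes with `-n file`, and a signature made under a different namespace would not verify with that documented command, so a comment above the line such as `# -n must stay in sync with the verify command in doc/integrity.texi` would protect that coupling. The rest of the script, including whatever `set -e` or explicit status checks cover a failed signing step, lies outside this hunk.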
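Review bot: The new `ssh` entry in the documentation template links to `$tarball.asc`, which is the OpenPGP signature, so every generated download row would point the SSH link at the wrong file; the doc/download.texi hunk in this same commit uses `.sig` for that link, and the mv line below publishes `"$tarball".sig`. The line should read `@url{download/$tarball.sig, ssh}`. The rewritten mv line also mixes quoting, leaving `$tmp/$tarball` and `$tarball.meta4` bare next to `$tmp/"$tarball".sig`; quoting every operand, `mv "$tmp/$tarball" "$tmp/$tarball.asc" "$tmp/$tarball.sig" "$tarball.meta4" "$cur/doc/tofuproxy.html/download"`, keeps the command intact should any of those paths ever contain whitespace.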