From: Sergey Matveev
Date: Tue, 8 Aug 2023 14:40:25 +0000 (+0300)
Subject: OpenSSH signature support
X-Git-Tag: v4.2.0~6
X-Git-Url: http://www.git.cypherpunks.ru/?p=gocheese.git;a=commitdiff_plain;h=b08f36e94049a7ec37d36a7fd14b8bc30017525f
OpenSSH signature support
---
diff --git a/PUBKEY.asc b/PUBKEY-PGP.asc
similarity index 100%
rename from PUBKEY.asc
rename to PUBKEY-PGP.asc
diff --git a/PUBKEY-SSH.pub b/PUBKEY-SSH.pub
new file mode 100644
index 0000000..479f13c
--- /dev/null
+++ b/PUBKEY-SSH.pub
@@ -0,0 +1 @@
+gocheese@cypherpunks.ru ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5FDzUDCGliwAWBHKB1eOEhPcRkoXNc7s9cXYz0F2Xz
diff --git a/PUBKEY-SSH.pub.asc b/PUBKEY-SSH.pub.asc
new file mode 100644
index 0000000..589c9e9
--- /dev/null
+++ b/PUBKEY-SSH.pub.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFMBAABCgA2FiEEmydkC6eEN+xtSspszVzQH1U0PYgFAmTSPHYYHGdvY2hlZXNl
+QGN5cGhlcnB1bmtzLnJ1AAoJEM1c0B9VND2IUp4H/iQVsPkMssw2CHCwg974gNMr
+VlYn7oNakbLeP3/MouSS/x6xtA0bKs+ojEIwslJF0wESyQq4Tm474iWW9VX83qR9
+0B8tcwGL4+HKfew88piHcHYfJfpOP2JIpa0qL5TCD04k+rDXPozKJqkQN/CRdkMp
+BGIfiKt2qSkDH8Oyb+M+dwLwnv0uwJhUMyUnRBT3mzrI7hNgXHYnuVaPUt5yjku6
+Le143x3kwnzjQwNDRynbLJ+22U68LMPUcGgy8uDCs4Y8vslTrq5DDCa3fGtmz8go
+xRvVyR1gy5owAsZQ+RVvvCX9RrMQYD2frGPGTew1+7OEX3arasYOC0wz+eKO+2Q=
+=voiu
+-----END PGP SIGNATURE-----
diff --git a/doc/download.texi b/doc/download.texi
index 308cd8a..124388c 100644
--- a/doc/download.texi
+++ b/doc/download.texi
@@ -1,89 +1,106 @@ -@multitable {XXXXX} {XXXX-XX-XX} {XXXX KiB} {meta4 tar sig} +@multitable {XXXXX} {XXXX-XX-XX} {XXXX KiB} {meta4 tar pgp ssh} @headitem Version @tab Date @tab Size @tab Tarball @item 4.1.0 @tab 2023-06-04 @tab 65 KiB @tab @url{download/gocheese-4.1.0.tar.zst.meta4, meta4} @url{download/gocheese-4.1.0.tar.zst, tar} -@url{download/gocheese-4.1.0.tar.zst.asc, sig} +@url{download/gocheese-4.1.0.tar.zst.asc, pgp} +@url{download/gocheese-4.1.0.tar.zst.sig, ssh} @item 4.0.0 @tab 2023-06-03 @tab 65 KiB @tab @url{download/gocheese-4.0.0.tar.zst.meta4, meta4} @url{download/gocheese-4.0.0.tar.zst, tar} -@url{download/gocheese-4.0.0.tar.zst.asc, sig} +@url{download/gocheese-4.0.0.tar.zst.asc, pgp} +@url{download/gocheese-4.0.0.tar.zst.sig, ssh} @item 3.7.1 @tab 2023-03-23 @tab 65 KiB @tab @url{download/gocheese-3.7.1.tar.zst.meta4, meta4} @url{download/gocheese-3.7.1.tar.zst, tar} -@url{download/gocheese-3.7.1.tar.zst.asc, sig} +@url{download/gocheese-3.7.1.tar.zst.asc, pgp} +@url{download/gocheese-3.7.1.tar.zst.sig, ssh} @item 3.7.0 @tab 2022-11-28 @tab 68 KiB @tab @url{download/gocheese-3.7.0.tar.zst.meta4, meta4} @url{download/gocheese-3.7.0.tar.zst, tar} -@url{download/gocheese-3.7.0.tar.zst.asc, sig} +@url{download/gocheese-3.7.0.tar.zst.asc, pgp} +@url{download/gocheese-3.7.0.tar.zst.sig, ssh} @item 3.6.0 @tab 2022-11-03 @tab 68 KiB @tab @url{download/gocheese-3.6.0.tar.zst.meta4, meta4} @url{download/gocheese-3.6.0.tar.zst, tar} -@url{download/gocheese-3.6.0.tar.zst.asc, sig} +@url{download/gocheese-3.6.0.tar.zst.asc, pgp} +@url{download/gocheese-3.6.0.tar.zst.sig, ssh} @item 3.5.0 @tab 2022-02-09 @tab 68 KiB @tab @url{download/gocheese-3.5.0.tar.zst.meta4, meta4} @url{download/gocheese-3.5.0.tar.zst, tar} -@url{download/gocheese-3.5.0.tar.zst.asc, sig} +@url{download/gocheese-3.5.0.tar.zst.asc, pgp} +@url{download/gocheese-3.5.0.tar.zst.sig, ssh} @item 3.4.0 @tab 2021-11-26 @tab 68 KiB @tab @url{download/gocheese-3.4.0.tar.zst.meta4, meta4} 
@url{download/gocheese-3.4.0.tar.zst, tar} -@url{download/gocheese-3.4.0.tar.zst.asc, sig} +@url{download/gocheese-3.4.0.tar.zst.asc, pgp} +@url{download/gocheese-3.4.0.tar.zst.sig, ssh} @item 3.3.0 @tab 2021-09-28 @tab 68 KiB @tab @url{download/gocheese-3.3.0.tar.zst.meta4, meta4} @url{download/gocheese-3.3.0.tar.zst, tar} -@url{download/gocheese-3.3.0.tar.zst.asc, sig} +@url{download/gocheese-3.3.0.tar.zst.asc, pgp} +@url{download/gocheese-3.3.0.tar.zst.sig, ssh} @item 3.2.0 @tab 2021-09-27 @tab 68 KiB @tab @url{download/gocheese-3.2.0.tar.zst.meta4, meta4} @url{download/gocheese-3.2.0.tar.zst, tar} -@url{download/gocheese-3.2.0.tar.zst.asc, sig} +@url{download/gocheese-3.2.0.tar.zst.asc, pgp} +@url{download/gocheese-3.2.0.tar.zst.sig, ssh} @item 3.1.0 @tab 2021-09-27 @tab 68 KiB @tab @url{download/gocheese-3.1.0.tar.zst.meta4, meta4} @url{download/gocheese-3.1.0.tar.zst, tar} -@url{download/gocheese-3.1.0.tar.zst.asc, sig} +@url{download/gocheese-3.1.0.tar.zst.asc, pgp} +@url{download/gocheese-3.1.0.tar.zst.sig, ssh} @item 3.0.0 @tab 2021-09-26 @tab 68 KiB @tab @url{download/gocheese-3.0.0.tar.zst.meta4, meta4} @url{download/gocheese-3.0.0.tar.zst, tar} -@url{download/gocheese-3.0.0.tar.zst.asc, sig} +@url{download/gocheese-3.0.0.tar.zst.asc, pgp} +@url{download/gocheese-3.0.0.tar.zst.sig, ssh} @item 2.6.0 @tab 2021-01-22 @tab 58 KiB @tab @url{download/gocheese-2.6.0.tar.zst.meta4, meta4} @url{download/gocheese-2.6.0.tar.zst, tar} -@url{download/gocheese-2.6.0.tar.zst.asc, sig} +@url{download/gocheese-2.6.0.tar.zst.asc, pgp} +@url{download/gocheese-2.6.0.tar.zst.sig, ssh} @item 2.5.0 @tab 2020-11-07 @tab 110 KiB @tab @url{download/gocheese-2.5.0.tar.xz.meta4, meta4} @url{download/gocheese-2.5.0.tar.xz, tar} -@url{download/gocheese-2.5.0.tar.xz.asc, sig} +@url{download/gocheese-2.5.0.tar.xz.asc, pgp} +@url{download/gocheese-2.5.0.tar.xz.sig, ssh} @item 2.4.1 @tab 2020-09-05 @tab 105 KiB @tab @url{download/gocheese-2.4.1.tar.xz.meta4, meta4} 
@url{download/gocheese-2.4.1.tar.xz, tar} -@url{download/gocheese-2.4.1.tar.xz.asc, sig} +@url{download/gocheese-2.4.1.tar.xz.asc, pgp} +@url{download/gocheese-2.4.1.tar.xz.sig, ssh} @item 2.4.0 @tab 2020-07-24 @tab 101 KiB @tab @url{download/gocheese-2.4.0.tar.xz.meta4, meta4} @url{download/gocheese-2.4.0.tar.xz, tar} -@url{download/gocheese-2.4.0.tar.xz.asc, sig} +@url{download/gocheese-2.4.0.tar.xz.asc, pgp} +@url{download/gocheese-2.4.0.tar.xz.sig, ssh} @item 2.3.0 @tab 2019-12-17 @tab 101 KiB @tab @url{download/gocheese-2.3.0.tar.xz.meta4, meta4} @url{download/gocheese-2.3.0.tar.xz, tar} -@url{download/gocheese-2.3.0.tar.xz.asc, sig} +@url{download/gocheese-2.3.0.tar.xz.asc, pgp} +@url{download/gocheese-2.3.0.tar.xz.sig, ssh} @item 2.2.0 @tab 2019-12-09 @tab 100 KiB @tab @url{download/gocheese-2.2.0.tar.xz.meta4, meta4} @url{download/gocheese-2.2.0.tar.xz, tar} -@url{download/gocheese-2.2.0.tar.xz.asc, sig} +@url{download/gocheese-2.2.0.tar.xz.asc, pgp} +@url{download/gocheese-2.2.0.tar.xz.sig, ssh} @end multitable diff --git a/doc/install.texi b/doc/install.texi index fe92e29..7e0c644 100644 --- a/doc/install.texi +++ b/doc/install.texi 
@@ -11,42 +11,15 @@ website and, for example, run tests with benchmarks: @example $ [fetch|wget] http://www.gocheese.cypherpunks.ru/download/gocheese-@value{VERSION}.tar.zst -$ [fetch|wget] http://www.gocheese.cypherpunks.ru/download/gocheese-@value{VERSION}.tar.zst.asc -$ gpg --verify gocheese-@value{VERSION}.tar.zst.asc gocheese-@value{VERSION}.tar.zst +$ [fetch|wget] http://www.gocheese.cypherpunks.ru/download/gocheese-@value{VERSION}.tar.zst.@{asc,sig@} +[verify signature] $ zstd -d < gocheese-@value{VERSION}.tar.zst | tar xf - $ cd gocheese-@value{VERSION} $ go build -mod=vendor @end example @include download.texi - -You @strong{have to} verify downloaded tarballs integrity and -authenticity to be sure that you retrieved trusted and untampered -software. @url{https://www.gnupg.org/, GNU Privacy Guard} is used -for that purpose. - -For the very first time it is necessary to get signing public key and -import it. It is provided below, but you should check alternative -resources. - -@verbatim -pub rsa2048/0xCD5CD01F55343D88 2019-12-08 [SC] - 9B27 640B A784 37EC 6D4A CA6C CD5C D01F 5534 3D88 -uid GoCheese releases -@end verbatim - -@itemize - -@item -@example -$ gpg --auto-key-locate dane --locate-keys gocheese at cypherpunks dot ru -$ gpg --auto-key-locate wkd --locate-keys gocheese at cypherpunks dot ru -@end example - -@item -@verbatiminclude ../PUBKEY.asc - -@end itemize +@include integrity.texi You can obtain development source code with @command{git clone git://git.cypherpunks.ru/gocheese.git} diff --git a/doc/integrity.texi b/doc/integrity.texi new file mode 100644 index 0000000..83cccb1 --- /dev/null +++ b/doc/integrity.texi 
@@ -0,0 +1,34 @@ +You @strong{have to} verify downloaded tarballs authenticity to be sure +that you retrieved trusted and untampered software. There are two options: + +@table @asis + +@item @url{https://www.openpgp.org/, OpenPGP} @file{.asc} signature + Use @url{https://www.gnupg.org/, GNU Privacy Guard} free software + implementation. + For the very first time it is necessary to get signing public key and + import it. It is provided @url{PUBKEY-PGP.asc, here}, but you should + check alternate resources. + +@verbatim +pub rsa2048/0xCD5CD01F55343D88 2019-12-08 + 9B27 640B A784 37EC 6D4A CA6C CD5C D01F 5534 3D88 +uid GoCheese releases +@end verbatim + +@example +$ gpg --auto-key-locate dane --locate-keys gocheese at cypherpunks dot ru +$ gpg --auto-key-locate wkd --locate-keys gocheese at cypherpunks dot ru +@end example + +@item @url{https://www.openssh.com/, OpenSSH} @file{.sig} signature + @url{PUBKEY-SSH.pub, Public key} and its OpenPGP + @url{PUBKEY-SSH.pub.asc, signature} made with the key above. + Its fingerprint: @code{SHA256:Akj/MCtxCjPphrgWub2BeChqHDhLMABTYLL/MzqTN+s}. + +@example +$ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I gocheese@@cypherpunks.ru -n file \ + -s gocheese-@value{VERSION}.tar.zst.sig < gocheese-@value{VERSION}.tar.zst +@end example + +@end table diff --git a/doc/www.do b/doc/www.do index ca87b9a..f669379 100644 --- a/doc/www.do +++ b/doc/www.do @@ -10,6 +10,7 @@ ${MAKEINFO:=makeinfo} --html \ --set-customization-variable DATE_IN_HEADER=1 \ --set-customization-variable ASCII_PUNCTUATION=1 \ --output $html index.texi +cp ../PUBKEY-* $html/ ( cd $html/download export ATOM_ID="f9e3d8b1-9da7-4ec0-adf9-82aef5bfcc29" diff --git a/makedist b/makedist index 641098e..834bcf0 100755 --- a/makedist +++ b/makedist @@ -36,7 +36,6 @@ cat > $texi < "$tarball".meta4 size=$(( $(stat -f %z $tarball) / 1024 )) -hash=$(gpg --print-md SHA256 < $tarball) release_date=$(date "+%Y-%m-%d") cat <
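Review bot: The added `cp ../PUBKEY-* $html/` in doc/www.do publishes whatever matches the glob, and it still succeeds when one of the three files the new integrity page links to (PUBKEY-PGP.asc, PUBKEY-SSH.pub, PUBKEY-SSH.pub.asc) is missing, because a glob with at least one match still gives cp a valid argument list. Since these files are the trust anchors readers are told to fetch, naming them explicitly makes a missing or stray file visible at build time: `cp ../PUBKEY-PGP.asc ../PUBKEY-SSH.pub ../PUBKEY-SSH.pub.asc $html/`. Whether the script aborts on a failed cp is not visible here, as the script starts and continues outside the hunk.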