From: Sergey Matveev Date: Tue, 8 Aug 2023 19:02:57 +0000 (+0300) Subject: OpenSSH signature support X-Git-Tag: v5.14.0~5 X-Git-Url: http://www.git.cypherpunks.ru/?p=gogost.git;a=commitdiff_plain;h=bdd673f985d78301d8d03b94ac603722348ec4f2 OpenSSH signature support
---
diff --git a/PUBKEY.asc b/PUBKEY-PGP.asc
similarity index 100%
rename from PUBKEY.asc
rename to PUBKEY-PGP.asc
diff --git a/PUBKEY-SSH.pub b/PUBKEY-SSH.pub
new file mode 100644
index 0000000..fe080cf
--- /dev/null
+++ b/PUBKEY-SSH.pub
@@ -0,0 +1 @@
+gogost@cypherpunks.ru ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvG43AG+jjkitddNu0Di9pyIN7bWIRymqO8AK3tiMY7
diff --git a/PUBKEY-SSH.pub.asc b/PUBKEY-SSH.pub.asc
new file mode 100644
index 0000000..3a4ea34
--- /dev/null
+++ b/PUBKEY-SSH.pub.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFKBAABCgA0FiEEzr0SgixGnAKoGgRngjQ0NmlvyFoFAmTSj5IWHGdvZ29zdEBj
+eXBoZXJwdW5rcy5ydQAKCRCCNDQ2aW/IWtSMB/9+91d9bPK5Psgivhggx/1AsBGc
+Qilq5mKl5jba2gJkaQoajFSIGzfw2MJHmYXrLZQGFK/SGY59tJw5ZPL53ZhcQQbU
+KnKCZyYzpx/3BCDhML3PmGSNKJzasUUX62h6qbrfaVvhqrAuR9v2BkoplvyLFEim
++avdBVjuUDZAzFP5Koveam082m5mXyM7QYvUTadgd4gvrj7YWoa/OiEOXXPHgo5X
+cHWNj8euy985qYX/OhSHsfjQzaCahIbGEWzY7fe9YeolWzbwu3MlQzxbufLlnxoI
+ccdprhsGwjy3D2BxhufwMC/p7eqfwoqcij9LhKxjPrKTMcPQXs/tjzvz/1yR
+=YfJu
+-----END PGP SIGNATURE-----
diff --git a/download.texi b/download.texi
index 657a128..c9599cf 100644
--- a/download.texi
+++ b/download.texi
@@ -1,164 +1,196 @@ -@multitable {XXXXX} {XXXX-XX-XX} {XXXX KiB} {meta4 tar sig} +@multitable {XXXXX} {XXXX-XX-XX} {XXXX KiB} {meta4 tar pgp ssh} @headitem Version @tab Date @tab Size @tab Tarball @item @ref{Release 5.13.0, 5.13.0} @tab 2023-08-07 @tab 65 KiB @tab @url{gogost-5.13.0.tar.zst.meta4, meta4} @url{gogost-5.13.0.tar.zst, tar} -@url{gogost-5.13.0.tar.zst.asc, sig} +@url{gogost-5.13.0.tar.zst.asc, pgp} +@url{gogost-5.13.0.tar.zst.sig, ssh} @item @ref{Release 5.12.0, 5.12.0} @tab 2023-08-03 @tab 65 KiB @tab @url{gogost-5.12.0.tar.zst.meta4, meta4} @url{gogost-5.12.0.tar.zst, tar} -@url{gogost-5.12.0.tar.zst.asc, sig} +@url{gogost-5.12.0.tar.zst.asc, pgp} +@url{gogost-5.12.0.tar.zst.sig, ssh} @item @ref{Release 5.11.0, 5.11.0} @tab 2023-06-14 @tab 70 KiB @tab @url{gogost-5.11.0.tar.zst.meta4, meta4} @url{gogost-5.11.0.tar.zst, tar} -@url{gogost-5.11.0.tar.zst.asc, sig} +@url{gogost-5.11.0.tar.zst.asc, pgp} +@url{gogost-5.11.0.tar.zst.sig, ssh} @item @ref{Release 5.10.0, 5.10.0} @tab 2023-04-05 @tab 70 KiB @tab @url{gogost-5.10.0.tar.zst.meta4, meta4} @url{gogost-5.10.0.tar.zst, tar} -@url{gogost-5.10.0.tar.zst.asc, sig} +@url{gogost-5.10.0.tar.zst.asc, pgp} +@url{gogost-5.10.0.tar.zst.sig, ssh} @item @ref{Release 5.9.1, 5.9.1} @tab 2022-11-02 @tab 67 KiB @tab @url{gogost-5.9.1.tar.zst.meta4, meta4} @url{gogost-5.9.1.tar.zst, tar} -@url{gogost-5.9.1.tar.zst.asc, sig} +@url{gogost-5.9.1.tar.zst.asc, pgp} +@url{gogost-5.9.1.tar.zst.sig, ssh} @item @ref{Release 5.9.0, 5.9.0} @tab 2021-11-16 @tab 67 KiB @tab @url{gogost-5.9.0.tar.zst.meta4, meta4} @url{gogost-5.9.0.tar.zst, tar} -@url{gogost-5.9.0.tar.zst.asc, sig} +@url{gogost-5.9.0.tar.zst.asc, pgp} +@url{gogost-5.9.0.tar.zst.sig, ssh} @item @ref{Release 5.8.0, 5.8.0} @tab 2021-10-08 @tab 67 KiB @tab @url{gogost-5.8.0.tar.zst.meta4, meta4} @url{gogost-5.8.0.tar.zst, tar} -@url{gogost-5.8.0.tar.zst.asc, sig} +@url{gogost-5.8.0.tar.zst.asc, pgp} +@url{gogost-5.8.0.tar.zst.sig, ssh} @item 5.7.1 @tab 2021-10-04 
@tab 66 KiB @tab @url{gogost-5.7.1.tar.zst.meta4, meta4} @url{gogost-5.7.1.tar.zst, tar} -@url{gogost-5.7.1.tar.zst.asc, sig} +@url{gogost-5.7.1.tar.zst.asc, pgp} +@url{gogost-5.7.1.tar.zst.sig, ssh} @item @ref{Release 5.7.0, 5.7.0} @tab 2021-08-17 @tab 61 KiB @tab @url{gogost-5.7.0.tar.xz.meta4, meta4} @url{gogost-5.7.0.tar.xz, tar} -@url{gogost-5.7.0.tar.xz.asc, sig} +@url{gogost-5.7.0.tar.xz.asc, pgp} +@url{gogost-5.7.0.tar.xz.sig, ssh} @item @ref{Release 5.6.0, 5.6.0} @tab 2021-04-02 @tab 61 KiB @tab @url{gogost-5.6.0.tar.xz.meta4, meta4} @url{gogost-5.6.0.tar.xz, tar} -@url{gogost-5.6.0.tar.xz.asc, sig} +@url{gogost-5.6.0.tar.xz.asc, pgp} +@url{gogost-5.6.0.tar.xz.sig, ssh} @item @ref{Release 5.5.0, 5.5.0} @tab 2021-01-25 @tab 61 KiB @tab @url{gogost-5.5.0.tar.xz.meta4, meta4} @url{gogost-5.5.0.tar.xz, tar} -@url{gogost-5.5.0.tar.xz.asc, sig} +@url{gogost-5.5.0.tar.xz.asc, pgp} +@url{gogost-5.5.0.tar.xz.sig, ssh} @item @ref{Release 5.4.0, 5.4.0} @tab 2021-01-24 @tab 60 KiB @tab @url{gogost-5.4.0.tar.xz.meta4, meta4} @url{gogost-5.4.0.tar.xz, tar} -@url{gogost-5.4.0.tar.xz.asc, sig} +@url{gogost-5.4.0.tar.xz.asc, pgp} +@url{gogost-5.4.0.tar.xz.sig, ssh} @item @ref{Release 5.3.0, 5.3.0} @tab 2021-01-21 @tab 61 KiB @tab @url{gogost-5.3.0.tar.xz.meta4, meta4} @url{gogost-5.3.0.tar.xz, tar} -@url{gogost-5.3.0.tar.xz.asc, sig} +@url{gogost-5.3.0.tar.xz.asc, pgp} +@url{gogost-5.3.0.tar.xz.sig, ssh} @item @ref{Release 5.2.0, 5.2.0} @tab 2021-01-21 @tab 60 KiB @tab @url{gogost-5.2.0.tar.xz.meta4, meta4} @url{gogost-5.2.0.tar.xz, tar} -@url{gogost-5.2.0.tar.xz.asc, sig} +@url{gogost-5.2.0.tar.xz.asc, pgp} +@url{gogost-5.2.0.tar.xz.sig, ssh} @item @ref{Release 5.1.1, 5.1.1} @tab 2021-01-16 @tab 60 KiB @tab @url{gogost-5.1.1.tar.xz.meta4, meta4} @url{gogost-5.1.1.tar.xz, tar} -@url{gogost-5.1.1.tar.xz.asc, sig} +@url{gogost-5.1.1.tar.xz.asc, pgp} +@url{gogost-5.1.1.tar.xz.sig, ssh} @item @ref{Release 5.1.0, 5.1.0} @tab 2020-10-07 @tab 63 KiB @tab 
@url{gogost-5.1.0.tar.xz.meta4, meta4} @url{gogost-5.1.0.tar.xz, tar} -@url{gogost-5.1.0.tar.xz.asc, sig} +@url{gogost-5.1.0.tar.xz.asc, pgp} +@url{gogost-5.1.0.tar.xz.sig, ssh} @item 5.0.2 @tab 2020-09-05 @tab 62 KiB @tab @url{gogost-5.0.2.tar.xz.meta4, meta4} @url{gogost-5.0.2.tar.xz, tar} -@url{gogost-5.0.2.tar.xz.asc, sig} +@url{gogost-5.0.2.tar.xz.asc, pgp} +@url{gogost-5.0.2.tar.xz.sig, ssh} @item 5.0.1 @tab 2020-09-05 @tab 62 KiB @tab @url{gogost-5.0.1.tar.xz.meta4, meta4} @url{gogost-5.0.1.tar.xz, tar} -@url{gogost-5.0.1.tar.xz.asc, sig} +@url{gogost-5.0.1.tar.xz.asc, pgp} +@url{gogost-5.0.1.tar.xz.sig, ssh} @item @ref{Release 5.0.0, 5.0.0} @tab 2020-09-04 @tab 62 KiB @tab @url{gogost-5.0.0.tar.xz.meta4, meta4} @url{gogost-5.0.0.tar.xz, tar} -@url{gogost-5.0.0.tar.xz.asc, sig} +@url{gogost-5.0.0.tar.xz.asc, pgp} +@url{gogost-5.0.0.tar.xz.sig, ssh} @item 4.3.1 @tab 2020-09-01 @tab 63 KiB @tab @url{gogost-4.3.1.tar.xz.meta4, meta4} @url{gogost-4.3.1.tar.xz, tar} -@url{gogost-4.3.1.tar.xz.asc, sig} +@url{gogost-4.3.1.tar.xz.asc, pgp} +@url{gogost-4.3.1.tar.xz.sig, ssh} @item @ref{Release 4.3.0, 4.3.0} @tab 2020-08-02 @tab 58 KiB @tab @url{gogost-4.3.0.tar.xz.meta4, meta4} @url{gogost-4.3.0.tar.xz, tar} -@url{gogost-4.3.0.tar.xz.asc, sig} +@url{gogost-4.3.0.tar.xz.asc, pgp} +@url{gogost-4.3.0.tar.xz.sig, ssh} @item @ref{Release 4.2.4, 4.2.4} @tab 2020-06-24 @tab 58 KiB @tab @url{gogost-4.2.4.tar.xz.meta4, meta4} @url{gogost-4.2.4.tar.xz, tar} -@url{gogost-4.2.4.tar.xz.asc, sig} +@url{gogost-4.2.4.tar.xz.asc, pgp} +@url{gogost-4.2.4.tar.xz.sig, ssh} @item @ref{Release 4.2.3, 4.2.3} @tab 2020-01-22 @tab 58 KiB @tab @url{gogost-4.2.3.tar.xz.meta4, meta4} @url{gogost-4.2.3.tar.xz, tar} -@url{gogost-4.2.3.tar.xz.asc, sig} +@url{gogost-4.2.3.tar.xz.asc, pgp} +@url{gogost-4.2.3.tar.xz.sig, ssh} @item @ref{Release 4.2.2, 4.2.2} @tab 2020-01-07 @tab 58 KiB @tab @url{gogost-4.2.2.tar.xz.meta4, meta4} @url{gogost-4.2.2.tar.xz, tar} -@url{gogost-4.2.2.tar.xz.asc, sig} 
+@url{gogost-4.2.2.tar.xz.asc, pgp} +@url{gogost-4.2.2.tar.xz.sig, ssh} @item @ref{Release 4.2.1, 4.2.1} @tab 2019-12-18 @tab 57 KiB @tab @url{gogost-4.2.1.tar.xz.meta4, meta4} @url{gogost-4.2.1.tar.xz, tar} -@url{gogost-4.2.1.tar.xz.asc, sig} +@url{gogost-4.2.1.tar.xz.asc, pgp} +@url{gogost-4.2.1.tar.xz.sig, ssh} @item @ref{Release 4.2.0, 4.2.0} @tab 2019-10-18 @tab 57 KiB @tab @url{gogost-4.2.0.tar.xz.meta4, meta4} @url{gogost-4.2.0.tar.xz, tar} -@url{gogost-4.2.0.tar.xz.asc, sig} +@url{gogost-4.2.0.tar.xz.asc, pgp} +@url{gogost-4.2.0.tar.xz.sig, ssh} @item @ref{Release 4.1.0, 4.1.0} @tab 2019-10-03 @tab 55 KiB @tab @url{gogost-4.1.0.tar.xz.meta4, meta4} @url{gogost-4.1.0.tar.xz, tar} -@url{gogost-4.1.0.tar.xz.asc, sig} +@url{gogost-4.1.0.tar.xz.asc, pgp} +@url{gogost-4.1.0.tar.xz.sig, ssh} @item @ref{Release 4.0, 4.0} @tab 2019-08-12 @tab 56 KiB @tab @url{gogost-4.0.tar.xz.meta4, meta4} @url{gogost-4.0.tar.xz, tar} -@url{gogost-4.0.tar.xz.asc, sig} +@url{gogost-4.0.tar.xz.asc, pgp} +@url{gogost-4.0.tar.xz.sig, ssh} @item @ref{Release 3.0, 3.0} @tab 2019-07-19 @tab 47 KiB @tab @url{gogost-3.0.tar.xz.meta4, meta4} @url{gogost-3.0.tar.xz, tar} -@url{gogost-3.0.tar.xz.asc, sig} +@url{gogost-3.0.tar.xz.asc, pgp} +@url{gogost-3.0.tar.xz.sig, ssh} @item @ref{Release 2.0, 2.0} @tab 2016-11-26 @tab 39 KiB @tab @url{gogost-2.0.tar.xz.meta4, meta4} @url{gogost-2.0.tar.xz, tar} -@url{gogost-2.0.tar.xz.asc, sig} +@url{gogost-2.0.tar.xz.asc, pgp} +@url{gogost-2.0.tar.xz.sig, ssh} @item 1.2 @tab 2016-11-13 @tab 34 KiB @tab @url{gogost-1.2.tar.xz.meta4, meta4} @url{gogost-1.2.tar.xz, tar} -@url{gogost-1.2.tar.xz.asc, sig} +@url{gogost-1.2.tar.xz.asc, pgp} +@url{gogost-1.2.tar.xz.sig, ssh} @item @ref{Release 1.1, 1.1} @tab 2016-10-04 @tab 33 KiB @tab @url{gogost-1.1.tar.xz.meta4, meta4} @url{gogost-1.1.tar.xz, tar} -@url{gogost-1.1.tar.xz.asc, sig} +@url{gogost-1.1.tar.xz.asc, pgp} +@url{gogost-1.1.tar.xz.sig, ssh} @end multitable 
diff --git a/install.texi b/install.texi index fec94eb..9af1f1a 100644 --- a/install.texi +++ b/install.texi @@ -6,9 +6,9 @@ website and, for example, run tests with benchmarks: @example $ [fetch|wget] http://www.gogost.cypherpunks.ru/gogost-@value{VERSION}.tar.zst -$ [fetch|wget] http://www.gogost.cypherpunks.ru/gogost-@value{VERSION}.tar.zst.asc -$ gpg --verify gogost-@value{VERSION}.tar.zst.asc gogost-@value{VERSION}.tar.zst -$ zstd --decompress --stdout gogost-@value{VERSION}.tar.zst | tar xf - +$ [fetch|wget] http://www.gogost.cypherpunks.ru/gogost-@value{VERSION}.tar.zst.@{asc,sig@} +[verify signature] +$ zstd -d gogost-@value{VERSION}.tar.zst | tar xf - $ cd gogost-@value{VERSION} $ go build -mod=vendor -o streebog256 ./cmd/streebog256 $ echo hello world | ./streebog256 @@ -44,35 +44,7 @@ $ go run main.go f72018189a5cfb803dbe1f2149cf554c40093d8e7f81c21e08ac5bcd09d9934d @end example -You @strong{have to} verify downloaded tarballs integrity and -authenticity to be sure that you retrieved trusted and untampered -software. @url{https://www.gnupg.org/, GNU Privacy Guard} is used -for that purpose. - -For the very first time it is necessary to get signing public key and -import it. It is provided below, but you should check alternative -resources. - -@verbatim -pub rsa2048/0x82343436696FC85A 2016-09-13 [SC] - CEBD 1282 2C46 9C02 A81A 0467 8234 3436 696F C85A -uid GoGOST releases -@end verbatim - -@itemize - -@item @url{http://lists.cypherpunks.ru/gost.html, gost} maillist - -@item -@example -$ gpg --auto-key-locate dane --locate-keys gogost at cypherpunks dot ru -$ gpg --auto-key-locate wkd --locate-keys gogost at cypherpunks dot ru -@end example - -@item -@verbatiminclude PUBKEY.asc - -@end itemize +@include integrity.texi GoGOST is also @command{go get}-able. For example to install @command{streebog256} utility: 
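Review bot: In the first install.texi hunk the new extraction line `$ zstd -d gogost-@value{VERSION}.tar.zst | tar xf -` drops `--stdout`; given a file argument and no `-c`, zstd writes the `.tar` next to the input and sends nothing down the pipe, so `tar xf -` has no archive to read. Keeping the stream form fixes it: `$ zstd -dc gogost-@value{VERSION}.tar.zst | tar xf -`. The same hunk replaces the concrete `gpg --verify` command with the bare placeholder `[verify signature]`; wording it as a pointer to the integrity text included further down (for example `[verify signature as described below]`) would make it harder for a copy-paste reader to skip the check.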
@@ -95,7 +67,7 @@ their usage by setting @env{$GOPRIVATE=go.cypherpunks.ru}. @example $ [fetch|wget] http://www.ca.cypherpunks.ru/cert.pem -$ [fetch|wget] http://www.ca.cypherpunks.ru/cert.pem.asc +$ [fetch|wget] http://www.ca.cypherpunks.ru/cert.pem.@{asc,sig,minisig@} $ gpg --auto-key-locate dane --locate-keys stargrave at stargrave dot org $ gpg --auto-key-locate wkd --locate-keys stargrave at gnupg dot net $ gpg --verify cert.pem.asc diff --git a/integrity.texi b/integrity.texi new file mode 100644 index 0000000..7e283ea --- /dev/null +++ b/integrity.texi @@ -0,0 +1,34 @@ +You @strong{have to} verify downloaded tarballs authenticity to be sure +that you retrieved trusted and untampered software. There are two options: + +@table @asis + +@item @url{https://www.openpgp.org/, OpenPGP} @file{.asc} signature + Use @url{https://www.gnupg.org/, GNU Privacy Guard} free software + implementation. + For the very first time it is necessary to get signing public key and + import it. It is provided @url{PUBKEY-PGP.asc, here}, but you should + check alternate resources. + +@verbatim +pub rsa2048/0x82343436696FC85A 2016-09-13 + CEBD 1282 2C46 9C02 A81A 0467 8234 3436 696F C85A +uid GoGOST releases +@end verbatim + +@example +$ gpg --auto-key-locate dane --locate-keys gogost at cypherpunks dot ru +$ gpg --auto-key-locate wkd --locate-keys gogost at cypherpunks dot ru +@end example + +@item @url{https://www.openssh.com/, OpenSSH} @file{.sig} signature + @url{PUBKEY-SSH.pub, Public key} and its OpenPGP + @url{PUBKEY-SSH.pub.asc, signature} made with the key above. + Its fingerprint: @code{SHA256:u8X9rPDOhxpyzGs/IugbxXbDeOu/0AttKY+LGAvHBH0}. + +@example +$ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I gogost@@cypherpunks.ru -n file \ + -s gogost-@value{VERSION}.tar.zst.sig < gogost-@value{VERSION}.tar.zst +@end example + +@end table diff --git a/makedist b/makedist index 5963aeb..48bb6e8 100755 --- a/makedist +++ b/makedist 
@@ -6,7 +6,6 @@ tmp=$(mktemp -d) release=$1 [ -n "$release" ] -[ -x streebog256 ] || go build -o streebog256 ./cmd/streebog256 git clone . $tmp/gogost-$release cd $tmp/gogost-$release git checkout v$release @@ -66,8 +65,10 @@ cd .. tar cvf gogost-"$release".tar --uid=0 --gid=0 --numeric-owner gogost-"$release" zstd -19 -v gogost-"$release".tar tarball=gogost-"$release".tar.zst +ssh-keygen -Y sign -f ~/.ssh/sign/gogost@cypherpunks.ru -n file $tarball gpg --armor --detach-sign --sign --local-user 82343436696FC85A $tarball -meta4-create -fn "$tarball" -mtime "$tarball" -sig "$tarball".asc \ +meta4-create -fn "$tarball" -mtime "$tarball" \ + -sig-pgp "$tarball".asc -sig-ssh "$tarball".sig \ http://www.gogost.cypherpunks.ru/"$tarball" \ http://y.www.gogost.cypherpunks.ru/"$tarball" < "$tarball" > "$tarball".meta4 @@ -79,7 +80,8 @@ An entry for documentation: @item @ref{Release $release, $release} @tab $release_date @tab $size KiB @tab @url{$tarball.meta4, meta4} @url{$tarball, tar} -@url{$tarball.asc, sig} +@url{$tarball.asc, pgp} +@url{$tarball.sig, ssh} EOF cat < +OpenPGP key: CEBD 1282 2C46 9C02 A81A 0467 8234 3436 696F C85A + GoGOST releases +OpenSSH key: SHA256:u8X9rPDOhxpyzGs/IugbxXbDeOu/0AttKY+LGAvHBH0 Please send questions regarding the use of GoGOST, bug reports and patches to mailing list: http://lists.cypherpunks.ru/gost.html 
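Review bot: The added `ssh-keygen -Y sign -f ~/.ssh/sign/gogost@cypherpunks.ru -n file $tarball` line (hunk `@@ -66,8 +65,10 @@`) produces the `.sig` but nothing visible checks it against the public key that users are told to verify with, so a signature made with a wrong or replaced private key would be published unnoticed. A self-check right after signing, mirroring the documented user command, would catch that: `ssh-keygen -Y verify -f gogost-"$release"/PUBKEY-SSH.pub -I gogost@cypherpunks.ru -n file -s "$tarball".sig < "$tarball"` (the path is inferred from the `cd ..` context and the file only exists in tags that contain this commit). `$tarball` is also unquoted on the new line while the `meta4-create` call below quotes it. The script starts and continues outside the hunk, so whether a failing command aborts the run cannot be seen from here.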
@@ -134,13 +137,14 @@ GoGOST это свободное программное обеспечение http://www.gogost.cypherpunks.ru/gogost-${release}.tar.zst ($size KiB) http://www.gogost.cypherpunks.ru/gogost-${release}.tar.zst.asc -GPG ключ: CEBD 1282 2C46 9C02 A81A 0467 8234 3436 696F C85A - GoGOST releases +OpenPGP ключ: CEBD 1282 2C46 9C02 A81A 0467 8234 3436 696F C85A + GoGOST releases +OpenSSH ключ: SHA256:u8X9rPDOhxpyzGs/IugbxXbDeOu/0AttKY+LGAvHBH0 Пожалуйста, все вопросы касающиеся использования GoGOST, отчёты об ошибках и патчи отправляйте в gost почтовую рассылку: http://lists.cypherpunks.ru/gost.html EOF -mv $tmp/$tarball $tmp/"$tarball".asc $tmp/"$tarball".meta4 $cur/gogost.html/ +mv $tmp/$tarball $tmp/"$tarball".asc $tmp/"$tarball".sig $tmp/"$tarball".meta4 $cur/gogost.html/ rm -fr $tmp diff --git a/www.do b/www.do index 30aa833..5dc4ceb 100644 --- a/www.do +++ b/www.do @@ -11,6 +11,7 @@ ${MAKEINFO:-makeinfo} --html \ --set-customization-variable DATE_IN_HEADER=1 \ --set-customization-variable ASCII_PUNCTUATION=1 \ --output $html www.texi +cp PUBKEY-* $html/ ( cd $html export ATOM_ID="34c4c603-9fa7-4441-a089-881d216d8638"
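Review bot: The Russian announcement gains the `OpenSSH ключ:` fingerprint line, but the download list above it in this hunk still names only `gogost-${release}.tar.zst` and `gogost-${release}.tar.zst.asc`, so readers are told about the SSH key without being given the signature URL. Add `http://www.gogost.cypherpunks.ru/gogost-${release}.tar.zst.sig` after the `.asc` line. The English announcement in the preceding hunk probably needs the same line, though its download list is not visible here. The final `mv` does move `"$tarball".sig` into place, so only the text is out of step.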
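Review bot: In www.do, `cp PUBKEY-* $html/` publishes whatever matches the glob in the working directory, so an editor backup or any other stray `PUBKEY-…` file would be copied to the public site alongside the three intended files. Naming them keeps the published set explicit: `cp PUBKEY-PGP.asc PUBKEY-SSH.pub PUBKEY-SSH.pub.asc "$html"/`. Quoting `$html` matters if the output path ever contains whitespace, although the surrounding context lines leave it unquoted as well. The script continues outside the hunk.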