OpenSSH signature support

diff --git a/PUBKEY.asc b/PUBKEY-PGP.asc
similarity index 100%
rename from PUBKEY.asc
rename to PUBKEY-PGP.asc

diff --git a/PUBKEY-SSH.pub b/PUBKEY-SSH.pub
new file mode 100644 (file)
index 0000000..ac591d2
--- /dev/null
+++ b/PUBKEY-SSH.pub
@@ -0,0 +1 @@
+pygost@cypherpunks.ru ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM7eh6HlPQVqV44/sBNMFZ6esa0KtGb3nl26Sj5NHbr

diff --git a/PUBKEY-SSH.pub.asc b/PUBKEY-SSH.pub.asc
new file mode 100644 (file)
index 0000000..2edc976
--- /dev/null
+++ b/PUBKEY-SSH.pub.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFKBAABCgA0FiEE9Vp2GToMMjqgMQ5r5v0Sac0MAJ4FAmTSi1YWHHB5Z29zdEBj
+eXBoZXJwdW5rcy5ydQAKCRDm/RJpzQwAnraQB/4yAefGw6YiQsqZKdGgXv+e8Wpo
+ntX7aCsK1Y9ZdZK5uszUinU7NIrmcV3mYIK3PyZbbgavzdKD2YVxFFY3vY4YJLU6
+dfVMqhe4tOcmgdeYGe30KcTJLvy65jwUFGWEvVoIbCw2wQXs4wdfk9FiAzurrVcN
+/6EnWln3cdPySCKV8M9w8LU5ePe9v2s9nzMEXAvem42YS/+W1ynY5qsThJPEu0/1
+p2G/5fxJVta+FJMXM/T8gLkr2ZqatovMMk3FXlPnbjKPOiAZU5J6PsH01tOje5Y1
+dnTEeNVY5zOzD4ojBjb/B5OASFIc0+KzIWjRSsNQFYsagcm9zdLEqaQiAK+/
+=Ae25
+-----END PGP SIGNATURE-----

diff --git a/download.texi b/download.texi
index 6546a9ea10b3643c3d5522d4eb69ecb16e15039f..2b4acaf72cd3b3f103a5bd5a4f812499d956f751 100644 (file)
--- a/download.texi
+++ b/download.texi
@@ -1,125 +1,149 @@
-@multitable {XXXXX} {XXXX-XX-XX} {XXXX KiB} {meta4 tar sig}
+@multitable {XXXXX} {XXXX-XX-XX} {XXXX KiB} {meta4 tar pgp ssh}
 @headitem Version @tab Date @tab Size @tab Tarball
 
 @item @ref{Release 5.12, 5.12} @tab 2023-04-12 @tab 91 KiB @tab
 @url{pygost-5.12.tar.zst.meta4, meta4}
 @url{pygost-5.12.tar.zst, tar}
-@url{pygost-5.12.tar.zst.asc, sig}
+@url{pygost-5.12.tar.zst.asc, pgp}
+@url{pygost-5.12.tar.zst.sig, ssh}
 
 @item @ref{Release 5.11, 5.11} @tab 2022-03-23 @tab 91 KiB @tab
 @url{pygost-5.11.tar.zst.meta4, meta4}
 @url{pygost-5.11.tar.zst, tar}
-@url{pygost-5.11.tar.zst.asc, sig}
+@url{pygost-5.11.tar.zst.asc, pgp}
+@url{pygost-5.11.tar.zst.sig, ssh}
 
 @item @ref{Release 5.10, 5.10} @tab 2022-02-04 @tab 91 KiB @tab
 @url{pygost-5.10.tar.zst.meta4, meta4}
 @url{pygost-5.10.tar.zst, tar}
-@url{pygost-5.10.tar.zst.asc, sig}
+@url{pygost-5.10.tar.zst.asc, pgp}
+@url{pygost-5.10.tar.zst.sig, ssh}
 
 @item @ref{Release 5.9, 5.9} @tab 2022-02-02 @tab 91 KiB @tab
 @url{pygost-5.9.tar.zst.meta4, meta4}
 @url{pygost-5.9.tar.zst, tar}
-@url{pygost-5.9.tar.zst.asc, sig}
+@url{pygost-5.9.tar.zst.asc, pgp}
+@url{pygost-5.9.tar.zst.sig, ssh}
 
 @item @ref{Release 5.8, 5.8} @tab 2021-12-06 @tab 91 KiB @tab
 @url{pygost-5.8.tar.zst.meta4, meta4}
 @url{pygost-5.8.tar.zst, tar}
-@url{pygost-5.8.tar.zst.asc, sig}
+@url{pygost-5.8.tar.zst.asc, pgp}
+@url{pygost-5.8.tar.zst.sig, ssh}
 
 @item @ref{Release 5.7, 5.7} @tab 2021-11-26 @tab 91 KiB @tab
 @url{pygost-5.7.tar.zst.meta4, meta4}
 @url{pygost-5.7.tar.zst, tar}
-@url{pygost-5.7.tar.zst.asc, sig}
+@url{pygost-5.7.tar.zst.asc, pgp}
+@url{pygost-5.7.tar.zst.sig, ssh}
 
 @item @ref{Release 5.6, 5.6} @tab 2021-04-22 @tab 86 KiB @tab
 @url{pygost-5.6.tar.xz.meta4, meta4}
 @url{pygost-5.6.tar.xz, tar}
-@url{pygost-5.6.tar.xz.asc, sig}
+@url{pygost-5.6.tar.xz.asc, pgp}
+@url{pygost-5.6.tar.xz.sig, ssh}
 
 @item @ref{Release 5.5, 5.5} @tab 2021-04-22 @tab 86 KiB @tab
 @url{pygost-5.5.tar.xz.meta4, meta4}
 @url{pygost-5.5.tar.xz, tar}
-@url{pygost-5.5.tar.xz.asc, sig}
+@url{pygost-5.5.tar.xz.asc, pgp}
+@url{pygost-5.5.tar.xz.sig, ssh}
 
 @item @ref{Release 5.4, 5.4} @tab 2021-01-26 @tab 80 KiB @tab
 @url{pygost-5.4.tar.xz.meta4, meta4}
 @url{pygost-5.4.tar.xz, tar}
-@url{pygost-5.4.tar.xz.asc, sig}
+@url{pygost-5.4.tar.xz.asc, pgp}
+@url{pygost-5.4.tar.xz.sig, ssh}
 
 @item @ref{Release 5.3, 5.3} @tab 2021-01-22 @tab 79 KiB @tab
 @url{pygost-5.3.tar.xz.meta4, meta4}
 @url{pygost-5.3.tar.xz, tar}
-@url{pygost-5.3.tar.xz.asc, sig}
+@url{pygost-5.3.tar.xz.asc, pgp}
+@url{pygost-5.3.tar.xz.sig, ssh}
 
 @item @ref{Release 5.2, 5.2} @tab 2020-10-19 @tab 78 KiB @tab
 @url{pygost-5.2.tar.xz.meta4, meta4}
 @url{pygost-5.2.tar.xz, tar}
-@url{pygost-5.2.tar.xz.asc, sig}
+@url{pygost-5.2.tar.xz.asc, pgp}
+@url{pygost-5.2.tar.xz.sig, ssh}
 
 @item @ref{Release 5.1, 5.1} @tab 2020-09-24 @tab 79 KiB @tab
 @url{pygost-5.1.tar.xz.meta4, meta4}
 @url{pygost-5.1.tar.xz, tar}
-@url{pygost-5.1.tar.xz.asc, sig}
+@url{pygost-5.1.tar.xz.asc, pgp}
+@url{pygost-5.1.tar.xz.sig, ssh}
 
 @item @ref{Release 5.0, 5.0} @tab 2020-09-04 @tab 78 KiB @tab
 @url{pygost-5.0.tar.xz.meta4, meta4}
 @url{pygost-5.0.tar.xz, tar}
-@url{pygost-5.0.tar.xz.asc, sig}
+@url{pygost-5.0.tar.xz.asc, pgp}
+@url{pygost-5.0.tar.xz.sig, ssh}
 
 @item @ref{Release 4.9, 4.9} @tab 2020-07-30 @tab 78 KiB @tab
 @url{pygost-4.9.tar.xz.meta4, meta4}
 @url{pygost-4.9.tar.xz, tar}
-@url{pygost-4.9.tar.xz.asc, sig}
+@url{pygost-4.9.tar.xz.asc, pgp}
+@url{pygost-4.9.tar.xz.sig, ssh}
 
 @item @ref{Release 4.8, 4.8} @tab 2020-07-24 @tab 69 KiB @tab
 @url{pygost-4.8.tar.xz.meta4, meta4}
 @url{pygost-4.8.tar.xz, tar}
-@url{pygost-4.8.tar.xz.asc, sig}
+@url{pygost-4.8.tar.xz.asc, pgp}
+@url{pygost-4.8.tar.xz.sig, ssh}
 
 @item @ref{Release 4.7, 4.7} @tab 2020-07-23 @tab 67 KiB @tab
 @url{pygost-4.7.tar.xz.meta4, meta4}
 @url{pygost-4.7.tar.xz, tar}
-@url{pygost-4.7.tar.xz.asc, sig}
+@url{pygost-4.7.tar.xz.asc, pgp}
+@url{pygost-4.7.tar.xz.sig, ssh}
 
 @item @ref{Release 4.6, 4.6} @tab 2020-07-07 @tab 67 KiB @tab
 @url{pygost-4.6.tar.xz.meta4, meta4}
 @url{pygost-4.6.tar.xz, tar}
-@url{pygost-4.6.tar.xz.asc, sig}
+@url{pygost-4.6.tar.xz.asc, pgp}
+@url{pygost-4.6.tar.xz.sig, ssh}
 
 @item @ref{Release 4.5, 4.5} @tab 2020-05-14 @tab 67 KiB @tab
 @url{pygost-4.5.tar.xz.meta4, meta4}
 @url{pygost-4.5.tar.xz, tar}
-@url{pygost-4.5.tar.xz.asc, sig}
+@url{pygost-4.5.tar.xz.asc, pgp}
+@url{pygost-4.5.tar.xz.sig, ssh}
 
 @item @ref{Release 4.4, 4.4} @tab 2020-02-04 @tab 67 KiB @tab
 @url{pygost-4.4.tar.xz.meta4, meta4}
 @url{pygost-4.4.tar.xz, tar}
-@url{pygost-4.4.tar.xz.asc, sig}
+@url{pygost-4.4.tar.xz.asc, pgp}
+@url{pygost-4.4.tar.xz.sig, ssh}
 
 @item @ref{Release 4.3, 4.3} @tab 2019-12-27 @tab 61 KiB @tab
 @url{pygost-4.3.tar.xz.meta4, meta4}
 @url{pygost-4.3.tar.xz, tar}
-@url{pygost-4.3.tar.xz.asc, sig}
+@url{pygost-4.3.tar.xz.asc, pgp}
+@url{pygost-4.3.tar.xz.sig, ssh}
 
 @item @ref{Release 4.2, 4.2} @tab 2019-12-27 @tab 62 KiB @tab
 @url{pygost-4.2.tar.xz.meta4, meta4}
 @url{pygost-4.2.tar.xz, tar}
-@url{pygost-4.2.tar.xz.asc, sig}
+@url{pygost-4.2.tar.xz.asc, pgp}
+@url{pygost-4.2.tar.xz.sig, ssh}
 
 @item @ref{Release 4.1, 4.1} @tab 2019-12-17 @tab 60 KiB @tab
 @url{pygost-4.1.tar.xz.meta4, meta4}
 @url{pygost-4.1.tar.xz, tar}
-@url{pygost-4.1.tar.xz.asc, sig}
+@url{pygost-4.1.tar.xz.asc, pgp}
+@url{pygost-4.1.tar.xz.sig, ssh}
 
 @item @ref{Release 4.0, 4.0} @tab 2019-07-19 @tab 61 KiB @tab
 @url{pygost-4.0.tar.xz.meta4, meta4}
 @url{pygost-4.0.tar.xz, tar}
-@url{pygost-4.0.tar.xz.asc, sig}
+@url{pygost-4.0.tar.xz.asc, pgp}
+@url{pygost-4.0.tar.xz.sig, ssh}
 
 @item @ref{Release 3.15, 3.15} @tab 2018-12-09 @tab 54 KiB @tab
 @url{pygost-3.15.tar.xz.meta4, meta4}
 @url{pygost-3.15.tar.xz, tar}
-@url{pygost-3.15.tar.xz.asc, sig}
+@url{pygost-3.15.tar.xz.asc, pgp}
+@url{pygost-3.15.tar.xz.sig, ssh}
 
 @item @ref{Release 3.14, 3.14} @tab 2018-12-03 @tab 49 KiB @tab
 
@@ -146,36 +170,43 @@
 @item @ref{Release 3.3, 3.3} @tab 2017-06-11 @tab 41 KiB @tab
 @url{pygost-3.3.tar.xz.meta4, meta4}
 @url{pygost-3.3.tar.xz, tar}
-@url{pygost-3.3.tar.xz.asc, sig}
+@url{pygost-3.3.tar.xz.asc, pgp}
+@url{pygost-3.3.tar.xz.sig, ssh}
 
 @item @ref{Release 3.2, 3.2} @tab 2017-06-04 @tab 41 KiB @tab
 @url{pygost-3.2.tar.xz.meta4, meta4}
 @url{pygost-3.2.tar.xz, tar}
-@url{pygost-3.2.tar.xz.asc, sig}
+@url{pygost-3.2.tar.xz.asc, pgp}
+@url{pygost-3.2.tar.xz.sig, ssh}
 
 @item @ref{Release 3.1, 3.1} @tab 2016-11-28 @tab 39 KiB @tab
 @url{pygost-3.1.tar.xz.meta4, meta4}
 @url{pygost-3.1.tar.xz, tar}
-@url{pygost-3.1.tar.xz.asc, sig}
+@url{pygost-3.1.tar.xz.asc, pgp}
+@url{pygost-3.1.tar.xz.sig, ssh}
 
 @item @ref{Release 3.0, 3.0} @tab 2016-11-21 @tab 39 KiB @tab
 @url{pygost-3.0.tar.xz.meta4, meta4}
 @url{pygost-3.0.tar.xz, tar}
-@url{pygost-3.0.tar.xz.asc, sig}
+@url{pygost-3.0.tar.xz.asc, pgp}
+@url{pygost-3.0.tar.xz.sig, ssh}
 
 @item @ref{Release 2.4, 2.4} @tab 2016-10-13 @tab 37 KiB @tab
 @url{pygost-2.4.tar.xz.meta4, meta4}
 @url{pygost-2.4.tar.xz, tar}
-@url{pygost-2.4.tar.xz.asc, sig}
+@url{pygost-2.4.tar.xz.asc, pgp}
+@url{pygost-2.4.tar.xz.sig, ssh}
 
 @item @ref{Release 2.3, 2.3} @tab 2016-10-04 @tab 37 KiB @tab
 @url{pygost-2.3.tar.xz.meta4, meta4}
 @url{pygost-2.3.tar.xz, tar}
-@url{pygost-2.3.tar.xz.asc, sig}
+@url{pygost-2.3.tar.xz.asc, pgp}
+@url{pygost-2.3.tar.xz.sig, ssh}
 
 @end multitable
 
 Also there is example P2P F2F E2EE IM written on Python, that uses
 PyGOST with @url{http://www.pyderasn.cypherpunks.ru/, PyDERASN}:
 @url{gostim.txz, GOSTIM} (@url{gostim.txz.asc, sig}) (17 KiB). It is
-described on russian in @url{https://habr.com/ru/post/452200/, that article}.
+described on russian in
+@url{https://habr.com/ru/articles/452200/, that article}.

diff --git a/install.texi b/install.texi
index df6780a50a0b35e149955254cb1aa4cab62cdd6e..bc121ece9f1fde389b39bbe17923dc847d90b366 100644 (file)
--- a/install.texi
+++ b/install.texi
@@ -7,44 +7,15 @@ Preferable way is to download tarball with the signature:
 
 @example
 $ [fetch|wget] http://www.pygost.cypherpunks.ru/pygost-@value{VERSION}.tar.zst
-$ [fetch|wget] http://www.pygost.cypherpunks.ru/pygost-@value{VERSION}.tar.zst.asc
-$ gpg --verify pygost-@value{VERSION}.tar.zst.asc pygost-@value{VERSION}.tar.zst
+$ [fetch|wget] http://www.pygost.cypherpunks.ru/pygost-@value{VERSION}.tar.zst.@{asc,sig@}
+[verify signature]
 $ zstd -d < pygost-@value{VERSION}.tar.zst | tar xf -
 $ cd pygost-@value{VERSION}
 $ python setup.py install
 @end example
 
 @include download.texi
-
-You @strong{have to} verify downloaded tarballs integrity and
-authenticity to be sure that you retrieved trusted and untampered
-software. @url{https://www.gnupg.org/, GNU Privacy Guard} is used
-for that purpose.
-
-For the very first time it is necessary to get signing public key and
-import it. It is provided below, but you should check alternative
-resources.
-
-@verbatim
-pub   rsa2048/0xE6FD1269CD0C009E 2016-09-13
-      F55A 7619 3A0C 323A A031  0E6B E6FD 1269 CD0C 009E
-uid   PyGOST releases <pygost at cypherpunks dot ru>
-@end verbatim
-
-@itemize
-
-@item @url{http://lists.cypherpunks.ru/gost.html, gost} maillist
-
-@item
-@example
-$ gpg --auto-key-locate dane --locate-keys pygost at cypherpunks dot ru
-$ gpg --auto-key-locate  wkd --locate-keys pygost at cypherpunks dot ru
-@end example
-
-@item
-@verbatiminclude PUBKEY.asc
-
-@end itemize
+@include integrity.texi
 
 You can obtain development source code with
 @command{git clone git://git.cypherpunks.ru/pygost.git}.

diff --git a/integrity.texi b/integrity.texi
new file mode 100644 (file)
index 0000000..a378666
--- /dev/null
+++ b/integrity.texi
@@ -0,0 +1,34 @@
+You @strong{have to} verify downloaded tarballs authenticity to be sure
+that you retrieved trusted and untampered software. There are two options:
+
+@table @asis
+
+@item @url{https://www.openpgp.org/, OpenPGP} @file{.asc} signature
+    Use @url{https://www.gnupg.org/, GNU Privacy Guard} free software
+    implementation.
+    For the very first time it is necessary to get signing public key and
+    import it. It is provided @url{PUBKEY-PGP.asc, here}, but you should
+    check alternate resources.
+
+@verbatim
+pub   rsa2048/0xE6FD1269CD0C009E 2016-09-13
+      F55A 7619 3A0C 323A A031  0E6B E6FD 1269 CD0C 009E
+uid   PyGOST releases <pygost at cypherpunks dot ru>
+@end verbatim
+
+@example
+$ gpg --auto-key-locate dane --locate-keys pygost at cypherpunks dot ru
+$ gpg --auto-key-locate  wkd --locate-keys pygost at cypherpunks dot ru
+@end example
+
+@item @url{https://www.openssh.com/, OpenSSH} @file{.sig} signature
+    @url{PUBKEY-SSH.pub, Public key} and its OpenPGP
+    @url{PUBKEY-SSH.pub.asc, signature} made with the key above.
+    Its fingerprint: @code{SHA256:/Z3T/T2sXaaunefAL6tz3ZykHTDYIMh5TLd9Hh9mxlU}.
+
+@example
+$ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I pygost@@cypherpunks.ru -n file \
+    -s pygost-@value{VERSION}.tar.zst.sig < pygost-@value{VERSION}.tar.zst
+@end example
+
+@end table

diff --git a/makedist b/makedist
index 698c101e0d77f9e3c1c85f3f6e69765207d365df..0a37894bdef9c98151c9e2884c7ec759bcf0e313 100755 (executable)
--- a/makedist
+++ b/makedist
@@ -10,8 +10,10 @@ cd $tmp
 gunzip pygost-"$release".tar.gz
 zstd -19 -v pygost-"$release".tar
 tarball=pygost-"$release".tar.zst
+ssh-keygen -Y sign -f ~/.ssh/sign/pygost@cypherpunks.ru -n file $tarball
 gpg --armor --detach-sign --sign --local-user pygost@cypherpunks.ru "$tarball"
-meta4-create -fn "$tarball" -mtime "$tarball" -sig "$tarball".asc \
+meta4-create -fn "$tarball" -mtime "$tarball" \
+    -sig-pgp "$tarball".asc -sig-ssh "$tarball".sig \
     http://www.pygost.cypherpunks.ru/"$tarball" \
     http://y.www.pygost.cypherpunks.ru/"$tarball" < "$tarball" > "$tarball".meta4
 
@@ -23,7 +25,8 @@ An entry for documentation:
 @item @ref{Release $release, $release} @tab $release_date @tab $size KiB @tab
 @url{pygost-${release}.tar.zst.meta4, meta4}
 @url{pygost-${release}.tar.zst, tar}
-@url{pygost-${release}.tar.zst.asc, sig}
+@url{pygost-${release}.tar.zst.asc, pgp}
+@url{pygost-${release}.tar.zst.sig, ssh}
 EOF
 
 cat <<EOF
@@ -48,8 +51,9 @@ Source code and its signature for that version can be found here:
     http://www.pygost.cypherpunks.ru/pygost-${release}.tar.zst ($size KiB)
     http://www.pygost.cypherpunks.ru/pygost-${release}.tar.zst.asc
 
-GPG key: F55A 7619 3A0C 323A A031  0E6B E6FD 1269 CD0C 009E
-         PyGOST releases <pygost at cypherpunks dot ru>
+OpenPGP key: F55A 7619 3A0C 323A A031  0E6B E6FD 1269 CD0C 009E
+             PyGOST releases <pygost@cypherpunks.ru>
+OpenSSH key: SHA256:/Z3T/T2sXaaunefAL6tz3ZykHTDYIMh5TLd9Hh9mxlU
 
 Please send questions regarding the use of PyGOST, bug reports and patches
 to mailing list: http://lists.cypherpunks.ru/gost.html
@@ -78,12 +82,13 @@ PyGOST это свободное программное обеспечение 
     http://www.pygost.cypherpunks.ru/pygost-${release}.tar.zst ($size KiB)
     http://www.pygost.cypherpunks.ru/pygost-${release}.tar.zst.asc
 
-GPG ключ: F55A 7619 3A0C 323A A031  0E6B E6FD 1269 CD0C 009E
-          PyGOST releases <pygost at cypherpunks dot ru>
+OpenPGP ключ: F55A 7619 3A0C 323A A031  0E6B E6FD 1269 CD0C 009E
+              PyGOST releases <pygost@cypherpunks.ru>
+OpenSSH ключ: SHA256:/Z3T/T2sXaaunefAL6tz3ZykHTDYIMh5TLd9Hh9mxlU
 
 Пожалуйста, все вопросы касающиеся использования PyGOST, отчёты об
 ошибках и патчи отправляйте в gost почтовую рассылку:
 http://lists.cypherpunks.ru/gost.html
 EOF
 
-mv $tmp/$tarball $tmp/"$tarball".asc $tmp/"$tarball".meta4 $cur/pygost.html/
+mv $tmp/$tarball $tmp/"$tarball".asc $tmp/"$tarball".sig $tmp/"$tarball".meta4 $cur/pygost.html/

diff --git a/www.do b/www.do
index 90c52e79f223d014c3047d39fffb7db5e3e41a00..f6bbd0461c2e7500e4e655083e5c53bcc34634fc 100644 (file)
--- a/www.do
+++ b/www.do
@@ -10,6 +10,7 @@ ${MAKEINFO:-makeinfo} --html \
     --set-customization-variable DATE_IN_HEADER=1 \
     --set-customization-variable ASCII_PUNCTUATION=1 \
     --output pygost.html www.texi
+cp PUBKEY-* pygost.html/
 (
     cd pygost.html
     export ATOM_ID="98c5d1c8-b867-4eee-91b0-ef2c507e93b9"