[web] Add public key fingerprint page and generator script.

LEDE Commits lede-commits at lists.infradead.org
Tue Aug 2 06:26:14 PDT 2016


jow pushed a commit to web.git, branch master:
https://git.lede-project.org/?p=web.git;a=commitdiff;h=077891333f31e409e38ac5b51f8e687f71e15993

commit 077891333f31e409e38ac5b51f8e687f71e15993
Author: Jo-Philipp Wich <jo at mein.io>
AuthorDate: Tue Aug 2 15:25:51 2016 +0200

    Add public key fingerprint page and generator script.
    
    Signed-off-by: Jo-Philipp Wich <jo at mein.io>
---
 scripts/make-signatures.sh | 138 +++++++++++++++++++++++++++++++++++++++++++++
 signatures.txt             | 125 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 263 insertions(+)

diff --git a/scripts/make-signatures.sh b/scripts/make-signatures.sh
new file mode 100755
index 0000000..3cf202a
--- /dev/null
+++ b/scripts/make-signatures.sh
@@ -0,0 +1,138 @@
+#!/usr/bin/env bash
+
+cat <<EOT > signatures.txt
+---
+---
+LEDE Public Keys
+================
+
+== LEDE Public Keys
+
+This page lists the fingerprints of all public keys in use by the LEDE project
+and is automatically generated from the developer keys present in the
+https://git.lede-project.org/?p=keyring.git[keyring.git] repository.
+
+Refer to our link:signing.html[signing documentation page] to learn more about
+file verification and key generation.
+
+EOT
+
+mkdir -p "tmp.$$/gpg" || {
+	echo "Canot create temporary directory." >&2
+	exit 1
+}
+
+trap "rm -fr tmp.$$" INT TERM
+git clone https://git.lede-project.org/keyring.git "tmp.$$/git"
+
+
+cat <<EOT >> signatures.txt
+=== GnuPG key fingerprints
+
+GnuPG keys are mainly used to verify the integrity of firmware image downloads.
+
+Signature verification ensures that image downloads have not been tampered with
+and that the third-party download mirrors serve genuine content.
+
+EOT
+
+format_key() {
+	output=""
+
+	while read field rest; do
+		case $field in
+			uid)
+				output="User ID: $(echo "$rest" | sed -e 's/([^()]*) //; s/@/ -at- /; s/^\(.*\) </*\1* </') +\n$output"
+			;;
+			pub|sub)
+				oIFS="$IFS"; IFS=" /]"; set -- $rest; IFS="$oIFS"
+				type="$1"; keyid="$2"; created="$3"; expires="$5"
+
+				case $field in
+					pub) output="${output}Public Key: " ;;
+					sub) output="${output}Signing Subkey: " ;;
+				esac
+
+				output="${output}*0x$keyid* ("
+
+				case $type in
+					*[rR]) output="${output}${type%[rR]} Bit RSA" ;;
+					*[dD]) output="${output}${type%[dD]} Bit DSA" ;;
+					*[gG]) output="${output}${type%[gG]} Bit ElGamal" ;;
+				esac
+
+				output="${output}, created $created${expires:+, expires $expires}) +\n";
+			;;
+			Key)
+				fingerprint="${rest##* = }"
+				output="${output}Fingerprint: +$fingerprint+ +\n"
+			;;
+		esac
+	done
+
+	printf "$output"
+}
+
+grep -rE "^Comment: " "tmp.$$/git/gpg"/*.asc | \
+sed -e 's!^\([^:]*\):Comment: \(.*\)$!\2|\1!' | \
+sort | \
+while read line; do
+	keyfile="${line##*|}"
+	comment="${line%|*}"
+
+	keyid=$(gpg --status-fd 1 --homedir "tmp.$$/gpg" --import "$keyfile" 2>/dev/null | \
+		sed -ne 's!^.* IMPORTED \([A-F0-9]\+\) .*$!\1!p')
+
+	relfile="gpg/${keyfile##*/gpg/}"
+	modtime="$(cd "tmp.$$/git/"; git log -1 --format="%ci" -- "$relfile")"
+
+	{
+		cat <<-EOT
+			---
+
+			==== $comment
+			$(gpg --homedir "tmp.$$/gpg" --fingerprint --fingerprint "$keyid" 2>/dev/null | format_key)
+
+			[small]#https://git.lede-project.org/?p=keyring.git;a=history;f=$relfile[Last change: $modtime] | https://git.lede-project.org/?p=keyring.git;a=blob_plain;f=$relfile[Download]#
+
+		EOT
+	} >> signatures.txt
+done
+
+cat <<EOT >> signatures.txt
+=== _usign_ public keys
+
+The _usign_ EC keys are used to sign repository indexes in order to ensure that
+packages fetched and installed via _opkg_ are unmodified and genuine.
+
+Those keys are usually installed by default and bundled as
+https://git.lede-project.org/?p=source.git;a=tree;f=package/system/lede-keyring[lede-keyring]
+package.
+
+EOT
+
+grep -rE "^untrusted comment: " "tmp.$$/git/usign"/[a-f0-9]* | \
+sed -e 's!^\([^:]*\):untrusted comment: \(.*\)$!\2|\1!' | \
+sort | \
+while read line; do
+	keyfile="${line##*|}"
+	comment="${line%|*}"
+
+	relfile="usign/${keyfile##*/usign/}"
+	modtime="$(cd "tmp.$$/git/"; git log -1 --format="%ci" -- "$relfile")"
+
+	{
+		cat <<-EOT
+			---
+
+			==== $comment
+			 * Key-ID: +${keyfile##*/}+
+			 * Key-Data: +$(grep -vE "^untrusted comment: " "$keyfile")+
+
+			[small]#https://git.lede-project.org/?p=keyring.git;a=history;f=$relfile[Last change: $modtime] | https://git.lede-project.org/?p=keyring.git;a=blob_plain;f=$relfile[Download]#
+
+		EOT
+	} >> signatures.txt
+done
+
+rm -fr "tmp.$$"
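Review bot: Failures in this generator are silent, which matters for a page readers use as a trust anchor: `signatures.txt` is truncated at the top before anything is fetched, the `git clone` result is never checked, and both `gpg` calls discard stderr, so an import that yields no `IMPORTED` status line leaves `$keyid` empty and the loop still emits a `==== $comment` section. I would check the clone with `git clone … "tmp.$$/git" || exit 1`, report to stderr and skip the entry when `[ -n "$keyid" ]` is false, and write to a temporary file that is renamed to `signatures.txt` only after both loops have finished. Separately, `printf "$output"` in `format_key` uses key UID text as the format string; `printf '%b' "$output"` keeps the `\n` handling without interpreting a `%` in a UID. The trap covers only INT and TERM, so adding EXIT would also remove `tmp.$$` on the error paths.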
diff --git a/signatures.txt b/signatures.txt
new file mode 100644
index 0000000..2f7b29b
--- /dev/null
+++ b/signatures.txt
@@ -0,0 +1,125 @@
+---
+---
+LEDE Public Keys
+================
+
+== LEDE Public Keys
+
+This page lists the fingerprints of all public keys in use by the LEDE project
+and is automatically generated from the developer keys present in the
+https://git.lede-project.org/?p=keyring.git[keyring.git] repository.
+
+Refer to our link:signing.html[signing documentation page] to learn more about
+file verification and key generation.
+
+=== GnuPG key fingerprints
+
+GnuPG keys are mainly used to verify the integrity of firmware image downloads.
+
+Signature verification ensures that image downloads have not been tampered with
+and that the third-party download mirrors serve genuine content.
+
+---
+
+==== LEDE GnuPG key for unattended build jobs
+User ID: *LEDE Build System* <lede-adm -at- lists.infradead.org> +
+Public Key: *0x626471F1* (4096 Bit RSA, created 2016-07-26) +
+Fingerprint: +54CC 7430 7A2C 6DC9 CE61  8269 CD84 BCED 6264 71F1+ +
+Signing Subkey: *0x8B699029* (4096 Bit RSA, created 2016-07-26) +
+Fingerprint: +6D92 78A3 3A9A B314 6262  DCEC F935 25A8 8B69 9029+ +
+
+[small]#https://git.lede-project.org/?p=keyring.git;a=history;f=gpg/626471F1.asc[Last change: 2016-07-26 15:54:36 +0200] | https://git.lede-project.org/?p=keyring.git;a=blob_plain;f=gpg/626471F1.asc[Download]#
+
+---
+
+==== Public key of Álvaro Fernández Rojas
+User ID: *Álvaro Fernández Rojas* <noltari -at- gmail.com> +
+Public Key: *0xAA382EC1* (4096 Bit RSA, created 2016-04-16) +
+Fingerprint: +5155 F5AE EACC 0C33 E8A3  6F2A 9E2A DB5C AA38 2EC1+ +
+Signing Subkey: *0xA7DCDFFB* (4096 Bit RSA, created 2016-04-16, expires 2018-04-16) +
+Fingerprint: +FB89 4037 B454 05CA 95EE  34DC 9712 EBC9 A7DC DFFB+ +
+
+[small]#https://git.lede-project.org/?p=keyring.git;a=history;f=gpg/A7DCDFFB.asc[Last change: 2016-04-16 11:59:03 +0200] | https://git.lede-project.org/?p=keyring.git;a=blob_plain;f=gpg/A7DCDFFB.asc[Download]#
+
+---
+
+==== Public key of John Crispin
+User ID: *John Crispin* <john -at- phrozen.org> +
+Public Key: *0x34E5BBCC* (4096 Bit RSA, created 2016-04-14) +
+Fingerprint: +B4DE 4970 B205 473D 26CD  818F 9E8F 1F29 34E5 BBCC+ +
+Signing Subkey: *0x49785F4F* (4096 Bit RSA, created 2016-04-14, expires 2018-04-14) +
+Fingerprint: +AA98 B891 5121 33A3 CD28  BB4A 3D8B E4EB 4978 5F4F+ +
+
+[small]#https://git.lede-project.org/?p=keyring.git;a=history;f=gpg/34E5BBCC.asc[Last change: 2016-04-14 14:40:54 +0200] | https://git.lede-project.org/?p=keyring.git;a=blob_plain;f=gpg/34E5BBCC.asc[Download]#
+
+---
+
+==== Public key of Jo-Philipp Wich
+User ID: *Jo-Philipp Wich* <jo -at- mein.io> +
+Public Key: *0x612A0E98* (4096 Bit RSA, created 2016-04-05) +
+Fingerprint: +69B2 6A27 62D0 65E6 6F59  6755 C76F DE50 612A 0E98+ +
+Signing Subkey: *0x1584F206* (4096 Bit RSA, created 2016-04-05, expires 2018-04-05) +
+Fingerprint: +A8B2 D538 69A3 E72D 1392  3D8F 2D87 FF6E 1584 F206+ +
+
+[small]#https://git.lede-project.org/?p=keyring.git;a=history;f=gpg/612A0E98.asc[Last change: 2016-04-05 19:03:17 +0200] | https://git.lede-project.org/?p=keyring.git;a=blob_plain;f=gpg/612A0E98.asc[Download]#
+
+---
+
+==== Public LEDE key of Ted Hess
+User ID: *Ted Hess* <thess -at- kitschensync.net> +
+Public Key: *0x12D89000* (4096 Bit RSA, created 2016-04-26) +
+Fingerprint: +C2C9 C93B F477 5C11 D4F6  617C 9C46 FAFC 12D8 9000+ +
+Signing Subkey: *0x8A1617C4* (4096 Bit RSA, created 2016-04-26, expires 2018-04-26) +
+Fingerprint: +021D 623A 818E E4D3 D1AC  6041 3146 4E53 8A16 17C4+ +
+
+[small]#https://git.lede-project.org/?p=keyring.git;a=history;f=gpg/12D89000.asc[Last change: 2016-04-26 14:18:19 -0400] | https://git.lede-project.org/?p=keyring.git;a=blob_plain;f=gpg/12D89000.asc[Download]#
+
+=== _usign_ public keys
+
+The _usign_ EC keys are used to sign repository indexes in order to ensure that
+packages fetched and installed via _opkg_ are unmodified and genuine.
+
+Those keys are usually installed by default and bundled as
+https://git.lede-project.org/?p=source.git;a=tree;f=package/system/lede-keyring[lede-keyring]
+package.
+
+---
+
+==== LEDE usign key for unattended build jobs
+ * Key-ID: +b5043e70f9a75cde+
+ * Key-Data: +RWS1BD5w+adc3j2Hqg9+b66CvLR7NlHbsj7wjNVj0XGt/othDgIAOJS++
+
+[small]#https://git.lede-project.org/?p=keyring.git;a=history;f=usign/b5043e70f9a75cde[Last change: 2016-04-30 18:58:47 +0200] | https://git.lede-project.org/?p=keyring.git;a=blob_plain;f=usign/b5043e70f9a75cde[Download]#
+
+---
+
+==== LEDE usign key of Álvaro Fernández Rojas
+ * Key-ID: +9ef4694208102c43+
+ * Key-Data: +RWSe9GlCCBAsQwI5+wztnWKHfBlvPFP2G00FvZyx+Wfv9AwSViUwo/s2+
+
+[small]#https://git.lede-project.org/?p=keyring.git;a=history;f=usign/9ef4694208102c43[Last change: 2016-04-16 11:58:31 +0200] | https://git.lede-project.org/?p=keyring.git;a=blob_plain;f=usign/9ef4694208102c43[Download]#
+
+---
+
+==== LEDE usign key of John Crispin
+ * Key-ID: +dd6de0d06bbd3d85+
+ * Key-Data: +RWTdbeDQa709heyMmwDZjWmlhcTCUv/q+3TBYDPdJAGRuys6xcxE09fp+
+
+[small]#https://git.lede-project.org/?p=keyring.git;a=history;f=usign/dd6de0d06bbd3d85[Last change: 2016-04-14 14:44:03 +0200] | https://git.lede-project.org/?p=keyring.git;a=blob_plain;f=usign/dd6de0d06bbd3d85[Download]#
+
+---
+
+==== LEDE usign key of Jo-Philipp Wich
+ * Key-ID: +72a57f2191b211e0+
+ * Key-Data: +RWRypX8hkbIR4FLhtx5pjXcAIsI1iPUIcI5bMG8jZoiCkrwTstECBPqL+
+
+[small]#https://git.lede-project.org/?p=keyring.git;a=history;f=usign/72a57f2191b211e0[Last change: 2016-04-05 19:18:02 +0200] | https://git.lede-project.org/?p=keyring.git;a=blob_plain;f=usign/72a57f2191b211e0[Download]#
+
+---
+
+==== LEDE usign key of Ted Hess
+ * Key-ID: +dace9d4df16896bf+
+ * Key-Data: +RWTazp1N8WiWvy7rYxstJqaMzGiS4XfW1oyYrk2vwJMRBeBF+8xEA+EZ+
+
+[small]#https://git.lede-project.org/?p=keyring.git;a=history;f=usign/dace9d4df16896bf[Last change: 2016-04-26 14:22:18 -0400] | https://git.lede-project.org/?p=keyring.git;a=blob_plain;f=usign/dace9d4df16896bf[Download]#
+


