move to OpenSSH signing for factory images

This commit is contained in:
Daniel Micay 2024-02-14 06:42:12 -05:00
parent d7db6a7ece
commit 4f3bee20cd
5 changed files with 50 additions and 45 deletions

View File

@ -261,8 +261,11 @@
<li>32-bit gcc runtime library</li> <li>32-bit gcc runtime library</li>
</ul> </ul>
<p>The <code>signify</code> tool (with the proper naming) is also required for signing <p>Additional dependencies for signing factory images releases:</p>
factory images zips.</p>
<ul>
<li>ssh-keygen (OpenSSH)</li>
</ul>
</section> </section>
<section id="downloading-source-code"> <section id="downloading-source-code">
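Review bot: the new lead-in sentence "Additional dependencies for signing factory images releases:" stacks two plurals; "Additional dependencies for signing factory image releases:" (or simply "for signing factory images:") reads correctly. Since the install page touched by this same commit maps the tool to the `openssh` / `openssh-client` packages, naming the package next to `ssh-keygen (OpenSSH)` in this list would save a builder a lookup.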
@ -537,14 +540,10 @@ cd ../..</pre>
<p>Generate a signify key for signing factory images:</p> <p>Generate a signify key for signing factory images:</p>
<pre>signify -G -n -p keys/raven/factory.pub -s keys/raven/factory.sec</pre> <pre>ssh-keygen -t ed25519 -f keys/raven/id_ed25519</pre>
<p>Remove the <code>-n</code> switch to set a passphrase. The <code>signify</code> <p>The passphrase for the SSH key should also match the other keys, although we
tool doesn't provide a way to change the passphrase without generating a new key, so don't currently handle it automatically in the encrypt/decrypt scripts.</p>
this is currently handled separately from encrypting the other keys and there will be
a separate prompt for the passphrase. In the future, expect this to be handled by the
same scripts along with the expectation of it using the same passphrase as the other
keys.</p>
<section id="encrypting-keys"> <section id="encrypting-keys">
<h4><a href="#encrypting-keys">Encrypting keys</a></h4> <h4><a href="#encrypting-keys">Encrypting keys</a></h4>
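Review bot: the unchanged context line at the top of this hunk still reads "Generate a signify key for signing factory images:" while the command under it is now `ssh-keygen -t ed25519 -f keys/raven/id_ed25519`; change it to "Generate an OpenSSH key for signing factory images:" so the prose matches the tool. The replacement paragraph also drops all of the old passphrase guidance (the `-n` switch and the separate prompt): `ssh-keygen` prompts for a passphrase interactively, so the text should say explicitly that the builder is expected to enter the same passphrase used for the other keys at that prompt, rather than only that the encrypt/decrypt scripts do not handle it yet.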

View File

@ -1740,7 +1740,7 @@
<p>The command-line approach offers a way to install GrapheneOS without trusting <p>The command-line approach offers a way to install GrapheneOS without trusting
our server infrastructure. This requires being on an OS with proper fastboot and our server infrastructure. This requires being on an OS with proper fastboot and
signify packages along with understanding the process enough to avoid blindly OpenSSH packages along with understanding the process enough to avoid blindly
trusting the instructions from our site. For most users, the web-based trusting the instructions from our site. For most users, the web-based
installation approach is no less secure and avoids needing any software beyond a installation approach is no less secure and avoids needing any software beyond a
browser with WebUSB support.</p> browser with WebUSB support.</p>

View File

@ -74,7 +74,7 @@
<li><a href="#booting-into-the-bootloader-interface">Booting into the bootloader interface</a></li> <li><a href="#booting-into-the-bootloader-interface">Booting into the bootloader interface</a></li>
<li><a href="#connecting-device">Connecting the device</a></li> <li><a href="#connecting-device">Connecting the device</a></li>
<li><a href="#unlocking-the-bootloader">Unlocking the bootloader</a></li> <li><a href="#unlocking-the-bootloader">Unlocking the bootloader</a></li>
<li><a href="#obtaining-signify">Obtaining signify</a></li> <li><a href="#obtaining-openssh">Obtaining OpenSSH</a></li>
<li><a href="#obtaining-factory-images">Obtaining factory images</a></li> <li><a href="#obtaining-factory-images">Obtaining factory images</a></li>
<li> <li>
<a href="#flashing-factory-images">Flashing factory images</a> <a href="#flashing-factory-images">Flashing factory images</a>
@ -370,28 +370,22 @@ Installed as /home/username/platform-tools/fastboot</pre>
to confirm.</p> to confirm.</p>
</section> </section>
<section id="obtaining-signify"> <section id="obtaining-openssh">
<h2><a href="#obtaining-signify">Obtaining signify</a></h2> <h2><a href="#obtaining-openssh">Obtaining openssh</a></h2>
<p>On the supported Linux distributions, the signify tool is used to verify the <p>On the supported Linux distributions, OpenSSH is used to verify the download of
download of the OS beyond the security offered by HTTPS. You should skip this on the OS beyond the security offered by HTTPS. You should skip this on macOS and
macOS and Windows. It only makes sense to do this if you can obtain signify from Windows. It only makes sense to do this if you can obtain OpenSSH from the
the distribution package repositories. GrapheneOS releases are hosted on our distribution package repositories. GrapheneOS releases are hosted on our servers and
servers and we do not have third party mirrors.</p> we do not have third party mirrors.</p>
<p>On Arch Linux:</p> <p>On Arch Linux:</p>
<pre>sudo pacman -S signify</pre> <pre>sudo pacman -S openssh</pre>
<p>On Debian and Ubuntu:</p> <p>On Debian and Ubuntu:</p>
<pre>sudo apt install signify-openbsd <pre>sudo apt install openssh-client</pre>
alias signify=signify-openbsd</pre>
<p>On Debian-based distributions, the <code>signify</code> package and command are an
<a href="http://signify.sourceforge.net/" rel="nofollow">unmaintained mail-related
tool for generating mail signatures (not cryptographic signatures)</a>. Make sure
to install <code>signify-openbsd</code>.</p>
</section> </section>
<section id="obtaining-factory-images"> <section id="obtaining-factory-images">
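Review bot: the new heading text is "Obtaining openssh" while the table-of-contents entry added in this same commit reads "Obtaining OpenSSH"; capitalise the heading to match. The paragraph also keeps "You should skip this on macOS and Windows", a restriction that was tied to signify not being packaged there; now that the tool is `ssh-keygen`, re-check whether that sentence still holds or needs a different justification, such as a minimum OpenSSH version for the `-Y` subcommands used on the verification step.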
@ -405,22 +399,31 @@ alias signify=signify-openbsd</pre>
using it for the rest of the installation process, so these instructions use using it for the rest of the installation process, so these instructions use
<code>curl</code>.</p> <code>curl</code>.</p>
<p>Download <a href="https://releases.grapheneos.org/factory.pub">the factory images <p>Download <a href="https://releases.grapheneos.org/allowed_signers">the factory images
public key (factory.pub)</a> in order to verify the factory images:</p> public key (allowed_signers)</a> in order to verify the factory images:</p>
<pre>curl -O https://releases.grapheneos.org/factory.pub</pre> <pre>curl -O https://releases.grapheneos.org/allowed_signers</pre>
<p>This is the content of <code>factory.pub</code>:</p> <p>This is the content of <code>allowed_signers</code>:</p>
<pre>untrusted comment: GrapheneOS factory images public key <pre>contact@grapheneos.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUg/m5CoP83b0rfSCzYSVA4cw4ir49io5GPoxbgxdJE</pre>
RWQZW9NItOuQYJ86EooQBxScfclrWiieJtAO9GpnfEjKbCO/3FriLGX3</pre>
<p>The public key has also been published via the official <p>Other locations to obtain the signing key:</p>
<a href="https://twitter.com/GrapheneOS/status/1145259815851253762">@GrapheneOS Twitter
account</a>, <ul>
<a href="https://www.reddit.com/r/GrapheneOS/comments/c7gb3f/grapheneos_factory_images_are_now_signed_with/esewpm9">the /u/GrapheneOS <li><a href="https://bsky.app/profile/grapheneos.org/post/3kleyygkptm2x">Bluesky</a></li>
Reddit account</a> and <a href="https://github.com/GrapheneOS/releases.grapheneos.org/blob/main/static/factory.pub">is available on GitHub</a>. <li><a href="https://twitter.com/GrapheneOS/status/1757758688952009209">Twitter</a></li>
When the current signing key is replaced, the new key will be signed with it.</p> <li><a href="https://github.com/GrapheneOS/releases.grapheneos.org/blob/main/static/allowed_signers">GitHub</a></li>
</ul>
<p>The current public key is signed with the previous signify key. If you already
have the previous signify public key (factory.pub) and want to verify the new key
with it:</p>
<pre>curl -O https://releases.grapheneos.org/allowed_signers.sig
signify -V -m allowed_signers -x allowed_signers.sig -p factory.pub</pre>
<p>When the current signing key is replaced, the new key will be signed with it.</p>
<p>Download the factory images for the device from <a href="/releases">the releases <p>Download the factory images for the device from <a href="/releases">the releases
page</a>. For example, to download the 2021110122 release for a device with the page</a>. For example, to download the 2021110122 release for a device with the
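Review bot: the `allowed_signers` entry shown binds the key only to the principal `contact@grapheneos.org`, while the verify step in this commit passes `-n "factory images"`; adding `namespaces="factory images"` to that line (standard allowed_signers option syntax) makes the file itself reject a signature made in any other namespace instead of relying on every caller passing the right `-n`. The paragraph prints the file's content but never asks the reader to compare it with what `curl -O` fetched; one sentence saying to do so would close that gap. The cross-signing step with the previous key (`signify -V -m allowed_signers -x allowed_signers.sig -p factory.pub`) is a good addition for readers who still have `factory.pub`.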
@ -429,14 +432,15 @@ RWQZW9NItOuQYJ86EooQBxScfclrWiieJtAO9GpnfEjKbCO/3FriLGX3</pre>
<pre>curl -O https://releases.grapheneos.org/<var>DEVICE_NAME</var>-factory-2021110122.zip <pre>curl -O https://releases.grapheneos.org/<var>DEVICE_NAME</var>-factory-2021110122.zip
curl -O https://releases.grapheneos.org/<var>DEVICE_NAME</var>-factory-2021110122.zip.sig</pre> curl -O https://releases.grapheneos.org/<var>DEVICE_NAME</var>-factory-2021110122.zip.sig</pre>
<p>Verify the factory images using the signature if you were able to obtain <p>Verify the factory images using the signature if you were able to obtain OpenSSH
<code>signify</code> from trusted package repositories (see above), otherwise from trusted package repositories (see above), otherwise continue on to the next
continue on to the next section without this:</p> section without this:</p>
<pre>signify -Cqp factory.pub -x <var>DEVICE_NAME</var>-factory-2021110122.zip.sig &amp;&amp; echo verified</pre> <pre>ssh-keygen -Y verify -f allowed_signers -I contact@grapheneos.org -n "factory images" -s <var>DEVICE_NAME</var>-factory-2021110122.zip.sig &lt; <var>DEVICE_NAME</var>-factory-2021110122.zip</pre>
<p>This will output <code>verified</code> if verification is successful. If something <p>This will producing the following output when successful:</p>
goes wrong, it will output an error message rather than <code>verified</code>.</p>
<pre>Good "factory images" signature for contact@grapheneos.org with ED25519 key SHA256:AhgHif0mei+9aNyKLfMZBh2yptHdw/aN7Tlh/j2eFwM</pre>
</section> </section>
<section id="flashing-factory-images"> <section id="flashing-factory-images">
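Review bot: "This will producing the following output when successful:" should read "This will produce the following output when successful:". The removed sentence covering the failure case ("it will output an error message rather than verified") has no replacement; keep a line stating that on a bad or missing signature `ssh-keygen -Y verify` prints an error and exits non-zero, so the old `&& echo verified` pattern still works for scripting. The new command's `-f allowed_signers`, `-I contact@grapheneos.org` and `-n "factory images"` do match the entry and namespace shown in the previous hunk.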

View File

@ -53,7 +53,7 @@
on.</p> on.</p>
<p>The command-line approach offers a way to install GrapheneOS without trusting our <p>The command-line approach offers a way to install GrapheneOS without trusting our
server infrastructure. This requires being on an OS with proper fastboot and signify server infrastructure. This requires being on an OS with proper fastboot and OpenSSH
packages along with understanding the process enough to avoid blindly trusting the packages along with understanding the process enough to avoid blindly trusting the
instructions from our site. For most users, the web-based installation approach is no instructions from our site. For most users, the web-based installation approach is no
less secure and avoids needing any software beyond a browser with WebUSB support.</p> less secure and avoids needing any software beyond a browser with WebUSB support.</p>

View File

@ -28,6 +28,8 @@ const redirects = new Map([
["/build#enabling-updatable-apex-components", "/build#apex-components"], ["/build#enabling-updatable-apex-components", "/build#apex-components"],
["/install/cli#obtaining-signify", "/install/cli#obtaining-openssh"],
// legacy devices // legacy devices
["/releases#marlin-stable", "/faq#legacy-devices"], ["/releases#marlin-stable", "/faq#legacy-devices"],
["/releases#marlin-beta", "/faq#legacy-devices"], ["/releases#marlin-beta", "/faq#legacy-devices"],