SSH commit signing will be used going forward
This commit is contained in:
Daniel Micay
parent
1ff2719b37
commit
6280211cc5
@ -298,6 +298,10 @@ http {
|
||||
try_files $uri.html =404;
|
||||
}
|
||||
|
||||
location = /allowed_signers {}
|
||||
location = /allowed_signers.sig {}
|
||||
location = /allowed_signers.asc {}
|
||||
|
||||
location = /favicon.ico {
|
||||
if ($http_accept ~ "image/svg\+xml") {
|
||||
rewrite ^ /favicon.svg last;
|
||||
|
||||
1
static/allowed_signers
Normal file
1
static/allowed_signers
Normal file
@ -0,0 +1 @@
|
||||
daniel.micay@grapheneos.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUg/m5CoP83b0rfSCzYSVA4cw4ir49io5GPoxbgxdJE
|
||||
16
static/allowed_signers.asc
Normal file
16
static/allowed_signers.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCAAdFiEEZe7+AiEI4rcIy/z3+ecS5Zr18ioFAmO2c1QACgkQ+ecS5Zr1
|
||||
8iodbQ/9GdR5FVChX8KFWJ95sX/PeAHXkR8yCaYN5c/LwDxfZ1Hz3ZGdrIHOVscV
|
||||
+NohU6ziUNK4Jkqbk//LhSGeQSqdgB8g1eQW+DkrBNEn9aGFUACSGVeS/PNDIfrz
|
||||
+iMLRdTgpY/PM4Ln2u+lTYXOFwqalPtf+bBh+hxiLnm0Kilqgb8oBp5kJzeaobVM
|
||||
N1rS3Vj6YPrS5ywlYNI/bjY8jzPihCcRXSKz++o1WOW2i2l3EyG23z9RMIPDrfWj
|
||||
yw9rty/5YEAwX9/Hdx3x/WpzbinNRvYNYZwG8t6o+dQdZYvlAozPDVPz+8GsGZ5y
|
||||
yBkDAzmmVCedBHy29K++NjgrFetkI+kUaOUuJ/u+5O3DV6WFQa0OMKCLehxCeE5v
|
||||
bEhc83hnTuuoD5cnOWwaPgpA5g+tNCyjWl+0ySTW9zucEORIkNrfrilv6rKK0dtq
|
||||
0y1mId6/n7Zgc2KXpGhFghsaP+Bg9ILo7STk/zlAlD5Gh9Vwniw7T9LApPQAEjpD
|
||||
a2TLjeotP0+WQT0hckB9rGTMZGLNCUh5ct2NVqNOgdsoUAOwmC/FivaeKvSTj8GD
|
||||
0zcLwv3M6qRZJyKCQGBKb1nq11JpzpkJ41qMIRAOu1dO1vmcaApe7O59Y6LxseY7
|
||||
lLfotHx4bKCzosVBJyyXbsGZkdnbnIHI4SQLXGlnPtWE82qYkVc=
|
||||
=ybyF
|
||||
-----END PGP SIGNATURE-----
|
||||
2
static/allowed_signers.sig
Normal file
2
static/allowed_signers.sig
Normal file
@ -0,0 +1,2 @@
|
||||
untrusted comment: verify with factory.pub
|
||||
RWQZW9NItOuQYA+Rim+poiDbYOb1fwiBP5iNXqWc62wc1d/blJH3GwosSRLN77WE51WT0GhHOru1gRwcgf4AWVzWnn20I28X5QY=
|
||||
@ -351,10 +351,18 @@ repo sync -j16</pre>
|
||||
cd grapheneos-<var>TAG_NAME</var>
|
||||
repo init -u https://github.com/GrapheneOS/platform_manifest.git -b refs/tags/<var>TAG_NAME</var></pre>
|
||||
|
||||
<p>Obtain GPG public key for verifying tags before 2023-01-05:</p>
|
||||
|
||||
<pre>gpg --recv-keys 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A</pre>
|
||||
|
||||
<p>Obtain SSH public key for verifying tags after 2023-01-05:</p>
|
||||
|
||||
<pre>curl https://grapheneos.org/allowed_signers > ~/.ssh/grapheneos_allowed_signers</pre>
|
||||
|
||||
<p>Verify the manifest:</p>
|
||||
|
||||
<pre>gpg --recv-keys 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A
|
||||
cd .repo/manifests
|
||||
<pre>cd .repo/manifests
|
||||
git config gpg.ssh.allowedSignersFile ~/.ssh/grapheneos_allowed_signers
|
||||
git verify-tag $(git describe)
|
||||
cd ../..</pre>
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user