diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index f991e795..84c85283 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -298,6 +298,10 @@ http { try_files $uri.html =404; }
+ location = /allowed_signers {}
+ location = /allowed_signers.sig {}
+ location = /allowed_signers.asc {}
+ location = /favicon.ico { if ($http_accept ~ "image/svg\+xml") { rewrite ^ /favicon.svg last;
diff --git a/static/allowed_signers b/static/allowed_signers
new file mode 100644
index 00000000..cf6fad9e
--- /dev/null
+++ b/static/allowed_signers
@@ -0,0 +1 @@
+daniel.micay@grapheneos.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUg/m5CoP83b0rfSCzYSVA4cw4ir49io5GPoxbgxdJE
diff --git a/static/allowed_signers.asc b/static/allowed_signers.asc
new file mode 100644
index 00000000..3e845c58
--- /dev/null
+++ b/static/allowed_signers.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEZe7+AiEI4rcIy/z3+ecS5Zr18ioFAmO2c1QACgkQ+ecS5Zr1
+8iodbQ/9GdR5FVChX8KFWJ95sX/PeAHXkR8yCaYN5c/LwDxfZ1Hz3ZGdrIHOVscV
++NohU6ziUNK4Jkqbk//LhSGeQSqdgB8g1eQW+DkrBNEn9aGFUACSGVeS/PNDIfrz
++iMLRdTgpY/PM4Ln2u+lTYXOFwqalPtf+bBh+hxiLnm0Kilqgb8oBp5kJzeaobVM
+N1rS3Vj6YPrS5ywlYNI/bjY8jzPihCcRXSKz++o1WOW2i2l3EyG23z9RMIPDrfWj
+yw9rty/5YEAwX9/Hdx3x/WpzbinNRvYNYZwG8t6o+dQdZYvlAozPDVPz+8GsGZ5y
+yBkDAzmmVCedBHy29K++NjgrFetkI+kUaOUuJ/u+5O3DV6WFQa0OMKCLehxCeE5v
+bEhc83hnTuuoD5cnOWwaPgpA5g+tNCyjWl+0ySTW9zucEORIkNrfrilv6rKK0dtq
+0y1mId6/n7Zgc2KXpGhFghsaP+Bg9ILo7STk/zlAlD5Gh9Vwniw7T9LApPQAEjpD
+a2TLjeotP0+WQT0hckB9rGTMZGLNCUh5ct2NVqNOgdsoUAOwmC/FivaeKvSTj8GD
+0zcLwv3M6qRZJyKCQGBKb1nq11JpzpkJ41qMIRAOu1dO1vmcaApe7O59Y6LxseY7
+lLfotHx4bKCzosVBJyyXbsGZkdnbnIHI4SQLXGlnPtWE82qYkVc=
+=ybyF
+-----END PGP SIGNATURE-----
diff --git a/static/allowed_signers.sig b/static/allowed_signers.sig
new file mode 100644
index 00000000..4792799b
--- /dev/null
+++ b/static/allowed_signers.sig
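Review bot: The three empty `location = /allowed_signers… {}` blocks have no comment saying why they exist, and an empty body is easy to mistake for leftover config. Judging by the `try_files $uri.html =404;` context just above, they appear to exempt these files from the `.html` fallback; a line such as `# signing-key files: serve as-is, outside the .html fallback` would record that intent. The extensionless `/allowed_signers` will be served with whatever `default_type` applies at this level, which is not visible in the hunk, so it is worth confirming that it is the intended type. The enclosing `http {` block starts and ends outside the hunk.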
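Review bot: The single entry in `static/allowed_signers` carries no options, so any tool reading this file will accept the key for every signature namespace and for any signing date. The ssh-keygen allowed-signers format takes options between the principal and the key type, so the line could read `daniel.micay@grapheneos.org namespaces="git" ssh-ed25519 AAAA…` (key unchanged), optionally with a `valid-after` date matching the 2023-01-05 switch described in build.html. Changing the file means regenerating `allowed_signers.asc` and `allowed_signers.sig`, since both sign its exact bytes.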
@@ -0,0 +1,2 @@
+untrusted comment: verify with factory.pub
+RWQZW9NItOuQYA+Rim+poiDbYOb1fwiBP5iNXqWc62wc1d/blJH3GwosSRLN77WE51WT0GhHOru1gRwcgf4AWVzWnn20I28X5QY=
diff --git a/static/build.html b/static/build.html
index a56bb14e..752b2934 100644
--- a/static/build.html
+++ b/static/build.html
@@ -351,10 +351,18 @@ repo sync -j16 cd grapheneos-TAG_NAME repo init -u https://github.com/GrapheneOS/platform_manifest.git -b refs/tags/TAG_NAME +
Obtain GPG public key for verifying tags before 2023-01-05:
+ +gpg --recv-keys 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A+ +
Obtain SSH public key for verifying tags after 2023-01-05:
+ +curl https://grapheneos.org/allowed_signers > ~/.ssh/grapheneos_allowed_signers+
Verify the manifest:
-gpg --recv-keys 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A -cd .repo/manifests +cd .repo/manifests +git config gpg.ssh.allowedSignersFile ~/.ssh/grapheneos_allowed_signers git verify-tag $(git describe) cd ../..
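Review bot: The new `curl https://grapheneos.org/allowed_signers > ~/.ssh/grapheneos_allowed_signers` step leaves the HTTPS fetch as the only thing vouching for the SSH key, even though this commit also publishes `allowed_signers.asc` and the reader has just imported the GPG key. A follow-up step would tie the new key to the old one, for example `curl -O https://grapheneos.org/allowed_signers.asc` then `gpg --verify allowed_signers.asc ~/.ssh/grapheneos_allowed_signers`, assuming the .asc was made with the GPG key imported in the step above. Adding `-f` to the curl call would also keep an HTTP error page from being written into the signers file when the request fails. The markup around these commands is not visible in this view, so the exact placement in build.html is inferred.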