#!/usr/bin/env bash

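# Page header. The delimiter is quoted because the text contains nothing that
# should be expanded; it is written verbatim and (re)creates signatures.txt.
cat <<'EOT' > signatures.txt
---
---
LEDE Public Keys
================

== LEDE Public Keys

This page lists the fingerprints of all public keys in use by the LEDE project
and is automatically generated from the developer keys present in the
https://git.lede-project.org/?p=keyring.git[keyring.git] repository.

Refer to our link:signing.html[signing documentation page] to learn more about
file verification and key generation.

EOT

# Scratch space for the keyring checkout and a private GnuPG home. The name is
# predictable (PID based) and lives in the current directory, so a pre-existing
# directory is refused rather than silently adopted as "mkdir -p" would do;
# the GnuPG home is created mode 0700, which is what gpg expects for it.
if ! mkdir "tmp.$$" || ! mkdir -m 700 "tmp.$$/gpg"; then
	echo "Cannot create temporary directory." >&2
	exit 1
fi

# Clean up on every exit path, not only on INT/TERM; the signal traps exit so
# the EXIT trap runs and the script does not continue past the interrupted
# command.
trap 'rm -fr "tmp.$$"' EXIT
trap 'exit 1' INT TERM

# The generated page is only as trustworthy as this checkout. Abort instead of
# publishing an empty key list when the clone fails; the later key loops would
# otherwise simply find no files and produce empty sections.
git clone https://git.lede-project.org/keyring.git "tmp.$$/git" || {
	echo "Cannot clone keyring repository." >&2
	exit 1
}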


# Introduction of the GnuPG section; quoted delimiter, nothing to expand.
cat >> signatures.txt <<'EOT'
=== GnuPG key fingerprints

GnuPG keys are mainly used to verify the integrity of firmware image downloads.

Signature verification ensures that image downloads have not been tampered with
and that the third-party download mirrors serve genuine content.

EOT

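#######################################
# Render "gpg --fingerprint" output for one key as AsciiDoc lines.
# Reads the gpg listing on stdin; only "pub", "sub", "uid" and the
# "Key fingerprint = ..." lines are used, every other line is ignored.
# NOTE(review): the pub/sub parsing assumes the classic
# "2048R/KEYID YYYY-MM-DD [expires: YYYY-MM-DD]" listing layout — verify this
# against the gpg version used to build the page.
# Globals:   none (all state is local)
# Arguments: none
# Outputs:   user IDs first, then the public key, its fingerprint and any
#            subkeys in listing order, each line ending in " +"
# Returns:   0
#######################################
format_key() {
	local output="" field rest oIFS type keyid created expires fingerprint

	# -r keeps backslashes in user IDs intact instead of interpreting them.
	while read -r field rest; do
		case $field in
			uid)
				# Drop a "(comment)", obfuscate the e-mail address and
				# emphasise the name. User IDs are prepended so they appear
				# above the key material.
				output="User ID: $(printf '%s\n' "$rest" | sed -e 's/([^()]*) //; s/@/ -at- /; s/^\(.*\) </*\1* </') +\n$output"
			;;
			pub|sub)
				# Split "2048R/KEYID created [expires: date]" on blanks, "/"
				# and "]" so that $5, when present, is the expiry date.
				oIFS="$IFS"; IFS=" /]"; set -- $rest; IFS="$oIFS"
				type="$1"; keyid="$2"; created="$3"; expires="$5"

				case $field in
					pub) output="${output}Public Key: " ;;
					sub) output="${output}Signing Subkey: " ;;
				esac

				output="${output}*0x$keyid* ("

				# The algorithm letter is the suffix of the size field.
				case $type in
					*[rR]) output="${output}${type%[rR]} Bit RSA" ;;
					*[dD]) output="${output}${type%[dD]} Bit DSA" ;;
					*[gG]) output="${output}${type%[gG]} Bit ElGamal" ;;
				esac

				output="${output}, created $created${expires:+, expires $expires}) +\n"
			;;
			Key)
				fingerprint="${rest##* = }"
				output="${output}Fingerprint: +$fingerprint+ +\n"
			;;
		esac
	done

	# %b expands the "\n" sequences built above while keeping any "%" found in
	# user ID data literal; using $output itself as the format string would let
	# keyring content act as printf directives.
	printf '%b' "$output"
}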

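# Walk every armoured key in the checkout, ordered by its "Comment:" header,
# import it into the private GnuPG home and append one section per key.
grep -rE "^Comment: " "tmp.$$/git/gpg"/*.asc | \
sed -e 's!^\([^:]*\):Comment: \(.*\)$!\2|\1!' | \
sort | \
while IFS= read -r line; do
	# Lines are "comment|path"; the comment may itself contain "|", so the
	# path is whatever follows the last one.
	keyfile="${line##*|}"
	comment="${line%|*}"

	# The key id comes from the "IMPORTED" status line. gpg's stdin is
	# redirected so it can never consume the remaining lines of the listing.
	# NOTE(review): gpg only emits IMPORTED for keys not already present, and
	# a file holding several keys would yield several ids here — confirm each
	# .asc carries exactly one key.
	keyid=$(gpg --status-fd 1 --homedir "tmp.$$/gpg" --import "$keyfile" 2>/dev/null </dev/null | \
		sed -ne 's!^.* IMPORTED \([A-F0-9]\+\) .*$!\1!p')

	# Without an id the fingerprint lookup below would not be tied to this
	# file (presumably gpg would list whatever is in the home dir), so skip
	# the key and say so rather than print unrelated key material.
	if [ -z "$keyid" ]; then
		echo "No key id obtained from $keyfile, skipping." >&2
		continue
	fi

	relfile="gpg/${keyfile##*/gpg/}"
	# "&&" so that a failed cd does not query the history of the wrong tree.
	modtime="$(cd "tmp.$$/git/" && git log -1 --format="%ci" -- "$relfile")"

	{
		cat <<-EOT
			---

			==== $comment
			$(gpg --homedir "tmp.$$/gpg" --fingerprint --fingerprint "$keyid" 2>/dev/null | format_key)

			[small]#https://git.lede-project.org/?p=keyring.git;a=history;f=$relfile[Last change: $modtime] | https://git.lede-project.org/?p=keyring.git;a=blob_plain;f=$relfile[Download]#

		EOT
	} >> signatures.txt
done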

# Introduction of the usign section; quoted delimiter, nothing to expand.
cat >> signatures.txt <<'EOT'
=== _usign_ public keys

The _usign_ EC keys are used to sign repository indexes in order to ensure that
packages fetched and installed via _opkg_ are unmodified and genuine.

Those keys are usually installed by default and bundled as
https://git.lede-project.org/?p=source.git;a=tree;f=package/system/lede-keyring[lede-keyring]
package.

EOT

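# Walk every usign key (file names are the hex key id), ordered by its
# "untrusted comment:" header, and append one section per key. The key data
# is copied verbatim from the file, minus that comment line.
grep -rE "^untrusted comment: " "tmp.$$/git/usign"/[a-f0-9]* | \
sed -e 's!^\([^:]*\):untrusted comment: \(.*\)$!\2|\1!' | \
sort | \
while IFS= read -r line; do
	# Lines are "comment|path"; the path is whatever follows the last "|".
	keyfile="${line##*|}"
	comment="${line%|*}"

	relfile="usign/${keyfile##*/usign/}"
	# "&&" so that a failed cd does not query the history of the wrong tree.
	modtime="$(cd "tmp.$$/git/" && git log -1 --format="%ci" -- "$relfile")"

	{
		cat <<-EOT
			---

			==== $comment
			 * Key-ID: +${keyfile##*/}+
			 * Key-Data: +$(grep -vE "^untrusted comment: " "$keyfile")+

			[small]#https://git.lede-project.org/?p=keyring.git;a=history;f=$relfile[Last change: $modtime] | https://git.lede-project.org/?p=keyring.git;a=blob_plain;f=$relfile[Download]#

		EOT
	} >> signatures.txt
done

# Drop the checkout and the private GnuPG home; "--" guards the name, which
# can never be empty here since it always carries the "tmp." prefix.
rm -fr -- "tmp.$$"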