mirror of
https://github.com/TrustTunnel/TrustTunnel.git
synced 2026-07-09 17:18:36 +00:00
Pull request 149: Add GPG signing of trusttunnel binaries
Squashed commit of the following:
commit eecd19ff9342b9b921c0b18791bdd30db96adb17
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Tue Feb 3 19:42:26 2026 +0300
Add GPG signing of trusttunnel binaries
This commit is contained in:
parent
e19c586adb
commit
a5c0a99a14
4 changed files with 84 additions and 2 deletions
|
|
@ -1,5 +1,7 @@
|
|||
# CHANGELOG
|
||||
|
||||
- [Feature] Added GPG signing of the endpoint binaries.
|
||||
|
||||
## 0.9.122
|
||||
|
||||
- Endpoint now requires credentials when listening on a public address.
|
||||
|
|
|
|||
|
|
@ -368,6 +368,7 @@ sudo ./trusttunnel_client -c trusttunnel_client.toml
|
|||
- [DEVELOPMENT.md](DEVELOPMENT.md) - Development documentation
|
||||
- [PROTOCOL.md](PROTOCOL.md) - Protocol specification
|
||||
- [CHANGELOG.md](CHANGELOG.md) - Changelog
|
||||
- [VERIFY_RELEASES.md](VERIFY_RELEASES.md) - How to verify releases
|
||||
|
||||
## Roadmap
|
||||
|
||||
|
|
|
|||
51
VERIFY_RELEASES.md
Normal file
51
VERIFY_RELEASES.md
Normal file
|
|
@ -0,0 +1,51 @@
|
|||
# Verifying TrustTunnel Releases
|
||||
|
||||
Since TrustTunnel v0.9.126 we sign the executable files we build so that you can verify they are really created by us and no one else. Inside an archive file there's a small file with .sig extension which contains the signature data. In a hypothetic situation when the binary file inside an archive is replaced by someone, you'll know that it isn't an official release from AdGuard.
|
||||
|
||||
## How to verify that the executable file was built by AdGuard?
|
||||
|
||||
1. Unpack the TrustTunnel archive file.
|
||||
2. Import TrustTunnel public key from keyserver. For current release, run:
|
||||
|
||||
```text
|
||||
gpg --keyserver 'keys.openpgp.org' --recv-key '28645AC9776EC4C00BCE2AFC0FE641E7235E2EC6'
|
||||
```
|
||||
|
||||
The above command will print something similar to:
|
||||
|
||||
```text
|
||||
gpg: key 0FE641E7235E2EC6: public key "AdGuard <devteam@adguard.com>" imported
|
||||
gpg: Total number processed: 1
|
||||
gpg: imported: 1
|
||||
```
|
||||
|
||||
3. Verify. On Unix:
|
||||
|
||||
```text
|
||||
gpg --verify trusttunnel/setup_wizard.sig
|
||||
gpg --verify trusttunnel/trusttunnel_endpoint.sig
|
||||
```
|
||||
|
||||
You'll see something like this:
|
||||
|
||||
```text
|
||||
gpg: assuming signed data in 'trusttunnel'
|
||||
gpg: Signature made Mon 2 Feb 2026 19:30:55 MSK
|
||||
gpg: using RSA key 28645AC9776EC4C00BCE2AFC0FE641E7235E2EC6
|
||||
gpg: issuer "devteam@adguard.com"
|
||||
gpg: Good signature from "AdGuard <devteam@adguard.com>" [ultimate]
|
||||
```
|
||||
|
||||
Check the following:
|
||||
|
||||
- RSA key: must be 28645AC9776EC4C00BCE2AFC0FE641E7235E2EC6;
|
||||
- Issuer name: must be AdGuard;
|
||||
- E-mail address: must be devteam@adguard.com.
|
||||
|
||||
There may also be the following warning:
|
||||
|
||||
```text
|
||||
gpg: WARNING: The key's User ID is not certified with a trusted signature!
|
||||
gpg: There is no indication that the signature belongs to the owner.
|
||||
Primary key fingerprint: 2864 5AC9 776E C4C0 0BCE 2AFC 0FE6 41E7 235E 2EC6
|
||||
```
|
||||
|
|
@ -60,6 +60,12 @@ Build on Linux:
|
|||
|
||||
mkdir -p build_linux
|
||||
VERSION=$(cat endpoint/Cargo.toml | grep "version = " | head -n 1 | sed -e 's/version = "\(.*\)"/\1/')
|
||||
|
||||
# Set up GPG for signing binaries
|
||||
GPG_KEY=devteam@adguard.com
|
||||
echo "${bamboo.gpgSecretKeyPart1}${bamboo.gpgSecretKeyPart2}"\
|
||||
| awk '{ gsub(/\\n/, "\n"); print; }'\
|
||||
| gpg --import --batch --yes
|
||||
|
||||
pushd target/aarch64-unknown-linux-musl/release/
|
||||
llvm-objcopy --only-keep-debug trusttunnel_endpoint trusttunnel_endpoint.debug
|
||||
|
|
@ -70,8 +76,19 @@ Build on Linux:
|
|||
llvm-objcopy --add-gnu-debuglink=setup_wizard.debug setup_wizard
|
||||
cp ${ENDPOINT_ROOT}/LICENSE .
|
||||
cp ${ENDPOINT_ROOT}/scripts/trusttunnel.service.template .
|
||||
# Sign binaries with GPG
|
||||
gpg --default-key "${GPG_KEY}" \
|
||||
--detach-sig \
|
||||
--passphrase "${bamboo.gpgPassword}" \
|
||||
--pinentry-mode loopback \
|
||||
trusttunnel_endpoint
|
||||
gpg --default-key "${GPG_KEY}" \
|
||||
--detach-sig \
|
||||
--passphrase "${bamboo.gpgPassword}" \
|
||||
--pinentry-mode loopback \
|
||||
setup_wizard
|
||||
NAME=trusttunnel-v${VERSION}-linux-aarch64
|
||||
tar zcf ${NAME}.tar.gz --transform "s,^,${NAME}/," trusttunnel_endpoint setup_wizard LICENSE trusttunnel.service.template
|
||||
tar zcf ${NAME}.tar.gz --transform "s,^,${NAME}/," trusttunnel_endpoint trusttunnel_endpoint.sig setup_wizard setup_wizard.sig LICENSE trusttunnel.service.template
|
||||
mv ${NAME}.tar.gz ${ENDPOINT_ROOT}/build_linux
|
||||
|
||||
NAME_DBG=${NAME}-dbgsym
|
||||
|
|
@ -88,8 +105,19 @@ Build on Linux:
|
|||
llvm-objcopy --add-gnu-debuglink=setup_wizard.debug setup_wizard
|
||||
cp ${ENDPOINT_ROOT}/LICENSE .
|
||||
cp ${ENDPOINT_ROOT}/scripts/trusttunnel.service.template .
|
||||
# Sign binaries with GPG
|
||||
gpg --default-key "${GPG_KEY}" \
|
||||
--detach-sig \
|
||||
--passphrase "${bamboo.gpgPassword}" \
|
||||
--pinentry-mode loopback \
|
||||
trusttunnel_endpoint
|
||||
gpg --default-key "${GPG_KEY}" \
|
||||
--detach-sig \
|
||||
--passphrase "${bamboo.gpgPassword}" \
|
||||
--pinentry-mode loopback \
|
||||
setup_wizard
|
||||
NAME=trusttunnel-v${VERSION}-linux-x86_64
|
||||
tar zcf ${NAME}.tar.gz --transform "s,^,${NAME}/," trusttunnel_endpoint setup_wizard LICENSE trusttunnel.service.template
|
||||
tar zcf ${NAME}.tar.gz --transform "s,^,${NAME}/," trusttunnel_endpoint trusttunnel_endpoint.sig setup_wizard setup_wizard.sig LICENSE trusttunnel.service.template
|
||||
mv ${NAME}.tar.gz ${ENDPOINT_ROOT}/build_linux
|
||||
|
||||
NAME_DBG=${NAME}-dbgsym
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue