Pull request 149: Add GPG signing of trusttunnel binaries

Squashed commit of the following:

commit eecd19ff9342b9b921c0b18791bdd30db96adb17
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date:   Tue Feb 3 19:42:26 2026 +0300

    Add GPG signing of trusttunnel binaries
This commit is contained in:
Aleksei Zhavoronkov 2026-02-09 07:03:34 +00:00
parent e19c586adb
commit a5c0a99a14
4 changed files with 84 additions and 2 deletions

View file

@ -1,5 +1,7 @@
# CHANGELOG
- [Feature] Added GPG signing of the endpoint binaries.
## 0.9.122
- Endpoint now requires credentials when listening on a public address.

View file

@ -368,6 +368,7 @@ sudo ./trusttunnel_client -c trusttunnel_client.toml
- [DEVELOPMENT.md](DEVELOPMENT.md) - Development documentation
- [PROTOCOL.md](PROTOCOL.md) - Protocol specification
- [CHANGELOG.md](CHANGELOG.md) - Changelog
- [VERIFY_RELEASES.md](VERIFY_RELEASES.md) - How to verify releases
## Roadmap

51
VERIFY_RELEASES.md Normal file
View file

@ -0,0 +1,51 @@
# Verifying TrustTunnel Releases
Since TrustTunnel v0.9.126 we sign the executable files we build so that you can verify they are really created by us and no one else. Inside an archive file there's a small file with .sig extension which contains the signature data. In a hypothetic situation when the binary file inside an archive is replaced by someone, you'll know that it isn't an official release from AdGuard.
## How to verify that the executable file was built by AdGuard?
1. Unpack the TrustTunnel archive file.
2. Import TrustTunnel public key from keyserver. For current release, run:
```text
gpg --keyserver 'keys.openpgp.org' --recv-key '28645AC9776EC4C00BCE2AFC0FE641E7235E2EC6'
```
The above command will print something similar to:
```text
gpg: key 0FE641E7235E2EC6: public key "AdGuard <devteam@adguard.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
```
3. Verify. On Unix:
```text
gpg --verify trusttunnel/setup_wizard.sig
gpg --verify trusttunnel/trusttunnel_endpoint.sig
```
You'll see something like this:
```text
gpg: assuming signed data in 'trusttunnel'
gpg: Signature made Mon 2 Feb 2026 19:30:55 MSK
gpg: using RSA key 28645AC9776EC4C00BCE2AFC0FE641E7235E2EC6
gpg: issuer "devteam@adguard.com"
gpg: Good signature from "AdGuard <devteam@adguard.com>" [ultimate]
```
Check the following:
- RSA key: must be 28645AC9776EC4C00BCE2AFC0FE641E7235E2EC6;
- Issuer name: must be AdGuard;
- E-mail address: must be devteam@adguard.com.
There may also be the following warning:
```text
gpg: WARNING: The key's User ID is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2864 5AC9 776E C4C0 0BCE 2AFC 0FE6 41E7 235E 2EC6
```

View file

@ -60,6 +60,12 @@ Build on Linux:
mkdir -p build_linux
VERSION=$(cat endpoint/Cargo.toml | grep "version = " | head -n 1 | sed -e 's/version = "\(.*\)"/\1/')
# Set up GPG for signing binaries
GPG_KEY=devteam@adguard.com
echo "${bamboo.gpgSecretKeyPart1}${bamboo.gpgSecretKeyPart2}"\
| awk '{ gsub(/\\n/, "\n"); print; }'\
| gpg --import --batch --yes
pushd target/aarch64-unknown-linux-musl/release/
llvm-objcopy --only-keep-debug trusttunnel_endpoint trusttunnel_endpoint.debug
@ -70,8 +76,19 @@ Build on Linux:
llvm-objcopy --add-gnu-debuglink=setup_wizard.debug setup_wizard
cp ${ENDPOINT_ROOT}/LICENSE .
cp ${ENDPOINT_ROOT}/scripts/trusttunnel.service.template .
# Sign binaries with GPG
gpg --default-key "${GPG_KEY}" \
--detach-sig \
--passphrase "${bamboo.gpgPassword}" \
--pinentry-mode loopback \
trusttunnel_endpoint
gpg --default-key "${GPG_KEY}" \
--detach-sig \
--passphrase "${bamboo.gpgPassword}" \
--pinentry-mode loopback \
setup_wizard
NAME=trusttunnel-v${VERSION}-linux-aarch64
tar zcf ${NAME}.tar.gz --transform "s,^,${NAME}/," trusttunnel_endpoint setup_wizard LICENSE trusttunnel.service.template
tar zcf ${NAME}.tar.gz --transform "s,^,${NAME}/," trusttunnel_endpoint trusttunnel_endpoint.sig setup_wizard setup_wizard.sig LICENSE trusttunnel.service.template
mv ${NAME}.tar.gz ${ENDPOINT_ROOT}/build_linux
NAME_DBG=${NAME}-dbgsym
@ -88,8 +105,19 @@ Build on Linux:
llvm-objcopy --add-gnu-debuglink=setup_wizard.debug setup_wizard
cp ${ENDPOINT_ROOT}/LICENSE .
cp ${ENDPOINT_ROOT}/scripts/trusttunnel.service.template .
# Sign binaries with GPG
gpg --default-key "${GPG_KEY}" \
--detach-sig \
--passphrase "${bamboo.gpgPassword}" \
--pinentry-mode loopback \
trusttunnel_endpoint
gpg --default-key "${GPG_KEY}" \
--detach-sig \
--passphrase "${bamboo.gpgPassword}" \
--pinentry-mode loopback \
setup_wizard
NAME=trusttunnel-v${VERSION}-linux-x86_64
tar zcf ${NAME}.tar.gz --transform "s,^,${NAME}/," trusttunnel_endpoint setup_wizard LICENSE trusttunnel.service.template
tar zcf ${NAME}.tar.gz --transform "s,^,${NAME}/," trusttunnel_endpoint trusttunnel_endpoint.sig setup_wizard setup_wizard.sig LICENSE trusttunnel.service.template
mv ${NAME}.tar.gz ${ENDPOINT_ROOT}/build_linux
NAME_DBG=${NAME}-dbgsym