| |
#
|
| |
set -e
|
| |
|
| - |
# SSH signing key for the release archives. This is currently cloudhead's key.
|
| - |
SIGNER="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL460KIEccS4881p7PPpiiQBsxF+H5tgC6De6crw9rbU"
|
| + |
# SSH signing key for the release archives. This is currently cloudhead and fintan's keys.
|
| + |
# FIXME: Technically, there should be a release signing key, with a shamir threshold of > 1, with the secret encrypted by something like SOPS.
|
| + |
CLOUDHEAD="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL460KIEccS4881p7PPpiiQBsxF+H5tgC6De6crw9rbU"
|
| + |
FINTAN="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFsaRqAJ1r6bBFwlcWzJKN7DdjItQDumCNc0wqw6Dvk"
|
| |
|
| |
url() {
|
| |
echo "https://files.radicle.xyz/releases/$1/radicle-$2.tar.xz"
|
| |
archive="$1"
|
| |
signers="$(dirname $archive)/signers"
|
| |
# Add the signer key to the allowed signers file we pass to ssh-keygen.
|
| - |
printf "cloudhead $SIGNER\n" > $signers
|
| + |
printf "radicle $FINTAN\n" > $signers
|
| + |
printf "radicle $CLOUDHEAD\n" >> $signers
|
| |
|
| |
# Verify that `$archive` was signed by a key in `$signers`, identified by the
|
| - |
# name "cloudhead", using the signature in `$archive.sig`.
|
| - |
ssh-keygen -Y verify -f $signers -I cloudhead -n file -s "$archive.sig" < "$archive" || fatal "Invalid signature for $archive"
|
| + |
# pattern "*@radicle.xyz", using the signature in `$archive.sig`.
|
| + |
ssh-keygen -Y verify -f $signers -I "radicle" -n file -s "$archive.sig" < "$archive" || fatal "Invalid signature for $archive"
|
| |
}
|
| |
|
| |
main() {
|