diff options
Diffstat (limited to 'certs/gencerts.sh')
| -rwxr-xr-x | certs/gencerts.sh | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/certs/gencerts.sh b/certs/gencerts.sh index dec0860..e129733 100755 --- a/certs/gencerts.sh +++ b/certs/gencerts.sh @@ -71,84 +71,83 @@ allfpr() { $(x509fpr 'lists.fripost.org:443 (list manager)') $(x509fpr 'git.fripost.org:443 (git server and its web interface)') * SSH server $(sshfpr 'gitolite@git.fripost.org:22') EOF } [ $# -eq 1 ] || usage asc="$1" asc2=$(mktemp --tmpdir) src=$(mktemp --tmpdir) src2=$(mktemp --tmpdir) mdwn="${asc%.asc}.mdwn" mdwn2=$(mktemp --tmpdir) DIR="$(dirname "$0")/public" +VCS_BROWSER='https://git.fripost.org/fripost-ansible' trap 'rm -f "$src" "$src2" "$asc2" "$mdwn2"' EXIT if [ -s "$asc" ]; then "$GPG" $GPG_OPTS --logger-file=/dev/null --output="$src" -- "$asc" fi # Generate ASCII file to be clearsigned cat >"$src2" << EOF The following is an up-to date list of SHA-1 and SHA-256 fingerprints of all X.509 certificates Fripost uses on its publicly available services. Please consider any mismatch as a man-in-the-middle attack, and let us know immediately! -- admin@fripost.org All our X.509 certificates are available in PEM format under - https://git.fripost.org/fripost-ansible/tree/certs/public , + $VCS_BROWSER/tree/certs/public , Git repository from which this fingerprint list was generated, at commit ID $(git --no-pager --git-dir="$DIR/../../.git" --work-tree="$DIR" log -1 --pretty=format:'%h from %aD' -- "$DIR"). EOF allfpr asc >>"$src2" # Generate markdown file cat >"$mdwn2" << EOF # Certificates at Fripost The following is an up-to date list of SHA-1 and SHA-256 fingerprints of all X.509 certificates Fripost uses on its publicly available services. Please consider any mismatch as a man-in-the-middle attack, and let us know immediately! (See also the [[signed version of this page|certs.asc]].) -- [[admin@fripost.org|mailto:admin@fripost.org]] All our X.509 certificates are available in PEM format under our -[[Git repository|https://git.fripost.org/fripost-ansible/tree/certs/public]], -from which this fingerprint list was -[[generated|https://git.fripost.org/fripost-ansible/tree/certs/gencerts.sh]], -at $(git --no-pager --git-dir="$DIR/../../.git" --work-tree="$DIR" log -1 \ ---pretty=format:'[[Commit ID %h from %aD|https://git.fripost.org/fripost-ansible/tree/certs/public?id=%H]]' -- "$DIR"). +[[Git repository|$VCS_BROWSER/tree/certs/public]], +from which this fingerprint list was [[generated|$VCS_BROWSER/tree/certs/gencerts.sh]], at +$(git --no-pager --git-dir="$DIR/../../.git" --work-tree="$DIR" log -1 --pretty=format:"[[Commit ID %h from %aD|$VCS_BROWSER/tree/certs/public?id=%H]]" -- "$DIR"). EOF allfpr mdwn >>"$mdwn2" tee -a "$src2" >> "$mdwn2" << EOF If your SSL/TLS-capable client is able to validate the public key fingerprint of the remote peer certificate, then you should probably use this (the above values prefixed with "PKey") instead of the fingerprint of the certificate instead (the above values prefixed with "X.509"), since the former typically doesn't change upon certificate renewal. EOF echo >>"$src2" if diff -u --label "a/${asc%.asc}" --label "b/${asc%.asc}" -- "$src" "$src2" && diff -q -- "$mdwn" "$mdwn2" >/dev/null; then echo 'The fingerprint list is up to date.' else |