As per discussion at [1]. Patches attached.
Patch 1/3 adds /node_modules/ to .gitignore
Patch 2/3 adds the actual key and verification instructions
Patch 3/3 adds a prominent download link for the public key.
This might be bit obnoxious, but it was suggested in the original discussion.
[1]: https://ffmpeg.org/pipermail/ffmpeg-devel/2021-February/276752.html
>From 85401bda30c00bbf02807baed5557c2b81dfa578 Mon Sep 17 00:00:00 2001
From: Zane van Iperen <z...@zanevaniperen.com>
Date: Wed, 24 Feb 2021 12:38:20 +1000
Subject: [PATCH 1/3] gitignore: add /node_modules/
Signed-off-by: Zane van Iperen <z...@zanevaniperen.com>
---
.gitignore | 1 +
1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index b215828..60a2b0a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
/htdocs/components
/htdocs/style.less
/htdocs/fonts/*.woff2
+/node_modules/
--
2.29.2
>From 6bdae11e7d1f6af67c5d1120a83f461e24621502 Mon Sep 17 00:00:00 2001
From: Zane van Iperen <z...@zanevaniperen.com>
Date: Wed, 24 Feb 2021 12:33:08 +1000
Subject: [PATCH 2/3] web/download: add signing key and verification
instructions
As per discussion at https://ffmpeg.org/pipermail/ffmpeg-devel/2021-February/276752.html
Signed-off-by: Zane van Iperen <z...@zanevaniperen.com>
---
htdocs/ffmpeg-devel.asc | 30 ++++++++++++++++++++++++++++++
src/download | 34 ++++++++++++++++++++++++++++++++++
2 files changed, 64 insertions(+)
create mode 100644 htdocs/ffmpeg-devel.asc
diff --git a/htdocs/ffmpeg-devel.asc b/htdocs/ffmpeg-devel.asc
new file mode 100644
index 0000000..3a4d521
--- /dev/null
+++ b/htdocs/ffmpeg-devel.asc
@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBE22rV0BCAC3DzRmA2XlhrqYv9HKoEvNHHf+PzosmCTHmYhWHDqvBxPkSvCl
+ipkbvJ4pBnVvcX6mW5QyKhspHm5j1X5ibe9Bt9/chS/obnIobmvF8shSUgjQ0qRW
+9c1aWOjvT26SxYQ1y9TmYCFwixeydGFHYKjAim+evGUccni5KMlfPoT3VTPtim78
+ufkr3E9Nco/Mobn/8APO0NmLEGWAM6ln/8J/c9h6a1QKnQyBqWfT0YnAaebafFaZ
+YwOtRdDG54VbJ4xwcHbCj5cKhTABk/QtBzDvnW4bG+uSpqdHbFZEY2JpURDuj/T3
+NudKQGzn0bYNpY1XY2l0pqs/btKHnBW0fVMjABEBAAG0NEZGbXBlZyByZWxlYXNl
+IHNpZ25pbmcga2V5IDxmZm1wZWctZGV2ZWxAZmZtcGVnLm9yZz6JATgEEwECACIF
+Ak22rV0CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJELQyLwTWdljYKxUH
+/1fqzl7SKie2g4t4PJbqUbkLuMsC+CP6gp0dcVZOHkuUYAoD3PM3iVxpLBVyKIXI
+g7wMSTAtlIcYnzhWIpnoCBes6/O2Mrq6xHgGeTp6CDcm3LmmSYR1f5KdD8KUaA+l
+c/M/1fEnwrSs/UGDk6R6iUmbqwxPsbozlOvmUHOLbDZBnKrk9XfAJdUhAuFACrSA
+T+KF1jniz0OfNGd23SaHWRCphoRW9pXDc5FfkdaueBUvBvGv19ZNcDhcxT3/u6z2
+DaUFC0rLWqk8obo951jVvi/zOhB94Pw6u1SLvcTq3V1q5URWJtgSbpih9VRqxUbQ
+NbXduKGzbHz6Vwpkupz4JRe5AQ0ETbatXQEIANjYrygJi/fn1nlSg5Mz0l9KHDm4
+yfWtaOrXUjJcyiGe4G0XXJLGh45qxJ0DOKzi9id+9W4jby+kKuzG9O6Vn0iDeODO
+aOGnz4ua7Vu6d0AbYfNXZPWge/GCodo/ZD/qri1tPkLmRtT/sniahwy6LruPNHfF
+SRoNIjwbcD/IL+EbY1pL1/IFSzEAA1ZZamgmHgB7o9pwDIkK6HuvHMR/Y5MsoMfV
+fWV3ZGtA6v9z51CvnHsHPsADRSnUp7aYtR412SiAO4XodMLTA92L3LxgYhI4ma7D
+XZ8jgKg4JkKO+DXmoU63HtRdq/HZjeXJKk1JGJF3zCvP3DyIzZ8LWIjN8t0AEQEA
+AYkBHwQYAQIACQUCTbatXQIbDAAKCRC0Mi8E1nZY2LS8B/0bMoUAl4X9D0WQbL4l
+U0czCIOKOsvbHpIxivjCnOQxU23+PV5WZdoCCpSuAHGv+2OHzhNrij++P9BNTJeQ
+skxdS9FH4MZwy1IRSPrxegSxbCUpBI1rd0Zf7qb9BNPrHPTueWFV1uExOSB2Apsv
+WrKo2D8mR0uZAPYfYl2ToFVoa5PR7/+ii9WiJr/flF6qm7hoLpI5Bm4VcZh2GPsJ
+9Vo/8x/qOGwtdWHqBykYloKsrwD4U69rjn+d9feLoPBRgoVroXWQttt0sUnyoudz
++x8ETJgPoNK3kQoDagApj4qAt83Ayac3HzNIuEJ7LdvfINIOprujnJ9vH4n04XLg
+I4EZ
+=Rjbw
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/src/download b/src/download
index 3f0e4d2..b82f446 100644
--- a/src/download
+++ b/src/download
@@ -249,6 +249,40 @@
</div> <!-- table-responsive -->
<div></div>
+ <h4 id="release-verification">
+ <i class="fa fa-lock"></i>
+ Release Verification</h4>
+
+ <p>
+ All FFmpeg releases are cryptographically signed with
+ <a href="ffmpeg-devel.asc">our public PGP key</a> and should be verified for
+ authenticity.
+ </p>
+ <pre>pub rsa2048 2011-04-26 [SC]
+ FCF986EA15E6E293A5644F10B4322F04D67658D8
+uid [ full ] FFmpeg release signing key <ffmpeg-devel@ffmpeg.org>
+sub rsa2048 2011-04-26 [E]</pre>
+
+ <p>
+ To verify a release:
+ <ol>
+ <li>Import our public key into your local keyring:
+ <pre>$ curl https://ffmpeg.org/ffmpeg-devel.asc | gpg --import</pre>
+ </li>
+ <li>
+ Download a release tarball and its corresponding signature.
+ </li>
+ <li>
+ Verify the signature:
+ <pre>$ gpg --verify ffmpeg-4.3.2.tar.xz.asc ffmpeg-4.3.2.tar.xz
+gpg: Signature made Sun 21 Feb 2021 06:35:15 AEST
+gpg: using RSA key FCF986EA15E6E293A5644F10B4322F04D67658D8
+gpg: issuer "ffmpeg-devel@ffmpeg.org"
+gpg: Good signature from "FFmpeg release signing key <ffmpeg-devel@ffmpeg.org>" [full]</pre>
+ </li>
+ </ol>
+ </p>
+
<h4 id="releases">
<i class="fa fa-history"></i>
Releases</h4>
--
2.29.2
>From 1f6f170dd3a59b3e1bccd14c8c1b42e41448aaf1 Mon Sep 17 00:00:00 2001
From: Zane van Iperen <z...@zanevaniperen.com>
Date: Wed, 24 Feb 2021 13:45:42 +1000
Subject: [PATCH 3/3] web/download: add prominent signing key download link
Signed-off-by: Zane van Iperen <z...@zanevaniperen.com>
---
src/download | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/download b/src/download
index b82f446..a6483a6 100644
--- a/src/download
+++ b/src/download
@@ -5,6 +5,11 @@
<i class="fa fa-cloud-download"></i>
Download Source Code
<small>ffmpeg-snapshot.tar.bz2</small>
+ </a>
+ <a href="ffmpeg-devel.asc" class="btn btn-success">
+ <i class="fa fa-key"></i>
+ Download PGP Signing Key
+ <small>ffmpeg-devel.asc</small>
</a>
<br>
<a href="#releases">More releases</a>
--
2.29.2
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
