As per discussion at [1]. Patches attached.

Patch 1/3 adds /node_modules/ to .gitignore
Patch 2/3 adds the actual key and verification instructions
Patch 3/3 adds a prominent download link for the public key. This might be a bit obnoxious, but it was suggested in the original discussion.

[1]: https://ffmpeg.org/pipermail/ffmpeg-devel/2021-February/276752.html
>From 85401bda30c00bbf02807baed5557c2b81dfa578 Mon Sep 17 00:00:00 2001 From: Zane van Iperen <z...@zanevaniperen.com> Date: Wed, 24 Feb 2021 12:38:20 +1000 Subject: [PATCH 1/3] gitignore: add /node_modules/ Signed-off-by: Zane van Iperen <z...@zanevaniperen.com> --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index b215828..60a2b0a 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ /htdocs/components /htdocs/style.less /htdocs/fonts/*.woff2 +/node_modules/ -- 2.29.2
>From 6bdae11e7d1f6af67c5d1120a83f461e24621502 Mon Sep 17 00:00:00 2001 From: Zane van Iperen <z...@zanevaniperen.com> Date: Wed, 24 Feb 2021 12:33:08 +1000 Subject: [PATCH 2/3] web/download: add signing key and verification instructions As per discussion at https://ffmpeg.org/pipermail/ffmpeg-devel/2021-February/276752.html Signed-off-by: Zane van Iperen <z...@zanevaniperen.com> --- htdocs/ffmpeg-devel.asc | 30 ++++++++++++++++++++++++++++++ src/download | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 htdocs/ffmpeg-devel.asc diff --git a/htdocs/ffmpeg-devel.asc b/htdocs/ffmpeg-devel.asc new file mode 100644 index 0000000..3a4d521 --- /dev/null +++ b/htdocs/ffmpeg-devel.asc 
@@ -0,0 +1,30 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBE22rV0BCAC3DzRmA2XlhrqYv9HKoEvNHHf+PzosmCTHmYhWHDqvBxPkSvCl +ipkbvJ4pBnVvcX6mW5QyKhspHm5j1X5ibe9Bt9/chS/obnIobmvF8shSUgjQ0qRW +9c1aWOjvT26SxYQ1y9TmYCFwixeydGFHYKjAim+evGUccni5KMlfPoT3VTPtim78 +ufkr3E9Nco/Mobn/8APO0NmLEGWAM6ln/8J/c9h6a1QKnQyBqWfT0YnAaebafFaZ +YwOtRdDG54VbJ4xwcHbCj5cKhTABk/QtBzDvnW4bG+uSpqdHbFZEY2JpURDuj/T3 +NudKQGzn0bYNpY1XY2l0pqs/btKHnBW0fVMjABEBAAG0NEZGbXBlZyByZWxlYXNl +IHNpZ25pbmcga2V5IDxmZm1wZWctZGV2ZWxAZmZtcGVnLm9yZz6JATgEEwECACIF +Ak22rV0CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJELQyLwTWdljYKxUH +/1fqzl7SKie2g4t4PJbqUbkLuMsC+CP6gp0dcVZOHkuUYAoD3PM3iVxpLBVyKIXI +g7wMSTAtlIcYnzhWIpnoCBes6/O2Mrq6xHgGeTp6CDcm3LmmSYR1f5KdD8KUaA+l +c/M/1fEnwrSs/UGDk6R6iUmbqwxPsbozlOvmUHOLbDZBnKrk9XfAJdUhAuFACrSA +T+KF1jniz0OfNGd23SaHWRCphoRW9pXDc5FfkdaueBUvBvGv19ZNcDhcxT3/u6z2 +DaUFC0rLWqk8obo951jVvi/zOhB94Pw6u1SLvcTq3V1q5URWJtgSbpih9VRqxUbQ +NbXduKGzbHz6Vwpkupz4JRe5AQ0ETbatXQEIANjYrygJi/fn1nlSg5Mz0l9KHDm4 +yfWtaOrXUjJcyiGe4G0XXJLGh45qxJ0DOKzi9id+9W4jby+kKuzG9O6Vn0iDeODO +aOGnz4ua7Vu6d0AbYfNXZPWge/GCodo/ZD/qri1tPkLmRtT/sniahwy6LruPNHfF +SRoNIjwbcD/IL+EbY1pL1/IFSzEAA1ZZamgmHgB7o9pwDIkK6HuvHMR/Y5MsoMfV +fWV3ZGtA6v9z51CvnHsHPsADRSnUp7aYtR412SiAO4XodMLTA92L3LxgYhI4ma7D +XZ8jgKg4JkKO+DXmoU63HtRdq/HZjeXJKk1JGJF3zCvP3DyIzZ8LWIjN8t0AEQEA +AYkBHwQYAQIACQUCTbatXQIbDAAKCRC0Mi8E1nZY2LS8B/0bMoUAl4X9D0WQbL4l +U0czCIOKOsvbHpIxivjCnOQxU23+PV5WZdoCCpSuAHGv+2OHzhNrij++P9BNTJeQ +skxdS9FH4MZwy1IRSPrxegSxbCUpBI1rd0Zf7qb9BNPrHPTueWFV1uExOSB2Apsv +WrKo2D8mR0uZAPYfYl2ToFVoa5PR7/+ii9WiJr/flF6qm7hoLpI5Bm4VcZh2GPsJ +9Vo/8x/qOGwtdWHqBykYloKsrwD4U69rjn+d9feLoPBRgoVroXWQttt0sUnyoudz ++x8ETJgPoNK3kQoDagApj4qAt83Ayac3HzNIuEJ7LdvfINIOprujnJ9vH4n04XLg +I4EZ +=Rjbw +-----END PGP PUBLIC KEY BLOCK----- diff --git a/src/download b/src/download index 3f0e4d2..b82f446 100644 --- a/src/download +++ b/src/download 
@@ -249,6 +249,40 @@ </div> <!-- table-responsive --> <div></div> + <h4 id="release-verification"> + <i class="fa fa-lock"></i> + Release Verification</h4> + + <p> + All FFmpeg releases are cryptographically signed with + <a href="ffmpeg-devel.asc">our public PGP key</a> and should be verified for + authenticity. + </p> + <pre>pub rsa2048 2011-04-26 [SC] + FCF986EA15E6E293A5644F10B4322F04D67658D8 +uid [ full ] FFmpeg release signing key <ffmpeg-devel@ffmpeg.org> +sub rsa2048 2011-04-26 [E]</pre> + + <p> + To verify a release: + <ol> + <li>Import our public key into your local keyring: + <pre>$ curl https://ffmpeg.org/ffmpeg-devel.asc | gpg --import</pre> + </li> + <li> + Download a release tarball and its corresponding signature. + </li> + <li> + Verify the signature: + <pre>$ gpg --verify ffmpeg-4.3.2.tar.xz.asc ffmpeg-4.3.2.tar.xz +gpg: Signature made Sun 21 Feb 2021 06:35:15 AEST +gpg: using RSA key FCF986EA15E6E293A5644F10B4322F04D67658D8 +gpg: issuer "ffmpeg-devel@ffmpeg.org" +gpg: Good signature from "FFmpeg release signing key <ffmpeg-devel@ffmpeg.org>" [full]</pre> + </li> + </ol> + </p> + <h4 id="releases"> <i class="fa fa-history"></i> Releases</h4> -- 2.29.2
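Review bot: In the src/download hunk, step 1 of "To verify a release" pipes the key from the site straight into gpg --import, and no later step asks the reader to compare the imported key's fingerprint with the FCF986EA15E6E293A5644F10B4322F04D67658D8 shown in the pre block, so the published fingerprint plays no part in the procedure. I would add a step between import and verify that runs gpg --fingerprint on that ID and compares the result with the page. Related: the key listing shows "[ full ]" and the sample output ends in "[full]", which is the validity in the author's own keyring; a reader who has only just imported the key will instead see gpg's warning that the key is not certified with a trusted signature, so the text should say that this is expected and that the fingerprint match is what to rely on. Separately, the ol is nested inside a p element, which is not valid HTML; close the p after "To verify a release:" and drop the trailing closing p tag.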
>From 1f6f170dd3a59b3e1bccd14c8c1b42e41448aaf1 Mon Sep 17 00:00:00 2001 From: Zane van Iperen <z...@zanevaniperen.com> Date: Wed, 24 Feb 2021 13:45:42 +1000 Subject: [PATCH 3/3] web/download: add prominent signing key download link Signed-off-by: Zane van Iperen <z...@zanevaniperen.com> --- src/download | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/download b/src/download index b82f446..a6483a6 100644 --- a/src/download +++ b/src/download @@ -5,6 +5,11 @@ <i class="fa fa-cloud-download"></i> Download Source Code <small>ffmpeg-snapshot.tar.bz2</small> + </a> + <a href="ffmpeg-devel.asc" class="btn btn-success"> + <i class="fa fa-key"></i> + Download PGP Signing Key + <small>ffmpeg-devel.asc</small> </a> <br> <a href="#releases">More releases</a> -- 2.29.2
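Review bot: The button added in the @@ -5,6 +5,11 @@ hunk links only to ffmpeg-devel.asc, so a reader who clicks it receives a key file with no indication of how to check it or what to do with it. Since 2/3 adds an h4 with id="release-verification", consider pointing this button (or a small link beside it, in the style of the existing "More releases" link to #releases) at #release-verification and keeping the key download inside that section, where the fingerprint and the steps are shown together. That would also make the button less intrusive at the top of the page.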