Last active
March 5, 2016 18:06
-
-
Save mtigas/0d49b42fab6f9d2f7e69 to your computer and use it in GitHub Desktop.
Some PGP-signed verification for various ProPublica TLS & Tor hidden service identities.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -----BEGIN PGP SIGNED MESSAGE----- | |
| Hash: SHA512 | |
| The following are the SSL certificate fingerprints for the | |
| following propublica.org servers as of 2016-03-05. | |
| CN or SAN: www.propublica.org | |
| Note: this domain is now served via the Fastly CDN, relying on shared SSL | |
| certificates. The www.propublica.org domain should be listed as a Subject | |
| Alternative Name on the certificate served by the CDN endpoint. | |
| CN or SAN: projects.propublica.org | |
| Note: this domain is now served via the Fastly CDN, relying on shared SSL | |
| certificates. The projects.propublica.org domain should be listed as a Subject | |
| Alternative Name on the certificate served by the CDN endpoint. | |
| CN or SAN: static.propublica.org | |
| notBefore=Jul 6 00:00:00 2015 GMT | |
| notAfter=Jul 5 23:59:59 2018 GMT | |
| SHA1 Fingerprint=30:27:56:F8:3A:A0:41:A0:4D:FE:7B:5F:9F:66:2A:83:3C:A8:40:7E | |
| SHA256 Fingerprint=28:18:04:0E:B0:1A:03:F8:AC:FC:A6:DA:89:37:3A:F5:C0:9A:1A:A7:16:0C:0F:33:15:2C:82:C7:F5:EB:6E:27 | |
| subject= /OU=Domain Control Validated/OU=PositiveSSL/CN=static.propublica.org | |
| DNS:static.propublica.org, DNS:www.static.propublica.org | |
| CN or SAN: securedrop.propublica.org | |
| notBefore=Mar 4 00:00:00 2016 GMT | |
| notAfter=Mar 9 12:00:00 2017 GMT | |
| SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30 | |
| SHA256 Fingerprint=E6:20:18:E1:65:68:60:07:37:F0:13:1C:BD:41:F8:5F:DF:59:C1:A3:40:4D:A4:BE:97:5E:E5:76:5F:53:CB:2A | |
| subject= /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=4424721/street=Floor 13/street=155 Avenue of the Americas/postalCode=10013/C=US/ST=New York/L=New York/O=Pro Publica, Inc./CN=*.propub3r6espa33w.onion | |
| DNS:*.propub3r6espa33w.onion, DNS:propub3r6espa33w.onion, DNS:pubdrop4dw6rk3aq.onion, DNS:pubapp7v22ykdou3.onion, DNS:*.pubapp7v22ykdou3.onion, DNS:ppasset42kropoy6.onion, DNS:*.ppasset42kropoy6.onion, DNS:propublica.org, DNS:www.propublica.org, DNS:projects.propublica.org, DNS:securedrop.propublica.org, DNS:static.propublica.org, DNS:mail.propublica.org, DNS:mail2.propublica.org, DNS:webmail.propublica.org, DNS:webmail2.propublica.org, DNS:autodiscover.propublica.org | |
| CN or SAN: *.propub3r6espa33w.onion | |
| notBefore=Mar 4 00:00:00 2016 GMT | |
| notAfter=Mar 9 12:00:00 2017 GMT | |
| SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30 | |
| SHA256 Fingerprint=E6:20:18:E1:65:68:60:07:37:F0:13:1C:BD:41:F8:5F:DF:59:C1:A3:40:4D:A4:BE:97:5E:E5:76:5F:53:CB:2A | |
| subject= /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=4424721/street=Floor 13/street=155 Avenue of the Americas/postalCode=10013/C=US/ST=New York/L=New York/O=Pro Publica, Inc./CN=*.propub3r6espa33w.onion | |
| DNS:*.propub3r6espa33w.onion, DNS:propub3r6espa33w.onion, DNS:pubdrop4dw6rk3aq.onion, DNS:pubapp7v22ykdou3.onion, DNS:*.pubapp7v22ykdou3.onion, DNS:ppasset42kropoy6.onion, DNS:*.ppasset42kropoy6.onion, DNS:propublica.org, DNS:www.propublica.org, DNS:projects.propublica.org, DNS:securedrop.propublica.org, DNS:static.propublica.org, DNS:mail.propublica.org, DNS:mail2.propublica.org, DNS:webmail.propublica.org, DNS:webmail2.propublica.org, DNS:autodiscover.propublica.org | |
| CN or SAN: pubapp7v22ykdou3.onion | |
| notBefore=Mar 4 00:00:00 2016 GMT | |
| notAfter=Mar 9 12:00:00 2017 GMT | |
| SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30 | |
| SHA256 Fingerprint=E6:20:18:E1:65:68:60:07:37:F0:13:1C:BD:41:F8:5F:DF:59:C1:A3:40:4D:A4:BE:97:5E:E5:76:5F:53:CB:2A | |
| subject= /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=4424721/street=Floor 13/street=155 Avenue of the Americas/postalCode=10013/C=US/ST=New York/L=New York/O=Pro Publica, Inc./CN=*.propub3r6espa33w.onion | |
| DNS:*.propub3r6espa33w.onion, DNS:propub3r6espa33w.onion, DNS:pubdrop4dw6rk3aq.onion, DNS:pubapp7v22ykdou3.onion, DNS:*.pubapp7v22ykdou3.onion, DNS:ppasset42kropoy6.onion, DNS:*.ppasset42kropoy6.onion, DNS:propublica.org, DNS:www.propublica.org, DNS:projects.propublica.org, DNS:securedrop.propublica.org, DNS:static.propublica.org, DNS:mail.propublica.org, DNS:mail2.propublica.org, DNS:webmail.propublica.org, DNS:webmail2.propublica.org, DNS:autodiscover.propublica.org | |
| CN or SAN: ppasset42kropoy6.onion | |
| notBefore=Mar 4 00:00:00 2016 GMT | |
| notAfter=Mar 9 12:00:00 2017 GMT | |
| SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30 | |
| SHA256 Fingerprint=E6:20:18:E1:65:68:60:07:37:F0:13:1C:BD:41:F8:5F:DF:59:C1:A3:40:4D:A4:BE:97:5E:E5:76:5F:53:CB:2A | |
| subject= /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=4424721/street=Floor 13/street=155 Avenue of the Americas/postalCode=10013/C=US/ST=New York/L=New York/O=Pro Publica, Inc./CN=*.propub3r6espa33w.onion | |
| DNS:*.propub3r6espa33w.onion, DNS:propub3r6espa33w.onion, DNS:pubdrop4dw6rk3aq.onion, DNS:pubapp7v22ykdou3.onion, DNS:*.pubapp7v22ykdou3.onion, DNS:ppasset42kropoy6.onion, DNS:*.ppasset42kropoy6.onion, DNS:propublica.org, DNS:www.propublica.org, DNS:projects.propublica.org, DNS:securedrop.propublica.org, DNS:static.propublica.org, DNS:mail.propublica.org, DNS:mail2.propublica.org, DNS:webmail.propublica.org, DNS:webmail2.propublica.org, DNS:autodiscover.propublica.org | |
| ============================== | |
| This message can be verified via the following PGP key, which can be | |
| corroborated on my ProPublica staff profile and other following links: | |
| pub 8192R/0xA993E7156E0E9923 2013-07-19 [expires: 2018-01-03] | |
| Key fingerprint = 4034 E60A A782 7C5D F21A 89AA A993 E715 6E0E 9923 | |
| uid Mike Tigas <mike@tig.as> | |
| uid Mike Tigas <mike.tigas@propublica.org> | |
| sub 2048R/0x641D4E3AA7F9FB72 2015-03-12 [expires: 2018-01-03] | |
| Key fingerprint = DEEF 6A2C 795F 11D0 13E8 B17A 641D 4E3A A7F9 FB72 | |
| sub 2048R/0x8DE8FCA65410F8C4 2015-03-12 [expires: 2018-01-03] | |
| Key fingerprint = A577 FE9F 0CCA 8AC7 2845 A101 8DE8 FCA6 5410 F8C4 | |
| https://static.propublica.org/assets/pgp/mike_tigas-4034E60AA7827C5DF21A89AAA993E7156E0E9923.txt | |
| https://mike.tig.as/pubkey_6E0E9923.txt | |
| http://p80.pool.sks-keyservers.net/pks/lookup?op=get&search=0x4034E60AA7827C5DF21A89AAA993E7156E0E9923 | |
| https://www.propublica.org/site/author/mike_tigas | |
| https://mike.tig.as/ | |
| https://twitter.com/mtigas | |
| https://keybase.io/mtigas | |
| -----BEGIN PGP SIGNATURE----- | |
| Comment: This is a PGP signature. Read more about e-mail | |
| Comment: encryption & PGP signatures: https://mike.tig.as/pgp/ | |
| iQEcBAEBCgAGBQJW2yAZAAoJEGQdTjqn+ftyspcIAKy0cDGiJ3O0rhdw0IE+WgR3 | |
| Lo+jZMQf1BZY34JE5r2tMMvOsYOsq2eKyumze5mRHbxBU+n0O9tT6+hQ5cIJ5hUN | |
| 2fhqsxlZMRpa7MZZJMJK8d4HfmY2XeyPawgsTmKkWA8rrLQ8GeWafB8Y/FbrBen6 | |
| QxPMBi5L8f9XMy8UD67RTqlfx+v54QlEMnPKEP87Qww7lrdb1b4hnc5yS1W6yPX5 | |
| OsnHdOD7I1SSdGRBdp20NYPdmkd3/AoXUUDo422IqC4Eep845zBPDbYxMUgWB8kX | |
| bSrpKcVIZCeUQ69tQd61RkSya7xlv8j7uyRPtYSvd+cZ3aK00rcFFROffucZ5Pk= | |
| =ZBI0 | |
| -----END PGP SIGNATURE----- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -----BEGIN PGP SIGNED MESSAGE----- | |
| Hash: SHA512 | |
| As of January 11, 2016, these four ProPublica domains | |
| are mirrored by "propub3r6espa33w.onion", under the following | |
| subdomains: | |
| www.propublica.org | www.propub3r6espa33w.onion | |
| projects.propublica.org | projects.propub3r6espa33w.onion | |
| static.propublica.org | static.propub3r6espa33w.onion | |
| cdn.propublica.net | cdn.propub3r6espa33w.onion | |
| (The first three used to be at propub3r6espa33w.onion, | |
| pubapp7v22ykdou3.onion, and ppasset42kropoy6.onion, respectively.) | |
| And our SecureDrop instance (info: https://securedrop.propublica.org/ | |
| and https://freedom.press/securedrop ) is located at: | |
| pubdrop4dw6rk3aq.onion | |
| This message can be verified via the following PGP key, which can be | |
| corroborated on my ProPublica staff profile and other following links: | |
| pub 8192R/0xA993E7156E0E9923 2013-07-19 [expires: 2018-01-03] | |
| Key fingerprint = 4034 E60A A782 7C5D F21A 89AA A993 E715 6E0E 9923 | |
| uid Mike Tigas <mike@tig.as> | |
| uid Mike Tigas <mike.tigas@propublica.org> | |
| sub 2048R/0x641D4E3AA7F9FB72 2015-03-12 [expires: 2018-01-03] | |
| Key fingerprint = DEEF 6A2C 795F 11D0 13E8 B17A 641D 4E3A A7F9 FB72 | |
| sub 2048R/0x8DE8FCA65410F8C4 2015-03-12 [expires: 2018-01-03] | |
| Key fingerprint = A577 FE9F 0CCA 8AC7 2845 A101 8DE8 FCA6 5410 F8C4 | |
| https://static.propublica.org/assets/pgp/mike_tigas-4034E60AA7827C5DF21A89AAA993E7156E0E9923.txt | |
| https://mike.tig.as/pubkey_6E0E9923.txt | |
| http://p80.pool.sks-keyservers.net/pks/lookup?op=get&search=0x4034E60AA7827C5DF21A89AAA993E7156E0E9923 | |
| https://www.propublica.org/site/author/mike_tigas | |
| https://mike.tig.as/ | |
| https://twitter.com/mtigas | |
| https://keybase.io/mtigas | |
| -----BEGIN PGP SIGNATURE----- | |
| iQEcBAEBCgAGBQJWlEJWAAoJEGQdTjqn+ftyvDQH/jq/Y6OtncP5u5jt7dK1OIvt | |
| X81YhrUcQOFroVD5xtNwB/a6qCTC6JmK95riqcuel56y2DJbX3C1qB1YAOzpiw2g | |
| ghV3/HtiMIOYywXYhaZiWDgAWw95r/9IjJVIoL2DuN+QQT0yZgIyH2WKr/r3nocZ | |
| /HP7+EcFTRldhgW/sDmRN+PvmFGTr+5utJhmYD3E4Aj0b3ZlDqcOgDBtMoIAZ66X | |
| 9QIzTbsGhR02Tiz7En2JWHWocEdyoO+2nh9Zcs3EydbwJmnOBaRx8ecIy8ehVe4K | |
| 8cUMDcRTU0ptmMVxYBHxY6Uv6MMIwDsfuK3a45I8gBd7+ROOnN0eusSwY0U0Qdg= | |
| =uk13 | |
| -----END PGP SIGNATURE----- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| export PATH=`brew --prefix curl`/bin:`brew --prefix openssl`/bin:`brew --prefix gnupg2`/bin:$PATH | |
| /usr/local/opt/curl/bin/curl -k -Lo /tmp/ca-bundle.crt https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt | |
| tee /tmp/certs.txt << EOF1 | |
| The following are the SSL certificate fingerprints for the | |
| following propublica.org servers as of `date +"%Y-%m-%d"`. | |
| CN or SAN: www.propublica.org | |
| Note: this domain is now served via the Fastly CDN, relying on shared SSL | |
| certificates. The www.propublica.org domain should be listed as a Subject | |
| Alternative Name on the certificate served by the CDN endpoint. | |
| CN or SAN: projects.propublica.org | |
| Note: this domain is now served via the Fastly CDN, relying on shared SSL | |
| certificates. The projects.propublica.org domain should be listed as a Subject | |
| Alternative Name on the certificate served by the CDN endpoint. | |
| EOF1 | |
| SITES="static.propublica.org securedrop.propublica.org" | |
| for SITE in ${SITES}; do | |
| echo -n | openssl s_client -connect ${SITE}:443 -servername ${SITE} -CAfile /tmp/ca-bundle.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/${SITE}.pem | |
| echo "CN or SAN: ${SITE}" >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/${SITE}.pem -dates >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/${SITE}.pem -fingerprint -sha1 >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/${SITE}.pem -fingerprint -sha256 >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/${SITE}.pem -fingerprint -subject | grep "subject" >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/${SITE}.pem -fingerprint -text | grep "DNS" | sed -e 's/^[ \t]*//' >> /tmp/certs.txt | |
| echo "" >> /tmp/certs.txt | |
| done | |
| echo -n | openssl s_client -connect securedrop.propublica.org:443 -servername "www.propub3r6espa33w.onion" -CAfile /tmp/ca-bundle.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/propub3r6espa33w.onion.pem | |
| echo "CN or SAN: *.propub3r6espa33w.onion" >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/propub3r6espa33w.onion.pem -dates >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/propub3r6espa33w.onion.pem -fingerprint -sha1 >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/propub3r6espa33w.onion.pem -fingerprint -sha256 >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/propub3r6espa33w.onion.pem -fingerprint -subject | grep "subject" >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/propub3r6espa33w.onion.pem -fingerprint -text | grep "DNS" | sed -e 's/^[ \t]*//' >> /tmp/certs.txt | |
| echo "" >> /tmp/certs.txt | |
| echo -n | openssl s_client -connect securedrop.propublica.org:443 -servername "pubapp7v22ykdou3.onion" -CAfile /tmp/ca-bundle.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/pubapp7v22ykdou3.onion.pem | |
| echo "CN or SAN: pubapp7v22ykdou3.onion" >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/pubapp7v22ykdou3.onion.pem -dates >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/pubapp7v22ykdou3.onion.pem -fingerprint -sha1 >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/pubapp7v22ykdou3.onion.pem -fingerprint -sha256 >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/pubapp7v22ykdou3.onion.pem -fingerprint -subject | grep "subject" >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/pubapp7v22ykdou3.onion.pem -fingerprint -text | grep "DNS" | sed -e 's/^[ \t]*//' >> /tmp/certs.txt | |
| echo "" >> /tmp/certs.txt | |
| echo -n | openssl s_client -connect securedrop.propublica.org:443 -servername "ppasset42kropoy6.onion" -CAfile /tmp/ca-bundle.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/ppasset42kropoy6.onion.pem | |
| echo "CN or SAN: ppasset42kropoy6.onion" >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/ppasset42kropoy6.onion.pem -dates >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/ppasset42kropoy6.onion.pem -fingerprint -sha1 >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/ppasset42kropoy6.onion.pem -fingerprint -sha256 >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/ppasset42kropoy6.onion.pem -fingerprint -subject | grep "subject" >> /tmp/certs.txt | |
| openssl x509 -noout -in /tmp/ppasset42kropoy6.onion.pem -fingerprint -text | grep "DNS" | sed -e 's/^[ \t]*//' >> /tmp/certs.txt | |
| echo "" >> /tmp/certs.txt | |
| tee -a /tmp/certs.txt << EOF1 | |
| ============================== | |
| This message can be verified via the following PGP key, which can be | |
| corroborated on my ProPublica staff profile and other following links: | |
| pub 8192R/0xA993E7156E0E9923 2013-07-19 [expires: 2018-01-03] | |
| Key fingerprint = 4034 E60A A782 7C5D F21A 89AA A993 E715 6E0E 9923 | |
| uid Mike Tigas <mike@tig.as> | |
| uid Mike Tigas <mike.tigas@propublica.org> | |
| sub 2048R/0x641D4E3AA7F9FB72 2015-03-12 [expires: 2018-01-03] | |
| Key fingerprint = DEEF 6A2C 795F 11D0 13E8 B17A 641D 4E3A A7F9 FB72 | |
| sub 2048R/0x8DE8FCA65410F8C4 2015-03-12 [expires: 2018-01-03] | |
| Key fingerprint = A577 FE9F 0CCA 8AC7 2845 A101 8DE8 FCA6 5410 F8C4 | |
| https://static.propublica.org/assets/pgp/mike_tigas-4034E60AA7827C5DF21A89AAA993E7156E0E9923.txt | |
| https://mike.tig.as/pubkey_6E0E9923.txt | |
| http://p80.pool.sks-keyservers.net/pks/lookup?op=get&search=0x4034E60AA7827C5DF21A89AAA993E7156E0E9923 | |
| https://www.propublica.org/site/author/mike_tigas | |
| https://mike.tig.as/ | |
| https://twitter.com/mtigas | |
| https://keybase.io/mtigas | |
| EOF1 | |
| rm /tmp/certs.txt.asc | |
| gpg --clearsign -u 0x4034E60AA7827C5DF21A89AAA993E7156E0E9923 /tmp/certs.txt | |
| cat /tmp/certs.txt.asc |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment