@mtigas
Last active March 5, 2016 18:06

Revisions

  1. mtigas revised this gist Mar 5, 2016. 2 changed files with 13 additions and 25 deletions.
    26 changes: 9 additions & 17 deletions 1-tls
    @@ -17,50 +17,40 @@ Alternative Name on the certificate served by the CDN endpoint.
    CN or SAN: static.propublica.org
    notBefore=Jul 6 00:00:00 2015 GMT
    notAfter=Jul 5 23:59:59 2018 GMT
    MD5 Fingerprint=4D:62:83:50:09:9F:88:BF:79:C9:DA:6A:49:14:A7:7F
    SHA1 Fingerprint=30:27:56:F8:3A:A0:41:A0:4D:FE:7B:5F:9F:66:2A:83:3C:A8:40:7E
    SHA256 Fingerprint=28:18:04:0E:B0:1A:03:F8:AC:FC:A6:DA:89:37:3A:F5:C0:9A:1A:A7:16:0C:0F:33:15:2C:82:C7:F5:EB:6E:27
    SHA1 Fingerprint=30:27:56:F8:3A:A0:41:A0:4D:FE:7B:5F:9F:66:2A:83:3C:A8:40:7E
    subject= /OU=Domain Control Validated/OU=PositiveSSL/CN=static.propublica.org
    DNS:static.propublica.org, DNS:www.static.propublica.org

    CN or SAN: securedrop.propublica.org
    notBefore=Mar 4 00:00:00 2016 GMT
    notAfter=Mar 9 12:00:00 2017 GMT
    MD5 Fingerprint=C5:67:B6:98:8C:C2:F0:D0:EA:E9:66:D7:B2:34:C3:77
    SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30
    SHA256 Fingerprint=E6:20:18:E1:65:68:60:07:37:F0:13:1C:BD:41:F8:5F:DF:59:C1:A3:40:4D:A4:BE:97:5E:E5:76:5F:53:CB:2A
    SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30
    subject= /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=4424721/street=Floor 13/street=155 Avenue of the Americas/postalCode=10013/C=US/ST=New York/L=New York/O=Pro Publica, Inc./CN=*.propub3r6espa33w.onion
    DNS:*.propub3r6espa33w.onion, DNS:propub3r6espa33w.onion, DNS:pubdrop4dw6rk3aq.onion, DNS:pubapp7v22ykdou3.onion, DNS:*.pubapp7v22ykdou3.onion, DNS:ppasset42kropoy6.onion, DNS:*.ppasset42kropoy6.onion, DNS:propublica.org, DNS:www.propublica.org, DNS:projects.propublica.org, DNS:securedrop.propublica.org, DNS:static.propublica.org, DNS:mail.propublica.org, DNS:mail2.propublica.org, DNS:webmail.propublica.org, DNS:webmail2.propublica.org, DNS:autodiscover.propublica.org

    CN or SAN: *.propub3r6espa33w.onion
    notBefore=Mar 4 00:00:00 2016 GMT
    notAfter=Mar 9 12:00:00 2017 GMT
    MD5 Fingerprint=C5:67:B6:98:8C:C2:F0:D0:EA:E9:66:D7:B2:34:C3:77
    SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30
    SHA256 Fingerprint=E6:20:18:E1:65:68:60:07:37:F0:13:1C:BD:41:F8:5F:DF:59:C1:A3:40:4D:A4:BE:97:5E:E5:76:5F:53:CB:2A
    SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30
    subject= /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=4424721/street=Floor 13/street=155 Avenue of the Americas/postalCode=10013/C=US/ST=New York/L=New York/O=Pro Publica, Inc./CN=*.propub3r6espa33w.onion
    DNS:*.propub3r6espa33w.onion, DNS:propub3r6espa33w.onion, DNS:pubdrop4dw6rk3aq.onion, DNS:pubapp7v22ykdou3.onion, DNS:*.pubapp7v22ykdou3.onion, DNS:ppasset42kropoy6.onion, DNS:*.ppasset42kropoy6.onion, DNS:propublica.org, DNS:www.propublica.org, DNS:projects.propublica.org, DNS:securedrop.propublica.org, DNS:static.propublica.org, DNS:mail.propublica.org, DNS:mail2.propublica.org, DNS:webmail.propublica.org, DNS:webmail2.propublica.org, DNS:autodiscover.propublica.org

    CN or SAN: pubapp7v22ykdou3.onion
    notBefore=Mar 4 00:00:00 2016 GMT
    notAfter=Mar 9 12:00:00 2017 GMT
    MD5 Fingerprint=C5:67:B6:98:8C:C2:F0:D0:EA:E9:66:D7:B2:34:C3:77
    SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30
    SHA256 Fingerprint=E6:20:18:E1:65:68:60:07:37:F0:13:1C:BD:41:F8:5F:DF:59:C1:A3:40:4D:A4:BE:97:5E:E5:76:5F:53:CB:2A
    SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30
    subject= /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=4424721/street=Floor 13/street=155 Avenue of the Americas/postalCode=10013/C=US/ST=New York/L=New York/O=Pro Publica, Inc./CN=*.propub3r6espa33w.onion
    DNS:*.propub3r6espa33w.onion, DNS:propub3r6espa33w.onion, DNS:pubdrop4dw6rk3aq.onion, DNS:pubapp7v22ykdou3.onion, DNS:*.pubapp7v22ykdou3.onion, DNS:ppasset42kropoy6.onion, DNS:*.ppasset42kropoy6.onion, DNS:propublica.org, DNS:www.propublica.org, DNS:projects.propublica.org, DNS:securedrop.propublica.org, DNS:static.propublica.org, DNS:mail.propublica.org, DNS:mail2.propublica.org, DNS:webmail.propublica.org, DNS:webmail2.propublica.org, DNS:autodiscover.propublica.org

    CN or SAN: ppasset42kropoy6.onion
    notBefore=Mar 4 00:00:00 2016 GMT
    notAfter=Mar 9 12:00:00 2017 GMT
    MD5 Fingerprint=C5:67:B6:98:8C:C2:F0:D0:EA:E9:66:D7:B2:34:C3:77
    SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30
    SHA256 Fingerprint=E6:20:18:E1:65:68:60:07:37:F0:13:1C:BD:41:F8:5F:DF:59:C1:A3:40:4D:A4:BE:97:5E:E5:76:5F:53:CB:2A
    SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30
    subject= /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=4424721/street=Floor 13/street=155 Avenue of the Americas/postalCode=10013/C=US/ST=New York/L=New York/O=Pro Publica, Inc./CN=*.propub3r6espa33w.onion
    DNS:*.propub3r6espa33w.onion, DNS:propub3r6espa33w.onion, DNS:pubdrop4dw6rk3aq.onion, DNS:pubapp7v22ykdou3.onion, DNS:*.pubapp7v22ykdou3.onion, DNS:ppasset42kropoy6.onion, DNS:*.ppasset42kropoy6.onion, DNS:propublica.org, DNS:www.propublica.org, DNS:projects.propublica.org, DNS:securedrop.propublica.org, DNS:static.propublica.org, DNS:mail.propublica.org, DNS:mail2.propublica.org, DNS:webmail.propublica.org, DNS:webmail2.propublica.org, DNS:autodiscover.propublica.org
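Review bot: The securedrop.propublica.org, *.propub3r6espa33w.onion, pubapp7v22ykdou3.onion and ppasset42kropoy6.onion entries carry the same dates, the same SHA1 and SHA256 fingerprints, and the same subject and DNS lines, so the signed text describes one certificate four times. Consider listing that certificate once, followed by the names it is served under; that makes it obvious to a reader that a single fingerprint covers all of them and leaves less text to compare on the next rotation.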

    @@ -87,12 +77,14 @@ https://twitter.com/mtigas
    https://keybase.io/mtigas

    -----BEGIN PGP SIGNATURE-----
    Comment: This is a PGP signature. Read more about e-mail
    Comment: encryption & PGP signatures: https://mike.tig.as/pgp/

    iQEcBAEBCgAGBQJW2x8HAAoJEGQdTjqn+ftyvkMH/jQxQJtJS3WGk2PzCUZHxBEU
    VKHuFgxOTOfbjeU0aPFGWQp+irU5d9Zxdi+40WXKtLSFSPFCVvhaLGQauRA0F4pW
    +NQwLyy+Ldz+a09sv8Akgubj4ZxzgvUMc8Jhl+NnRX5LRCF+Tbfy/+2EuecjeHok
    zKT6RJjfJI6dZwECo8Jw38o3AHiHavvmxx5CbhoOGBUPZWhF5e0fF3BQYsuCcqkZ
    xzinrkehXJHbzA+PkJ3XgJJ+svGWxFQZNHrOuHtpP3jkd3CVLOCLaM3Zj5qEdLqc
    fiaMJTXNui8tSAUFRe5QjRNzRRixpFawWpOKldBQyRd2A6UoWYnZ25tAat3BmwA=
    =eiAH
    iQEcBAEBCgAGBQJW2yAZAAoJEGQdTjqn+ftyspcIAKy0cDGiJ3O0rhdw0IE+WgR3
    Lo+jZMQf1BZY34JE5r2tMMvOsYOsq2eKyumze5mRHbxBU+n0O9tT6+hQ5cIJ5hUN
    2fhqsxlZMRpa7MZZJMJK8d4HfmY2XeyPawgsTmKkWA8rrLQ8GeWafB8Y/FbrBen6
    QxPMBi5L8f9XMy8UD67RTqlfx+v54QlEMnPKEP87Qww7lrdb1b4hnc5yS1W6yPX5
    OsnHdOD7I1SSdGRBdp20NYPdmkd3/AoXUUDo422IqC4Eep845zBPDbYxMUgWB8kX
    bSrpKcVIZCeUQ69tQd61RkSya7xlv8j7uyRPtYSvd+cZ3aK00rcFFROffucZ5Pk=
    =ZBI0
    -----END PGP SIGNATURE-----
    12 changes: 4 additions & 8 deletions z-certs.sh
    @@ -24,10 +24,9 @@ for SITE in ${SITES}; do
    echo -n | openssl s_client -connect ${SITE}:443 -servername ${SITE} -CAfile /tmp/ca-bundle.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/${SITE}.pem
    echo "CN or SAN: ${SITE}" >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/${SITE}.pem -dates >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/${SITE}.pem -fingerprint -md5 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/${SITE}.pem -fingerprint -sha1 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/${SITE}.pem -fingerprint -sha256 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/${SITE}.pem -fingerprint -subject >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/${SITE}.pem -fingerprint -subject | grep "subject" >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/${SITE}.pem -fingerprint -text | grep "DNS" | sed -e 's/^[ \t]*//' >> /tmp/certs.txt
    echo "" >> /tmp/certs.txt
    done
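Review bot: On the `openssl s_client -connect ${SITE}:443 ... -CAfile /tmp/ca-bundle.crt | sed ...` line at the top of the loop, the CA bundle is supplied but nothing checks the verification result, and the pipeline's exit status is that of `sed`, so a certificate that fails chain validation is still written to /tmp/${SITE}.pem and its fingerprint ends up in the text that gets signed. Add `-verify_return_error` to `s_client` and stop the run when the handshake fails or the .pem file comes back empty, before anything is appended to /tmp/certs.txt. Quoting "${SITE}" in the paths would also be worth doing while this line is being touched.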
    @@ -36,30 +35,27 @@ done
    echo -n | openssl s_client -connect securedrop.propublica.org:443 -servername "www.propub3r6espa33w.onion" -CAfile /tmp/ca-bundle.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/propub3r6espa33w.onion.pem
    echo "CN or SAN: *.propub3r6espa33w.onion" >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/propub3r6espa33w.onion.pem -dates >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/propub3r6espa33w.onion.pem -fingerprint -md5 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/propub3r6espa33w.onion.pem -fingerprint -sha1 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/propub3r6espa33w.onion.pem -fingerprint -sha256 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/propub3r6espa33w.onion.pem -fingerprint -subject >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/propub3r6espa33w.onion.pem -fingerprint -subject | grep "subject" >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/propub3r6espa33w.onion.pem -fingerprint -text | grep "DNS" | sed -e 's/^[ \t]*//' >> /tmp/certs.txt
    echo "" >> /tmp/certs.txt

    echo -n | openssl s_client -connect securedrop.propublica.org:443 -servername "pubapp7v22ykdou3.onion" -CAfile /tmp/ca-bundle.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/pubapp7v22ykdou3.onion.pem
    echo "CN or SAN: pubapp7v22ykdou3.onion" >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/pubapp7v22ykdou3.onion.pem -dates >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/pubapp7v22ykdou3.onion.pem -fingerprint -md5 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/pubapp7v22ykdou3.onion.pem -fingerprint -sha1 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/pubapp7v22ykdou3.onion.pem -fingerprint -sha256 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/pubapp7v22ykdou3.onion.pem -fingerprint -subject >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/pubapp7v22ykdou3.onion.pem -fingerprint -subject | grep "subject" >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/pubapp7v22ykdou3.onion.pem -fingerprint -text | grep "DNS" | sed -e 's/^[ \t]*//' >> /tmp/certs.txt
    echo "" >> /tmp/certs.txt

    echo -n | openssl s_client -connect securedrop.propublica.org:443 -servername "ppasset42kropoy6.onion" -CAfile /tmp/ca-bundle.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/ppasset42kropoy6.onion.pem
    echo "CN or SAN: ppasset42kropoy6.onion" >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/ppasset42kropoy6.onion.pem -dates >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/ppasset42kropoy6.onion.pem -fingerprint -md5 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/ppasset42kropoy6.onion.pem -fingerprint -sha1 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/ppasset42kropoy6.onion.pem -fingerprint -sha256 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/ppasset42kropoy6.onion.pem -fingerprint -subject >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/ppasset42kropoy6.onion.pem -fingerprint -subject | grep "subject" >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/ppasset42kropoy6.onion.pem -fingerprint -text | grep "DNS" | sed -e 's/^[ \t]*//' >> /tmp/certs.txt
    echo "" >> /tmp/certs.txt
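Review bot: In each of the three .onion blocks, `openssl x509 ... -fingerprint -subject | grep "subject"` asks for a fingerprint only to filter it out again; `-noout -subject` on its own prints just the subject line. The following `-fingerprint -text | grep "DNS"` line carries the same unneeded flag, and grepping the full text dump for "DNS" will also pick up any other line that happens to contain that string, so a narrower selection of the subjectAltName extension would be safer for output that is about to be signed.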

  2. mtigas revised this gist Mar 5, 2016. 2 changed files with 104 additions and 54 deletions.
    85 changes: 60 additions & 25 deletions 1-tls
    @@ -2,32 +2,67 @@
    Hash: SHA512

    The following are the SSL certificate fingerprints for the
    following propublica.org servers as of 2016-01-11.
    following propublica.org servers as of 2016-03-05.

    Note that projects.propublica.org is now being served via Fastly and uses a
    shared certificate. That domain should be listed as a Subject Alternative Name
    for the certificate served by f.ssl.fastly.net.
    CN or SAN: www.propublica.org
    Note: this domain is now served via the Fastly CDN, relying on shared SSL
    certificates. The www.propublica.org domain should be listed as a Subject
    Alternative Name on the certificate served by the CDN endpoint.

    Common Name: www.propublica.org
    notBefore=Jan 11 10:29:33 2016 GMT
    notAfter=Sep 28 12:34:01 2016 GMT
    MD5 Fingerprint=4B:2A:D2:F4:80:E9:6D:FC:34:30:7E:5E:81:6F:49:C4
    SHA1 Fingerprint=B9:4D:97:E5:2B:9A:C6:BB:3D:CB:C7:F9:56:0F:0C:4B:35:95:5A:D8
    SHA256 Fingerprint=24:2B:90:7C:96:1F:EB:DA:6F:58:03:78:FC:67:15:86:A8:C1:E0:2F:DB:7B:CF:F0:17:42:7B:99:EA:2B:97:2E
    CN or SAN: projects.propublica.org
    Note: this domain is now served via the Fastly CDN, relying on shared SSL
    certificates. The projects.propublica.org domain should be listed as a Subject
    Alternative Name on the certificate served by the CDN endpoint.

    Common Name: static.propublica.org
    CN or SAN: static.propublica.org
    notBefore=Jul 6 00:00:00 2015 GMT
    notAfter=Jul 5 23:59:59 2018 GMT
    MD5 Fingerprint=4D:62:83:50:09:9F:88:BF:79:C9:DA:6A:49:14:A7:7F
    SHA1 Fingerprint=30:27:56:F8:3A:A0:41:A0:4D:FE:7B:5F:9F:66:2A:83:3C:A8:40:7E
    SHA256 Fingerprint=28:18:04:0E:B0:1A:03:F8:AC:FC:A6:DA:89:37:3A:F5:C0:9A:1A:A7:16:0C:0F:33:15:2C:82:C7:F5:EB:6E:27
    SHA1 Fingerprint=30:27:56:F8:3A:A0:41:A0:4D:FE:7B:5F:9F:66:2A:83:3C:A8:40:7E
    subject= /OU=Domain Control Validated/OU=PositiveSSL/CN=static.propublica.org
    DNS:static.propublica.org, DNS:www.static.propublica.org

    CN or SAN: securedrop.propublica.org
    notBefore=Mar 4 00:00:00 2016 GMT
    notAfter=Mar 9 12:00:00 2017 GMT
    MD5 Fingerprint=C5:67:B6:98:8C:C2:F0:D0:EA:E9:66:D7:B2:34:C3:77
    SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30
    SHA256 Fingerprint=E6:20:18:E1:65:68:60:07:37:F0:13:1C:BD:41:F8:5F:DF:59:C1:A3:40:4D:A4:BE:97:5E:E5:76:5F:53:CB:2A
    SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30
    subject= /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=4424721/street=Floor 13/street=155 Avenue of the Americas/postalCode=10013/C=US/ST=New York/L=New York/O=Pro Publica, Inc./CN=*.propub3r6espa33w.onion
    DNS:*.propub3r6espa33w.onion, DNS:propub3r6espa33w.onion, DNS:pubdrop4dw6rk3aq.onion, DNS:pubapp7v22ykdou3.onion, DNS:*.pubapp7v22ykdou3.onion, DNS:ppasset42kropoy6.onion, DNS:*.ppasset42kropoy6.onion, DNS:propublica.org, DNS:www.propublica.org, DNS:projects.propublica.org, DNS:securedrop.propublica.org, DNS:static.propublica.org, DNS:mail.propublica.org, DNS:mail2.propublica.org, DNS:webmail.propublica.org, DNS:webmail2.propublica.org, DNS:autodiscover.propublica.org

    CN or SAN: *.propub3r6espa33w.onion
    notBefore=Mar 4 00:00:00 2016 GMT
    notAfter=Mar 9 12:00:00 2017 GMT
    MD5 Fingerprint=C5:67:B6:98:8C:C2:F0:D0:EA:E9:66:D7:B2:34:C3:77
    SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30
    SHA256 Fingerprint=E6:20:18:E1:65:68:60:07:37:F0:13:1C:BD:41:F8:5F:DF:59:C1:A3:40:4D:A4:BE:97:5E:E5:76:5F:53:CB:2A
    SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30
    subject= /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=4424721/street=Floor 13/street=155 Avenue of the Americas/postalCode=10013/C=US/ST=New York/L=New York/O=Pro Publica, Inc./CN=*.propub3r6espa33w.onion
    DNS:*.propub3r6espa33w.onion, DNS:propub3r6espa33w.onion, DNS:pubdrop4dw6rk3aq.onion, DNS:pubapp7v22ykdou3.onion, DNS:*.pubapp7v22ykdou3.onion, DNS:ppasset42kropoy6.onion, DNS:*.ppasset42kropoy6.onion, DNS:propublica.org, DNS:www.propublica.org, DNS:projects.propublica.org, DNS:securedrop.propublica.org, DNS:static.propublica.org, DNS:mail.propublica.org, DNS:mail2.propublica.org, DNS:webmail.propublica.org, DNS:webmail2.propublica.org, DNS:autodiscover.propublica.org

    CN or SAN: pubapp7v22ykdou3.onion
    notBefore=Mar 4 00:00:00 2016 GMT
    notAfter=Mar 9 12:00:00 2017 GMT
    MD5 Fingerprint=C5:67:B6:98:8C:C2:F0:D0:EA:E9:66:D7:B2:34:C3:77
    SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30
    SHA256 Fingerprint=E6:20:18:E1:65:68:60:07:37:F0:13:1C:BD:41:F8:5F:DF:59:C1:A3:40:4D:A4:BE:97:5E:E5:76:5F:53:CB:2A
    SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30
    subject= /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=4424721/street=Floor 13/street=155 Avenue of the Americas/postalCode=10013/C=US/ST=New York/L=New York/O=Pro Publica, Inc./CN=*.propub3r6espa33w.onion
    DNS:*.propub3r6espa33w.onion, DNS:propub3r6espa33w.onion, DNS:pubdrop4dw6rk3aq.onion, DNS:pubapp7v22ykdou3.onion, DNS:*.pubapp7v22ykdou3.onion, DNS:ppasset42kropoy6.onion, DNS:*.ppasset42kropoy6.onion, DNS:propublica.org, DNS:www.propublica.org, DNS:projects.propublica.org, DNS:securedrop.propublica.org, DNS:static.propublica.org, DNS:mail.propublica.org, DNS:mail2.propublica.org, DNS:webmail.propublica.org, DNS:webmail2.propublica.org, DNS:autodiscover.propublica.org

    Common Name: securedrop.propublica.org
    notBefore=Mar 11 04:45:14 2015 GMT
    notAfter=Jan 23 20:28:46 2017 GMT
    MD5 Fingerprint=51:7D:93:5D:94:FD:B4:F8:88:59:E8:80:68:9C:3C:14
    SHA1 Fingerprint=11:51:C8:EF:20:EF:B6:B7:48:5C:C2:60:0A:E8:F0:94:29:48:37:27
    SHA256 Fingerprint=4E:2A:EB:C7:DB:C7:81:7D:1E:60:A7:3B:F6:F6:0C:6F:EF:D5:CF:E4:A1:4D:69:C3:F6:4B:10:BF:84:B6:90:DC
    CN or SAN: ppasset42kropoy6.onion
    notBefore=Mar 4 00:00:00 2016 GMT
    notAfter=Mar 9 12:00:00 2017 GMT
    MD5 Fingerprint=C5:67:B6:98:8C:C2:F0:D0:EA:E9:66:D7:B2:34:C3:77
    SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30
    SHA256 Fingerprint=E6:20:18:E1:65:68:60:07:37:F0:13:1C:BD:41:F8:5F:DF:59:C1:A3:40:4D:A4:BE:97:5E:E5:76:5F:53:CB:2A
    SHA1 Fingerprint=96:18:71:C8:C4:26:6C:DE:89:97:63:5A:75:42:2F:0F:02:9C:18:30
    subject= /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=4424721/street=Floor 13/street=155 Avenue of the Americas/postalCode=10013/C=US/ST=New York/L=New York/O=Pro Publica, Inc./CN=*.propub3r6espa33w.onion
    DNS:*.propub3r6espa33w.onion, DNS:propub3r6espa33w.onion, DNS:pubdrop4dw6rk3aq.onion, DNS:pubapp7v22ykdou3.onion, DNS:*.pubapp7v22ykdou3.onion, DNS:ppasset42kropoy6.onion, DNS:*.ppasset42kropoy6.onion, DNS:propublica.org, DNS:www.propublica.org, DNS:projects.propublica.org, DNS:securedrop.propublica.org, DNS:static.propublica.org, DNS:mail.propublica.org, DNS:mail2.propublica.org, DNS:webmail.propublica.org, DNS:webmail2.propublica.org, DNS:autodiscover.propublica.org

    ==============================
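Review bot: The notes for www.propublica.org and projects.propublica.org say only that the name "should be listed as a Subject Alternative Name on the certificate served by the CDN endpoint", and the wording that named f.ssl.fastly.net no longer applies, so the signed text gives a reader nothing concrete to compare for these two hosts. Either name the endpoint again, or state explicitly that no fingerprint is published for the CDN-served names and why, so the absence reads as intentional rather than as an omission.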

    @@ -53,11 +88,11 @@ https://keybase.io/mtigas

    -----BEGIN PGP SIGNATURE-----

    iQEcBAEBCgAGBQJWlENYAAoJEGQdTjqn+ftyT00H/idFAMCJp4Sx+Plni5DBZ2Fl
    9Mr4fD/fDQLSY5gHt0pzTJYia+EMyznnlDsHWD7U8ENI2uf+sJgOm1NzvQxOoALN
    bC4s1UBH/+LcB/AisUCJF/1yXzDsY7krSHmR9sv9FGwg9wq1v/gO3jzTcVVhNygb
    RjunfxpFXhg8Z1lNb5DF4X+yWbDxsAh/MR0Oxl4yFUh0Kys0+1PoJhdK6fUAhuQs
    3rxG0hIn/PDaq7zihwJ4BbYnLMgyWDWGBJXRL5KqN9y+OPTyV2un9GjUiGEUr4T2
    dtESMY9VBhyojOAZ6eYLuYk1juBIl5gGU0be6gmTEPRl/L7vDJI+FNaGMp1x3uA=
    =5S0x
    -----END PGP SIGNATURE-----
    iQEcBAEBCgAGBQJW2x8HAAoJEGQdTjqn+ftyvkMH/jQxQJtJS3WGk2PzCUZHxBEU
    VKHuFgxOTOfbjeU0aPFGWQp+irU5d9Zxdi+40WXKtLSFSPFCVvhaLGQauRA0F4pW
    +NQwLyy+Ldz+a09sv8Akgubj4ZxzgvUMc8Jhl+NnRX5LRCF+Tbfy/+2EuecjeHok
    zKT6RJjfJI6dZwECo8Jw38o3AHiHavvmxx5CbhoOGBUPZWhF5e0fF3BQYsuCcqkZ
    xzinrkehXJHbzA+PkJ3XgJJ+svGWxFQZNHrOuHtpP3jkd3CVLOCLaM3Zj5qEdLqc
    fiaMJTXNui8tSAUFRe5QjRNzRRixpFawWpOKldBQyRd2A6UoWYnZ25tAat3BmwA=
    =eiAH
    -----END PGP SIGNATURE-----
    73 changes: 44 additions & 29 deletions z-certs.sh
    @@ -7,47 +7,61 @@ tee /tmp/certs.txt << EOF1
    The following are the SSL certificate fingerprints for the
    following propublica.org servers as of `date +"%Y-%m-%d"`.
    Note that projects.propublica.org is now being served via Fastly and uses a
    shared certificate. That domain should be listed as a Subject Alternative Name
    for the certificate served by f.ssl.fastly.net.
    CN or SAN: www.propublica.org
    Note: this domain is now served via the Fastly CDN, relying on shared SSL
    certificates. The www.propublica.org domain should be listed as a Subject
    Alternative Name on the certificate served by the CDN endpoint.
    EOF1
    CN or SAN: projects.propublica.org
    Note: this domain is now served via the Fastly CDN, relying on shared SSL
    certificates. The projects.propublica.org domain should be listed as a Subject
    Alternative Name on the certificate served by the CDN endpoint.
    SITES="www.propublica.org static.propublica.org securedrop.propublica.org"
    EOF1

    SITES="static.propublica.org securedrop.propublica.org"
    for SITE in ${SITES}; do
    echo -n | openssl s_client -connect ${SITE}:443 -servername ${SITE} -CAfile /tmp/ca-bundle.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/${SITE}.pem
    echo "Common Name: ${SITE}" >> /tmp/certs.txt
    echo "CN or SAN: ${SITE}" >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/${SITE}.pem -dates >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/${SITE}.pem -fingerprint -md5 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/${SITE}.pem -fingerprint -sha1 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/${SITE}.pem -fingerprint -sha256 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/${SITE}.pem -fingerprint -subject >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/${SITE}.pem -fingerprint -text | grep "DNS" | sed -e 's/^[ \t]*//' >> /tmp/certs.txt
    echo "" >> /tmp/certs.txt
    done

    #SITE="propub3r6espa33w.onion"
    #echo "Common Name: ${SITE} (www.propublica.org hidden service mirror - self-signed SSL)" >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -dates >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -md5 >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha1 >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha256 >> /tmp/certs.txt
    #echo "" >> /tmp/certs.txt
    #
    #SITE="pubapp7v22ykdou3.onion"
    #echo "Common Name: ${SITE} (projects.propublica.org hidden service mirror - self-signed SSL)" >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -dates >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -md5 >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha1 >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha256 >> /tmp/certs.txt
    #echo "" >> /tmp/certs.txt
    #
    #SITE="ppasset42kropoy6.onion"
    #echo "Common Name: ${SITE} (static.propublica.org hidden service mirror - self-signed SSL)" >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -dates >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -md5 >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha1 >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha256 >> /tmp/certs.txt
    #echo "" >> /tmp/certs.txt

    echo -n | openssl s_client -connect securedrop.propublica.org:443 -servername "www.propub3r6espa33w.onion" -CAfile /tmp/ca-bundle.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/propub3r6espa33w.onion.pem
    echo "CN or SAN: *.propub3r6espa33w.onion" >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/propub3r6espa33w.onion.pem -dates >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/propub3r6espa33w.onion.pem -fingerprint -md5 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/propub3r6espa33w.onion.pem -fingerprint -sha1 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/propub3r6espa33w.onion.pem -fingerprint -sha256 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/propub3r6espa33w.onion.pem -fingerprint -subject >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/propub3r6espa33w.onion.pem -fingerprint -text | grep "DNS" | sed -e 's/^[ \t]*//' >> /tmp/certs.txt
    echo "" >> /tmp/certs.txt

    echo -n | openssl s_client -connect securedrop.propublica.org:443 -servername "pubapp7v22ykdou3.onion" -CAfile /tmp/ca-bundle.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/pubapp7v22ykdou3.onion.pem
    echo "CN or SAN: pubapp7v22ykdou3.onion" >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/pubapp7v22ykdou3.onion.pem -dates >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/pubapp7v22ykdou3.onion.pem -fingerprint -md5 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/pubapp7v22ykdou3.onion.pem -fingerprint -sha1 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/pubapp7v22ykdou3.onion.pem -fingerprint -sha256 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/pubapp7v22ykdou3.onion.pem -fingerprint -subject >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/pubapp7v22ykdou3.onion.pem -fingerprint -text | grep "DNS" | sed -e 's/^[ \t]*//' >> /tmp/certs.txt
    echo "" >> /tmp/certs.txt

    echo -n | openssl s_client -connect securedrop.propublica.org:443 -servername "ppasset42kropoy6.onion" -CAfile /tmp/ca-bundle.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/ppasset42kropoy6.onion.pem
    echo "CN or SAN: ppasset42kropoy6.onion" >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/ppasset42kropoy6.onion.pem -dates >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/ppasset42kropoy6.onion.pem -fingerprint -md5 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/ppasset42kropoy6.onion.pem -fingerprint -sha1 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/ppasset42kropoy6.onion.pem -fingerprint -sha256 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/ppasset42kropoy6.onion.pem -fingerprint -subject >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/ppasset42kropoy6.onion.pem -fingerprint -text | grep "DNS" | sed -e 's/^[ \t]*//' >> /tmp/certs.txt
    echo "" >> /tmp/certs.txt


    tee -a /tmp/certs.txt << EOF1
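Review bot: The three blocks after the loop connect to securedrop.propublica.org:443 and vary only `-servername`, yet their output is labelled `CN or SAN: *.propub3r6espa33w.onion`, `CN or SAN: pubapp7v22ykdou3.onion` and so on, so what gets signed is the certificate the clearnet host returns for that SNI value, not one retrieved through the onion service itself. Say so in the generated text, or retrieve the certificate over Tor. The blocks also repeat the loop body line for line; a small shell function taking the connect host, the SNI name and the label would replace all four copies and keep them from drifting apart.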
    @@ -75,6 +89,7 @@ https://keybase.io/mtigas
    EOF1

    rm /tmp/certs.txt.asc
    gpg --clearsign -u 0x4034E60AA7827C5DF21A89AAA993E7156E0E9923 /tmp/certs.txt

    cat /tmp/certs.txt.asc
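Review bot: `rm /tmp/certs.txt.asc` and `gpg --clearsign ... /tmp/certs.txt` operate on fixed names in /tmp, as do the CA bundle and the .pem files used earlier in the script, so on a shared machine another local user can pre-create or replace the file that is about to be signed. Create a private working directory with `mktemp -d` and keep every intermediate file under it. `rm -f` would also avoid the error on a first run, when the .asc file does not exist yet.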
  3. mtigas revised this gist Jan 12, 2016. 1 changed file with 0 additions and 2 deletions.
    2 changes: 0 additions & 2 deletions 2-tor
    @@ -38,8 +38,6 @@ https://mike.tig.as/
    https://twitter.com/mtigas
    https://keybase.io/mtigas
    -----BEGIN PGP SIGNATURE-----
    Comment: This is a PGP signature. Read more about e-mail
    Comment: encryption & PGP signatures: https://mike.tig.as/pgp/

    iQEcBAEBCgAGBQJWlEJWAAoJEGQdTjqn+ftyvDQH/jq/Y6OtncP5u5jt7dK1OIvt
    X81YhrUcQOFroVD5xtNwB/a6qCTC6JmK95riqcuel56y2DJbX3C1qB1YAOzpiw2g
  4. mtigas revised this gist Jan 12, 2016. 3 changed files with 104 additions and 143 deletions.
    110 changes: 36 additions & 74 deletions 1-tls
    @@ -2,70 +2,48 @@
    Hash: SHA512

    The following are the SSL certificate fingerprints for the
    propublica.org servers as of 2015-03-10.
    following propublica.org servers as of 2016-01-11.

    Common Name: www.propublica.org
    notBefore=Jul 7 00:00:00 2014 GMT
    notAfter=Jul 7 23:59:59 2015 GMT
    MD5 Fingerprint=83:E3:9D:2C:28:34:8D:9E:65:79:90:22:E8:71:3C:6F
    SHA1 Fingerprint=90:82:5A:80:DE:4C:64:67:DA:F5:11:73:39:AF:79:CE:0E:E8:E5:59
    SHA256 Fingerprint=B2:4B:1E:C2:59:E8:DF:72:62:A0:74:D0:26:02:29:43:4C:14:46:1A:78:02:6D:A3:AE:34:B3:FF:54:F1:7F:A0
    Note that projects.propublica.org is now being served via Fastly and uses a
    shared certificate. That domain should be listed as a Subject Alternative Name
    for the certificate served by f.ssl.fastly.net.

    Common Name: projects.propublica.org
    notBefore=Nov 18 00:00:00 2014 GMT
    notAfter=Nov 23 12:00:00 2015 GMT
    MD5 Fingerprint=BD:39:56:49:09:E7:A0:E1:15:90:79:56:37:6C:6E:A8
    SHA1 Fingerprint=3C:2A:32:B2:BA:2C:88:FC:84:32:A1:25:98:6A:DB:C4:8C:43:81:FC
    SHA256 Fingerprint=83:10:33:D5:CE:12:38:7B:1C:32:D2:C9:B2:A3:5D:BE:2C:06:EA:82:87:1E:CD:AA:E3:1D:09:32:AB:13:26:CC
    Common Name: www.propublica.org
    notBefore=Jan 11 10:29:33 2016 GMT
    notAfter=Sep 28 12:34:01 2016 GMT
    MD5 Fingerprint=4B:2A:D2:F4:80:E9:6D:FC:34:30:7E:5E:81:6F:49:C4
    SHA1 Fingerprint=B9:4D:97:E5:2B:9A:C6:BB:3D:CB:C7:F9:56:0F:0C:4B:35:95:5A:D8
    SHA256 Fingerprint=24:2B:90:7C:96:1F:EB:DA:6F:58:03:78:FC:67:15:86:A8:C1:E0:2F:DB:7B:CF:F0:17:42:7B:99:EA:2B:97:2E

    Common Name: static.propublica.org
    notBefore=Oct 31 00:00:00 2014 GMT
    notAfter=Oct 31 23:59:59 2015 GMT
    MD5 Fingerprint=46:B8:1B:6C:3A:D6:CD:73:29:4E:8B:47:29:97:39:E9
    SHA1 Fingerprint=24:89:7B:4D:57:5A:04:09:E7:9D:05:48:74:4A:39:ED:4C:5E:27:82
    SHA256 Fingerprint=7E:CB:B6:53:C8:2E:95:40:DC:4B:6E:6B:AC:CD:21:10:AE:8F:0C:0D:BF:8B:18:AD:60:0F:D6:0F:4C:9B:5E:9D
    notBefore=Jul 6 00:00:00 2015 GMT
    notAfter=Jul 5 23:59:59 2018 GMT
    MD5 Fingerprint=4D:62:83:50:09:9F:88:BF:79:C9:DA:6A:49:14:A7:7F
    SHA1 Fingerprint=30:27:56:F8:3A:A0:41:A0:4D:FE:7B:5F:9F:66:2A:83:3C:A8:40:7E
    SHA256 Fingerprint=28:18:04:0E:B0:1A:03:F8:AC:FC:A6:DA:89:37:3A:F5:C0:9A:1A:A7:16:0C:0F:33:15:2C:82:C7:F5:EB:6E:27

    Common Name: securedrop.propublica.org
    notBefore=Jan 19 22:35:09 2014 GMT
    notAfter=Jan 22 11:56:54 2017 GMT
    MD5 Fingerprint=E5:3D:80:2D:A0:70:68:36:B9:C6:03:EB:DA:A4:C6:CC
    SHA1 Fingerprint=33:03:99:09:7E:D3:83:E4:AC:48:54:E4:89:19:2D:47:68:61:7A:B5
    SHA256 Fingerprint=47:F2:2F:33:83:62:FE:02:10:61:69:73:3D:78:77:AB:35:1B:F5:96:2C:08:A4:EF:C2:5F:5A:26:1F:F5:19:95

    Common Name: propub3r6espa33w.onion (www.propublica.org hidden service mirror - self-signed SSL)
    notBefore=Dec 3 20:33:38 2014 GMT
    notAfter=Dec 3 20:33:38 2015 GMT
    MD5 Fingerprint=43:03:6C:B4:63:83:27:7A:83:61:16:46:08:71:E9:09
    SHA1 Fingerprint=BE:7F:C0:DE:73:64:23:E0:7B:D5:04:47:59:B3:7E:27:F0:52:E0:5B
    SHA256 Fingerprint=CD:74:43:31:C5:5A:0F:33:A7:F7:E0:1F:54:60:9A:AB:07:2F:95:8D:6A:9A:F8:07:93:6F:4D:23:52:B1:F3:0F

    Common Name: pubapp7v22ykdou3.onion (projects.propublica.org hidden service mirror - self-signed SSL)
    notBefore=Dec 3 20:34:31 2014 GMT
    notAfter=Dec 3 20:34:31 2015 GMT
    MD5 Fingerprint=78:8B:F1:BB:4D:53:7B:35:5A:B5:DD:7F:62:29:3A:9D
    SHA1 Fingerprint=B9:FB:C6:42:58:0F:E6:D4:17:ED:C4:C6:8C:FC:A8:71:6A:68:35:92
    SHA256 Fingerprint=AD:90:21:82:D2:41:DB:56:EA:27:66:78:F8:9E:3C:05:49:65:06:17:C6:8F:5B:26:72:DA:5C:DB:A7:89:94:7D

    Common Name: ppasset42kropoy6.onion (static.propublica.org hidden service mirror - self-signed SSL)
    notBefore=Dec 3 20:21:40 2014 GMT
    notAfter=Dec 3 20:21:40 2015 GMT
    MD5 Fingerprint=A3:5B:22:74:72:A7:89:B0:E7:EC:92:DC:1F:0B:0D:E9
    SHA1 Fingerprint=E7:C9:AF:C7:79:3D:5F:A9:06:A5:95:20:E1:AE:87:B7:25:C4:AA:DE
    SHA256 Fingerprint=05:77:35:B1:ED:5C:15:5F:4D:EB:AF:E1:99:6A:E0:32:EE:D0:80:9F:32:8C:FC:AA:F4:9E:04:57:06:CA:DF:27
    notBefore=Mar 11 04:45:14 2015 GMT
    notAfter=Jan 23 20:28:46 2017 GMT
    MD5 Fingerprint=51:7D:93:5D:94:FD:B4:F8:88:59:E8:80:68:9C:3C:14
    SHA1 Fingerprint=11:51:C8:EF:20:EF:B6:B7:48:5C:C2:60:0A:E8:F0:94:29:48:37:27
    SHA256 Fingerprint=4E:2A:EB:C7:DB:C7:81:7D:1E:60:A7:3B:F6:F6:0C:6F:EF:D5:CF:E4:A1:4D:69:C3:F6:4B:10:BF:84:B6:90:DC

    ==============================

    This message can be verified via the following PGP key, which can be
    corroborated on my ProPublica staff profile and other following links:

    pub 8192R/0xA993E7156E0E9923 2013-07-19 [expires: 2016-01-02]
    pub 8192R/0xA993E7156E0E9923 2013-07-19 [expires: 2018-01-03]
    Key fingerprint = 4034 E60A A782 7C5D F21A 89AA A993 E715 6E0E 9923
    uid [ultimate] Mike Tigas <[email protected]>
    uid [ultimate] Mike Tigas <[email protected]>
    sub 8192R/0xECB867297E745064 2013-12-24 [expires: 2016-01-02]
    sub 8192R/0xB09CCE88E55F7656 2013-07-19 [expires: 2016-01-02]

    https://s3.amazonaws.com/propublica/assets/pgp/mike_tigas-4034E60AA7827C5DF21A89AAA993E7156E0E9923.txt
    uid Mike Tigas <[email protected]>
    uid Mike Tigas <[email protected]>
    sub 2048R/0x641D4E3AA7F9FB72 2015-03-12 [expires: 2018-01-03]
    Key fingerprint = DEEF 6A2C 795F 11D0 13E8 B17A 641D 4E3A A7F9 FB72
    sub 2048R/0x8DE8FCA65410F8C4 2015-03-12 [expires: 2018-01-03]
    Key fingerprint = A577 FE9F 0CCA 8AC7 2845 A101 8DE8 FCA6 5410 F8C4

    https://static.propublica.org/assets/pgp/mike_tigas-4034E60AA7827C5DF21A89AAA993E7156E0E9923.txt
    https://mike.tig.as/pubkey_6E0E9923.txt
    http://p80.pool.sks-keyservers.net/pks/lookup?op=get&search=0x4034E60AA7827C5DF21A89AAA993E7156E0E9923
    https://www.propublica.org/site/author/mike_tigas
    @@ -75,27 +53,11 @@ https://keybase.io/mtigas

    -----BEGIN PGP SIGNATURE-----

    iQQcBAEBCgAGBQJU/19xAAoJEOy4Zyl+dFBk9Jsf/ii9bj/2vFlLGbdktUj7ckZJ
    6ypVyA1e3rrIAGxxWOgiTmAO0GNvh1a1JkoCBg20kLVk/FlV73GAGcSgw3g1gL8K
    iRZiIdw0/+//00L7gN+KAYlDLzjuQHPiHgbF3yIBKZUlqzgHDfE7Ul3G8al31I+v
    Lg2KbJgoY1xnvFFVUSiAMF+ToIhC0Np86+uR/g6nU76FNv2RX7YmHkN6KhUxmJAE
    dV2d8BGcrs6hvkVq23JlR+pSDdobqdSoZ3hjxLRNzbaWd74YQwAj4LNYYXJfJ4X5
    XuVE0hdPOv5W/Bil9xu2h1g9vN4VccOoRrhsyEvVdDgaEfj8MsgHXKEEwyiLWOp7
    r6xRWEQXt2IJHgSwxVfpOHGPE5IFgXWK3GwcJzKWBIRgFkmhWH8UE5XsNxwFUG17
    KUER5GOQxe5vjMKe1hkjaHWulU97NlyRPaYuVJ3L0D5R7X+jgT/H6ytEHxkUAgc4
    qkjpQZjfleH1NSOoLQCTJrg0H1s8y7EXc/5duo9dNH/WPTeiYmo+qlZ2iSKRByF4
    +eCSMCEsQ3Dc4ZIg6E3VmzH0AKdKvn2U7iJvxsz3fxKhOcaQ8oc+yPdB6X3IOH6K
    thR4SHiKiFRH2fwLGX6KYuPqFFskCNDi296cbQbvk28jUtz21kCdL0r73uFMHrdb
    Fy5EVvctrqGtZmFcPm0NlS1vPofOynddcEaT57HPhWOVpFPgZlJ6Bx+2APEOuc7o
    EEOHsz+nNWpxtGHN6/K1Ulpx1W4PCP/FPH8/fGoOVgFP1+Pb5qEw9X1ApK0U9+zj
    sPZJNE6TCJTg5A4MZb8LT6BwU8zmJcISr8PUZhAHRrM8doxxIAEUoXt/vDBb6Ord
    BspV7MpBo9DYAYglPuz+ilyyl+oC29lyCr5UzeAm+74nAdddqyqd13m4Ge52WwDr
    pRKF+MXxBR+GnME1U/f5hyv+8OJB7GIQJUR6UOTJXe3XKaCAyaXDpTfJBEYVxG89
    wJP8Fbk68UYKNIoWxlTetVtFdbEhGONRGBwP5sMGwtTRJepQG4wEoBr2Y6Zf/5ut
    dDaAR2yml2a3aJTKjRQTTL+S8e5oSCaEGh0i5SW8vfn4GsEog42tw3iQIkQdD579
    sZLAEtkwk6RFVxe2w8AF9769WUBcsAY82wO3+SYiJBEhacTF/gjylBsUe3ErPulu
    irqhGTpBtAm/eCz8u7DOJslbLDh7dy3MthhLKXEyRczDUKbN/BfDCBdKxdqKPRzl
    qwdUNvO0IWj5WYdtE05wClsCIEqxTjJGsDUJRXRv1hYAqREu7PBRS6KHMutb3LlU
    jLKKtOWqhEFeQTvcLOn+Cy7B5p85U9ZWvZuzeVc0qh5BBYcLq+E4NccCxLyvkl8=
    =boXg
    iQEcBAEBCgAGBQJWlENYAAoJEGQdTjqn+ftyT00H/idFAMCJp4Sx+Plni5DBZ2Fl
    9Mr4fD/fDQLSY5gHt0pzTJYia+EMyznnlDsHWD7U8ENI2uf+sJgOm1NzvQxOoALN
    bC4s1UBH/+LcB/AisUCJF/1yXzDsY7krSHmR9sv9FGwg9wq1v/gO3jzTcVVhNygb
    RjunfxpFXhg8Z1lNb5DF4X+yWbDxsAh/MR0Oxl4yFUh0Kys0+1PoJhdK6fUAhuQs
    3rxG0hIn/PDaq7zihwJ4BbYnLMgyWDWGBJXRL5KqN9y+OPTyV2un9GjUiGEUr4T2
    dtESMY9VBhyojOAZ6eYLuYk1juBIl5gGU0be6gmTEPRl/L7vDJI+FNaGMp1x3uA=
    =5S0x
    -----END PGP SIGNATURE-----
    65 changes: 29 additions & 36 deletions 2-tor
    @@ -1,12 +1,17 @@
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    As of December 3, 2014, these three `*.propublica.org` domains
    are mirrored by the following corresponding Tor hidden services:
    As of January 11, 2016, these four ProPublica domains
    are mirrored by "propub3r6espa33w.onion", under the following
    subdomains:

    www.propublica.org | propub3r6espa33w.onion
    projects.propublica.org | pubapp7v22ykdou3.onion
    static.propublica.org | ppasset42kropoy6.onion
    www.propublica.org | www.propub3r6espa33w.onion
    projects.propublica.org | projects.propub3r6espa33w.onion
    static.propublica.org | static.propub3r6espa33w.onion
    cdn.propublica.net | cdn.propub3r6espa33w.onion

    (The first three used to be at propub3r6espa33w.onion,
    pubapp7v22ykdou3.onion, and ppasset42kropoy6.onion, respectively.)

    And our SecureDrop instance (info: https://securedrop.propublica.org/
    and https://freedom.press/securedrop ) is located at:
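
    Review bot: the parenthetical closing the new mapping says the first three mirrors "used to be at" propub3r6espa33w.onion, pubapp7v22ykdou3.onion and ppasset42kropoy6.onion, but not whether those addresses still answer, redirect, or are retired. Readers who bookmarked or pinned the old names need that stated inside the signed text. The intro also widens the scope from `*.propublica.org` to "four ProPublica domains" to take in cdn.propublica.net; one sentence confirming the .net name is intentional would help anyone checking the list against the signature.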
    @@ -16,43 +21,31 @@ and https://freedom.press/securedrop ) is located at:
    This message can be verified via the following PGP key, which can be
    corroborated on my ProPublica staff profile and other following links:

    pub 8192R/0xA993E7156E0E9923 2013-07-19 [expires: 2016-01-02]
    pub 8192R/0xA993E7156E0E9923 2013-07-19 [expires: 2018-01-03]
    Key fingerprint = 4034 E60A A782 7C5D F21A 89AA A993 E715 6E0E 9923
    uid [ultimate] Mike Tigas <[email protected]>
    uid [ultimate] Mike Tigas <[email protected]>
    sub 8192R/0xECB867297E745064 2013-12-24 [expires: 2016-01-02]
    sub 8192R/0xB09CCE88E55F7656 2013-07-19 [expires: 2016-01-02]

    https://s3.amazonaws.com/propublica/assets/pgp/mike_tigas-4034E60AA7827C5DF21A89AAA993E7156E0E9923.txt
    uid Mike Tigas <[email protected]>
    uid Mike Tigas <[email protected]>
    sub 2048R/0x641D4E3AA7F9FB72 2015-03-12 [expires: 2018-01-03]
    Key fingerprint = DEEF 6A2C 795F 11D0 13E8 B17A 641D 4E3A A7F9 FB72
    sub 2048R/0x8DE8FCA65410F8C4 2015-03-12 [expires: 2018-01-03]
    Key fingerprint = A577 FE9F 0CCA 8AC7 2845 A101 8DE8 FCA6 5410 F8C4

    https://static.propublica.org/assets/pgp/mike_tigas-4034E60AA7827C5DF21A89AAA993E7156E0E9923.txt
    https://mike.tig.as/pubkey_6E0E9923.txt
    http://p80.pool.sks-keyservers.net/pks/lookup?op=get&search=0x4034E60AA7827C5DF21A89AAA993E7156E0E9923
    https://www.propublica.org/site/author/mike_tigas
    https://mike.tig.as/
    https://twitter.com/mtigas
    https://keybase.io/mtigas
    -----BEGIN PGP SIGNATURE-----

    iQQcBAEBCgAGBQJU/1+5AAoJEOy4Zyl+dFBkIf0f/1EPNdvomhG+HZ/PAkayNIWg
    vyYmGIrLNYohDaowkDE95sdG/9zlAfdq7R7BL1q998uhgkciEwpVbLUSII/is4n7
    Mfr1HQFfqxqfH/T+VJVVe99pUQfEKgc0XwWGUgNdlNjEwf2/CBQquYRS5eKF7qN6
    J0vb/qXzSbITDoBzgdM4SRGLHFe2Op5PM72AACRQLDVHnQEaSi1vxzPTZ9Quk7Iq
    2KBHL0DMQPrEj5EPLh69CJq5ApEqS7UqW8pPpLxvqFEBnurQeRBM17Zlas4evLLm
    +yDTAcxEYhrwAzzEoxLTEDJfyqjw/V6olh7+9KPLkho5TonopbKkfgivIoEwc7zo
    7nFwdlqumBXCNztUCx2iMGQG1k13lAOZoaet0nHV+NcEjpWYWoEh2KyewzLnh5jU
    /Qf0DrnfmycIqkTdcR4+Yims5s/FEo/tq7XebR9CGOFf5ycjCtEL3/NzfI5Jt8Wp
    5LDOlRzCT3auvsXTPTEKRbVunw2fJpIgmVXkN3/j++H8IxZMbmS6q/BZbuzeyX4I
    Ny1/fqsP1znJz8ERX40lrcbTjmte7TjnG8GNvDo5in8ssx6ljwNITwMmu9EUSw0I
    9jrAHgPNF223pfX9wQaXtcXLqM+mnG4ZwMVMJjnwDUOrlzAAmPprtcXNnvHgU0io
    Mbv3wRGFBwMAr9g/mtu4LC8G7LSYkM9MzIl6c0qgrdKeR/RcmhNJa4BqCDCXbUb0
    1RuvosNfkdQNxFR+w3jqrXEEhN1ekE3AlkzN5VsEPTuFUOLm+FDN1Ctake4vwgee
    J/xE3jIowaC9tN2IsDg8m7FF7alPqI3yccgbZjfH9J+Rwxn1brrwStN6NcRn/HXh
    Z+uokX8G+FrKHz3NOn+/RAIiQXSbP6rrXMYzF3cSA+/6xPWVrMumBQUgWaSRVWlO
    kjPy4AIXhCQbAQFSKRkDOFlgP+D7BwJfh+z1LbilFIvheYXNgDutHZBIjzpHe5dv
    pJUTWisQehwPImgxqb10bMFO41ID7a/tEFzxCux/+RIQatukVm5eoRdRnIPZHPk8
    WjEDCZVUNi5d7kTOJp5bWvFCK7ex1Z0o5sdMbpyBPu5PNeo8HTNVlX/Ba6lljouT
    Jb9szG2gqyn9NRtQcZWoYWnoPmzz7Cdl3lrVWShbKBHZVgO3y2TXrK7uzHhoeDtJ
    D+Pzjef/9jFu2n6nJv4yEugk7gjKImXoVPv0tA2NpFfum+u5XheD+gmi/uGm1eh3
    hEIAUEUVT+Fb7bPR7WOd78Cm7WKU/Y69I4VX3VCHeP/S8HJxpvJj3bJeTMxainxH
    yG7Qnej2SDbPHtBcioTwd7NNUVt/f7bZ3sSBloH7cSXlRBbS9SonrV8r19lFUJ8=
    =n2JK
    Comment: This is a PGP signature. Read more about e-mail
    Comment: encryption & PGP signatures: https://mike.tig.as/pgp/

    iQEcBAEBCgAGBQJWlEJWAAoJEGQdTjqn+ftyvDQH/jq/Y6OtncP5u5jt7dK1OIvt
    X81YhrUcQOFroVD5xtNwB/a6qCTC6JmK95riqcuel56y2DJbX3C1qB1YAOzpiw2g
    ghV3/HtiMIOYywXYhaZiWDgAWw95r/9IjJVIoL2DuN+QQT0yZgIyH2WKr/r3nocZ
    /HP7+EcFTRldhgW/sDmRN+PvmFGTr+5utJhmYD3E4Aj0b3ZlDqcOgDBtMoIAZ66X
    9QIzTbsGhR02Tiz7En2JWHWocEdyoO+2nh9Zcs3EydbwJmnOBaRx8ecIy8ehVe4K
    8cUMDcRTU0ptmMVxYBHxY6Uv6MMIwDsfuK3a45I8gBd7+ROOnN0eusSwY0U0Qdg=
    =uk13
    -----END PGP SIGNATURE-----
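
    Review bot: the two `Comment:` lines added under `-----BEGIN PGP SIGNATURE-----` are armor headers, which sit outside the signed data, so the https://mike.tig.as/pgp/ link in them can be altered without invalidating the signature. If the link matters, move it into the cleartext body above the signature; otherwise sign with gpg's `--no-comments` so the published block carries nothing unsigned.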
    72 changes: 39 additions & 33 deletions z-certs.sh
    @@ -5,11 +5,15 @@ export PATH=`brew --prefix curl`/bin:`brew --prefix openssl`/bin:`brew --prefix

    tee /tmp/certs.txt << EOF1
    The following are the SSL certificate fingerprints for the
    propublica.org servers as of `date +"%Y-%m-%d"`.
    following propublica.org servers as of `date +"%Y-%m-%d"`.
    Note that projects.propublica.org is now being served via Fastly and uses a
    shared certificate. That domain should be listed as a Subject Alternative Name
    for the certificate served by f.ssl.fastly.net.
    EOF1

    SITES="www.propublica.org projects.propublica.org static.propublica.org securedrop.propublica.org"
    SITES="www.propublica.org static.propublica.org securedrop.propublica.org"

    for SITE in ${SITES}; do
    echo -n | openssl s_client -connect ${SITE}:443 -servername ${SITE} -CAfile /tmp/ca-bundle.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/${SITE}.pem
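
    Review bot: the new heredoc text says projects.propublica.org "should be listed as a Subject Alternative Name" on the certificate served by f.ssl.fastly.net, but the same change drops that host from SITES, so the script neither records a fingerprint for it nor checks the SAN claim it is about to sign. Keep a step that fetches the certificate presented for projects.propublica.org and writes its subjectAltName list into /tmp/certs.txt, so the statement is backed by output. While here, `${SITE}` in the `openssl s_client` line is unquoted; quote it.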
    @@ -21,29 +25,29 @@ for SITE in ${SITES}; do
    echo "" >> /tmp/certs.txt
    done

    SITE="propub3r6espa33w.onion"
    echo "Common Name: ${SITE} (www.propublica.org hidden service mirror - self-signed SSL)" >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -dates >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -md5 >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha1 >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha256 >> /tmp/certs.txt
    echo "" >> /tmp/certs.txt

    SITE="pubapp7v22ykdou3.onion"
    echo "Common Name: ${SITE} (projects.propublica.org hidden service mirror - self-signed SSL)" >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -dates >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -md5 >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha1 >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha256 >> /tmp/certs.txt
    echo "" >> /tmp/certs.txt

    SITE="ppasset42kropoy6.onion"
    echo "Common Name: ${SITE} (static.propublica.org hidden service mirror - self-signed SSL)" >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -dates >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -md5 >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha1 >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha256 >> /tmp/certs.txt
    echo "" >> /tmp/certs.txt
    #SITE="propub3r6espa33w.onion"
    #echo "Common Name: ${SITE} (www.propublica.org hidden service mirror - self-signed SSL)" >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -dates >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -md5 >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha1 >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha256 >> /tmp/certs.txt
    #echo "" >> /tmp/certs.txt
    #
    #SITE="pubapp7v22ykdou3.onion"
    #echo "Common Name: ${SITE} (projects.propublica.org hidden service mirror - self-signed SSL)" >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -dates >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -md5 >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha1 >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha256 >> /tmp/certs.txt
    #echo "" >> /tmp/certs.txt
    #
    #SITE="ppasset42kropoy6.onion"
    #echo "Common Name: ${SITE} (static.propublica.org hidden service mirror - self-signed SSL)" >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -dates >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -md5 >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha1 >> /tmp/certs.txt
    #openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha256 >> /tmp/certs.txt
    #echo "" >> /tmp/certs.txt


    tee -a /tmp/certs.txt << EOF1
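
    Review bot: the three .onion blocks are commented out rather than deleted, which leaves dead code that still points at /foo/bar/nginx/${SITE}.pem and still asks for `-fingerprint -md5`. Delete them (the gist history keeps the old version). If the onion certificates should be fingerprinted again later, one loop over the onion names would replace the three copies.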
    @@ -52,14 +56,16 @@ tee -a /tmp/certs.txt << EOF1
    This message can be verified via the following PGP key, which can be
    corroborated on my ProPublica staff profile and other following links:
    pub 8192R/0xA993E7156E0E9923 2013-07-19 [expires: 2016-01-02]
    pub 8192R/0xA993E7156E0E9923 2013-07-19 [expires: 2018-01-03]
    Key fingerprint = 4034 E60A A782 7C5D F21A 89AA A993 E715 6E0E 9923
    uid [ultimate] Mike Tigas <[email protected]>
    uid [ultimate] Mike Tigas <[email protected]>
    sub 8192R/0xECB867297E745064 2013-12-24 [expires: 2016-01-02]
    sub 8192R/0xB09CCE88E55F7656 2013-07-19 [expires: 2016-01-02]
    https://s3.amazonaws.com/propublica/assets/pgp/mike_tigas-4034E60AA7827C5DF21A89AAA993E7156E0E9923.txt
    uid Mike Tigas <[email protected]>
    uid Mike Tigas <[email protected]>
    sub 2048R/0x641D4E3AA7F9FB72 2015-03-12 [expires: 2018-01-03]
    Key fingerprint = DEEF 6A2C 795F 11D0 13E8 B17A 641D 4E3A A7F9 FB72
    sub 2048R/0x8DE8FCA65410F8C4 2015-03-12 [expires: 2018-01-03]
    Key fingerprint = A577 FE9F 0CCA 8AC7 2845 A101 8DE8 FCA6 5410 F8C4
    https://static.propublica.org/assets/pgp/mike_tigas-4034E60AA7827C5DF21A89AAA993E7156E0E9923.txt
    https://mike.tig.as/pubkey_6E0E9923.txt
    http://p80.pool.sks-keyservers.net/pks/lookup?op=get&search=0x4034E60AA7827C5DF21A89AAA993E7156E0E9923
    https://www.propublica.org/site/author/mike_tigas
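
    Review bot: the key listing in this heredoc is typed by hand, so this change has to edit the expiry dates and subkey lines here and again in the 1-tls and 2-tor texts. Generating the listing at run time from `gpg --fingerprint 0x4034E60AA7827C5DF21A89AAA993E7156E0E9923` would keep the signed text in step with the actual key and remove the chance of the three copies drifting apart.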
    @@ -71,4 +77,4 @@ EOF1

    gpg --clearsign -u 0x4034E60AA7827C5DF21A89AAA993E7156E0E9923 /tmp/certs.txt

    cat /tmp/certs.txt.asc
    cat /tmp/certs.txt.asc
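
    Review bot: `gpg --clearsign` is run on /tmp/certs.txt, a fixed name in a world-writable directory that the script builds up with `tee` and `>>`. On a shared machine another user can pre-create or alter that file before it is signed. Create a private directory with `mktemp -d` at the top of the script and write certs.txt, the fetched .pem files and ca-bundle.crt there.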
  5. mtigas revised this gist Mar 10, 2015. 1 changed file with 36 additions and 32 deletions.
    68 changes: 36 additions & 32 deletions 2-tor
    @@ -13,42 +13,46 @@ and https://freedom.press/securedrop ) is located at:

    pubdrop4dw6rk3aq.onion

    This message can be verified via the following PGP key, which is
    also available on my ProPublica staff profile and the other following
    links:

    PGP public key: https://mike.tig.as/pubkey_6E0E9923.txt
    4034 E60A A782 7C5D F21A 89AA A993 E715 6E0E 9923
    uid Mike Tigas <[email protected]>
    uid Mike Tigas <[email protected]>

    This message can be verified via the following PGP key, which can be
    corroborated on my ProPublica staff profile and other following links:

    pub 8192R/0xA993E7156E0E9923 2013-07-19 [expires: 2016-01-02]
    Key fingerprint = 4034 E60A A782 7C5D F21A 89AA A993 E715 6E0E 9923
    uid [ultimate] Mike Tigas <[email protected]>
    uid [ultimate] Mike Tigas <[email protected]>
    sub 8192R/0xECB867297E745064 2013-12-24 [expires: 2016-01-02]
    sub 8192R/0xB09CCE88E55F7656 2013-07-19 [expires: 2016-01-02]

    https://s3.amazonaws.com/propublica/assets/pgp/mike_tigas-4034E60AA7827C5DF21A89AAA993E7156E0E9923.txt
    https://mike.tig.as/pubkey_6E0E9923.txt
    http://p80.pool.sks-keyservers.net/pks/lookup?op=get&search=0x4034E60AA7827C5DF21A89AAA993E7156E0E9923
    https://www.propublica.org/site/author/mike_tigas
    https://mike.tig.as/
    https://twitter.com/mtigas
    https://keybase.io/mtigas
    -----BEGIN PGP SIGNATURE-----

    iQQcBAEBCgAGBQJUf4TOAAoJEKmT5xVuDpkj4aAgAJDO4ThE15v5HAjL1E8ZVFVE
    oU0z7VDLITnpUe29hj0kkBbbx0Zy7LVjWl2GhAntMFurJ2AkSnzq0z3BED+m6x61
    /wSWlTnCMoC9h74A/LmPhwM5HICop3TYUJTZWyKyHRdO81uSEb9dZPk/p4rlyyaq
    qXJ9Uk/qoiRXJvumEPOeTwSD5w9JQFZf7RbfNiwB3gb6oECRgWZUb7drLAeJkc5/
    Ze1sx9ZwVEOTKBy5Be70Y0aW7Vey8t2WMwI2844/CjinP9PFQQt2nnvsJ2iNF1En
    9rPiGzwVfuoZVGw+p8uEY0gro3FAHk24zxywC0QCW9h29F8OXeqP5GLKUQwu3Wq/
    kG77BFpO+oaIVm8KnTE80fhSZSK8vvU/J0EPsnW2eaGU8aXXUxLcEYgi4/vmf6TZ
    4oKi/k3DIoJ80slPQID1NxcamIGhfX4tKqsGYwQGGiH+t2GHqrxx78AL0oJC5ODi
    TaMBKLadiqRn5cTPU5spKAAMwegqaFxLHl9vF2mb1bE19nnIiNFTeDWQ6e8eokhV
    ymhOSkc6i9DJCX8EHffw/zhHuwZtSL2IGp2Q/70gXb6T6fnwmeu4a1EClEMCmQPV
    R3mKfXPfgSS5mn1aiHMDWuTbk5Q2zLcgxjy0nrmjTP/xw7X1q4HaCrvzDUwOJdd5
    9TZAzn/JqBHEYZYg4aJhPtWBKNqCNhNyV3fH+BEcChq8rJCJIa6zDa703OAWrBHP
    6D2K4R5o50dYwo3Y9DIBeJt8juGNP6O7IdhsifjkOupiRST4wibea5YKVW6v7EW/
    IdNO+GofLawM1p204rifuCoQO72Ag/6KVJHUTb0wzJV0521DzCzbbEzVqV/rIdVK
    mENuNi/NInqDyzKic5cxYaNgj7NJYZ6y3g+zYxIMyEwOsqgW5AeR+YBrqwMmd+ou
    WhCWChQgxgH4nr9ZhQqAXPwq1D0RQyn002uNQtY90jwVMHklHTjaT5rGLFcsqVMk
    X5V4/Zp/ruqy5aIXMafF3cy4Hw5bhbL+mmCfCXlkWBwJj1yKipou0JyZqeNsMmWC
    tZi44zjIhHWUVTYPcdYCuAgcJBbMtHzJJ4uJCZoCarOAzfGYYKZcYnecap6OQ5qn
    z7iZYoRu/udCyLBN6klcSuo50RX2lna2ncENT/aDpYDbUpKGxlHxZQzq2vI0f2al
    uvd2SkHcVTluYV1T5iGw/8d09Lbk6o5GzSRWW6z4adkN/FsTj02Ort0XvgBJDeAd
    ZlK45xTwhtLuPV8E1i7KoRgoG0SWZf2WnuirHiJxMNRPLOPkgAYyxHpdSEgxkIv8
    tFesSUjMUYidzXj/wGtO1C6Yl+dOqBAR/WV/bezr/pz5WjJguxOUs5mv+EI7o1o=
    =+CsO
    iQQcBAEBCgAGBQJU/1+5AAoJEOy4Zyl+dFBkIf0f/1EPNdvomhG+HZ/PAkayNIWg
    vyYmGIrLNYohDaowkDE95sdG/9zlAfdq7R7BL1q998uhgkciEwpVbLUSII/is4n7
    Mfr1HQFfqxqfH/T+VJVVe99pUQfEKgc0XwWGUgNdlNjEwf2/CBQquYRS5eKF7qN6
    J0vb/qXzSbITDoBzgdM4SRGLHFe2Op5PM72AACRQLDVHnQEaSi1vxzPTZ9Quk7Iq
    2KBHL0DMQPrEj5EPLh69CJq5ApEqS7UqW8pPpLxvqFEBnurQeRBM17Zlas4evLLm
    +yDTAcxEYhrwAzzEoxLTEDJfyqjw/V6olh7+9KPLkho5TonopbKkfgivIoEwc7zo
    7nFwdlqumBXCNztUCx2iMGQG1k13lAOZoaet0nHV+NcEjpWYWoEh2KyewzLnh5jU
    /Qf0DrnfmycIqkTdcR4+Yims5s/FEo/tq7XebR9CGOFf5ycjCtEL3/NzfI5Jt8Wp
    5LDOlRzCT3auvsXTPTEKRbVunw2fJpIgmVXkN3/j++H8IxZMbmS6q/BZbuzeyX4I
    Ny1/fqsP1znJz8ERX40lrcbTjmte7TjnG8GNvDo5in8ssx6ljwNITwMmu9EUSw0I
    9jrAHgPNF223pfX9wQaXtcXLqM+mnG4ZwMVMJjnwDUOrlzAAmPprtcXNnvHgU0io
    Mbv3wRGFBwMAr9g/mtu4LC8G7LSYkM9MzIl6c0qgrdKeR/RcmhNJa4BqCDCXbUb0
    1RuvosNfkdQNxFR+w3jqrXEEhN1ekE3AlkzN5VsEPTuFUOLm+FDN1Ctake4vwgee
    J/xE3jIowaC9tN2IsDg8m7FF7alPqI3yccgbZjfH9J+Rwxn1brrwStN6NcRn/HXh
    Z+uokX8G+FrKHz3NOn+/RAIiQXSbP6rrXMYzF3cSA+/6xPWVrMumBQUgWaSRVWlO
    kjPy4AIXhCQbAQFSKRkDOFlgP+D7BwJfh+z1LbilFIvheYXNgDutHZBIjzpHe5dv
    pJUTWisQehwPImgxqb10bMFO41ID7a/tEFzxCux/+RIQatukVm5eoRdRnIPZHPk8
    WjEDCZVUNi5d7kTOJp5bWvFCK7ex1Z0o5sdMbpyBPu5PNeo8HTNVlX/Ba6lljouT
    Jb9szG2gqyn9NRtQcZWoYWnoPmzz7Cdl3lrVWShbKBHZVgO3y2TXrK7uzHhoeDtJ
    D+Pzjef/9jFu2n6nJv4yEugk7gjKImXoVPv0tA2NpFfum+u5XheD+gmi/uGm1eh3
    hEIAUEUVT+Fb7bPR7WOd78Cm7WKU/Y69I4VX3VCHeP/S8HJxpvJj3bJeTMxainxH
    yG7Qnej2SDbPHtBcioTwd7NNUVt/f7bZ3sSBloH7cSXlRBbS9SonrV8r19lFUJ8=
    =n2JK
    -----END PGP SIGNATURE-----
  6. mtigas revised this gist Mar 10, 2015. 2 changed files with 70 additions and 43 deletions.
    75 changes: 43 additions & 32 deletions 1-tls
    @@ -4,15 +4,6 @@ Hash: SHA512
    The following are the SSL certificate fingerprints for the
    propublica.org servers as of 2015-03-10.

    This document is signed with Mike Tigas' PGP key (8192R/0x6E0E9923,
    fingerprint 4034 E60A A782 7C5D F21A 89AA A993 E715 6E0E 9923), which
    you can download at any of the following:
    https://s3.amazonaws.com/propublica/assets/pgp/mike_tigas-4034E60AA7827C5DF21A89AAA993E7156E0E9923.txt
    https://mike.tig.as/pubkey_6E0E9923.txt
    http://p80.pool.sks-keyservers.net/pks/lookup?op=get&search=0x4034E60AA7827C5DF21A89AAA993E7156E0E9923

    ==============================

    Common Name: www.propublica.org
    notBefore=Jul 7 00:00:00 2014 GMT
    notAfter=Jul 7 23:59:59 2015 GMT
    @@ -62,29 +53,49 @@ MD5 Fingerprint=A3:5B:22:74:72:A7:89:B0:E7:EC:92:DC:1F:0B:0D:E9
    SHA1 Fingerprint=E7:C9:AF:C7:79:3D:5F:A9:06:A5:95:20:E1:AE:87:B7:25:C4:AA:DE
    SHA256 Fingerprint=05:77:35:B1:ED:5C:15:5F:4D:EB:AF:E1:99:6A:E0:32:EE:D0:80:9F:32:8C:FC:AA:F4:9E:04:57:06:CA:DF:27

    ==============================

    This message can be verified via the following PGP key, which can be
    corroborated on my ProPublica staff profile and other following links:

    pub 8192R/0xA993E7156E0E9923 2013-07-19 [expires: 2016-01-02]
    Key fingerprint = 4034 E60A A782 7C5D F21A 89AA A993 E715 6E0E 9923
    uid [ultimate] Mike Tigas <[email protected]>
    uid [ultimate] Mike Tigas <[email protected]>
    sub 8192R/0xECB867297E745064 2013-12-24 [expires: 2016-01-02]
    sub 8192R/0xB09CCE88E55F7656 2013-07-19 [expires: 2016-01-02]

    https://s3.amazonaws.com/propublica/assets/pgp/mike_tigas-4034E60AA7827C5DF21A89AAA993E7156E0E9923.txt
    https://mike.tig.as/pubkey_6E0E9923.txt
    http://p80.pool.sks-keyservers.net/pks/lookup?op=get&search=0x4034E60AA7827C5DF21A89AAA993E7156E0E9923
    https://www.propublica.org/site/author/mike_tigas
    https://mike.tig.as/
    https://twitter.com/mtigas
    https://keybase.io/mtigas

    -----BEGIN PGP SIGNATURE-----

    iQQcBAEBCgAGBQJU/1k1AAoJEOy4Zyl+dFBkOhMf/0+CdX2FqM6v5GEgJQ5MbQQJ
    7zIViS3RZdbkZ3FWTPG37I9mXgzIkTUIUjZmKRmKUdelUAHcQBIyGvK1s2kAtZGD
    bktfWbifiaG4fj7DBTWNpd3qqhYMIQoVXFlVCPLYOCrXg7Txg34NsFT7TJxIfqHa
    NqHkhOanJU4jrNCk5asxkG4FB9AjRhpMaxc6En0IRR6/LReK+F12LOXE92wv4KhP
    W2c2FAEhOdBw0jrp6KLCWS4Jj0KTDycF+wf5XnERi/MnTJog4V/RyZ3RRveyFOwE
    Odkd1fZMQ8sajtdB2aLbz2G/iyDiSKPaTlhxn3u+7Ub6YT+v/8TZ82jGqVw/+ecC
    dcbPwQD/HhzLA2Ob8dywguZ3JSpYd1hnX2epfbnCsLgaDECsum6Fy+8v9lmUx/+q
    tfOgjY9gp83O8vihO1oSFqvLQTo2ykCwhFSopped+gla+GySJecDIIZ2YG8fR/Ot
    vfL+tYt+RFCbOohabQjCLQjWtu9kt0MWuRkK9oQp1okl231KYZ39AjbmFXhjTWHt
    oIe7bAgXMCXUNTRW9ztoJ6W0FTqLOWEE4bvQgr76pGIrTq293EV11MkQQUikircu
    h2hM2/nJcDykMev+yjvG6dXZmayEqWZjR6YaUZpz20gjy56TwzfbaUmi9ayQFRI3
    8cPoxsXiD72e4BtakKP7HEvUih3ndiwTuCd/Z7Qioo3nVN/xRF79GDMQXv2Jmy87
    KgM6KbIqpvuJWRWkkcg2u7RmnmKRqhJensJGnQH18urcYfiYhjtyGc1+PsKpvcaN
    zojSarBW4nuXq5gdpastepwmSAS9j+170XhudqSnhoqirftfP0H0U7xPhO/R0f3Y
    g8sVzv8mfTPI1gNRT4oE98/0ajRZ/817eM0dm3UA2tg7jp/YSnHcDwhsiZbY1/gJ
    i04geNYaTD+qazwxmpW3rqG3YfN5dh9F5c/IUn5Q6qeZebNOeO/SBxNjxYBDwnj6
    76WhEJJfM3DSVMXy+iVlzXDwQ+OCRqz5AVw+2easXjSfT8zMS0j0EKU8Kp1xUnIB
    wgLtA5/MK9JMbetFeuDes6eNKbPPFXg0WUjL+nc38Sjb4jyECtc9Y60SPQjIDVl0
    0sSzimm1T3i5Nd4cHlOYbwfh+NACMvKzqzsduBj2Sip3QsPUQSv7pQIO5AcCuCzs
    MZAlg0wa5ZcwPrHV+shj2Xw2orYlk/N4YkNaaHBLJR6d8CJKk8onI2+atrc7y9zT
    j90xeD4vOnXMII62GriWC8u626D4f6wMuUgGBiw8Gzq59hp1tV246pnqmpsJ1LMu
    UzoiRfeSr5qNYl6mBhLjNb98bmcrWhyTnPH/oKk8czUAukpwHfqlDvn5YEdZWWE=
    =91iI
    iQQcBAEBCgAGBQJU/19xAAoJEOy4Zyl+dFBk9Jsf/ii9bj/2vFlLGbdktUj7ckZJ
    6ypVyA1e3rrIAGxxWOgiTmAO0GNvh1a1JkoCBg20kLVk/FlV73GAGcSgw3g1gL8K
    iRZiIdw0/+//00L7gN+KAYlDLzjuQHPiHgbF3yIBKZUlqzgHDfE7Ul3G8al31I+v
    Lg2KbJgoY1xnvFFVUSiAMF+ToIhC0Np86+uR/g6nU76FNv2RX7YmHkN6KhUxmJAE
    dV2d8BGcrs6hvkVq23JlR+pSDdobqdSoZ3hjxLRNzbaWd74YQwAj4LNYYXJfJ4X5
    XuVE0hdPOv5W/Bil9xu2h1g9vN4VccOoRrhsyEvVdDgaEfj8MsgHXKEEwyiLWOp7
    r6xRWEQXt2IJHgSwxVfpOHGPE5IFgXWK3GwcJzKWBIRgFkmhWH8UE5XsNxwFUG17
    KUER5GOQxe5vjMKe1hkjaHWulU97NlyRPaYuVJ3L0D5R7X+jgT/H6ytEHxkUAgc4
    qkjpQZjfleH1NSOoLQCTJrg0H1s8y7EXc/5duo9dNH/WPTeiYmo+qlZ2iSKRByF4
    +eCSMCEsQ3Dc4ZIg6E3VmzH0AKdKvn2U7iJvxsz3fxKhOcaQ8oc+yPdB6X3IOH6K
    thR4SHiKiFRH2fwLGX6KYuPqFFskCNDi296cbQbvk28jUtz21kCdL0r73uFMHrdb
    Fy5EVvctrqGtZmFcPm0NlS1vPofOynddcEaT57HPhWOVpFPgZlJ6Bx+2APEOuc7o
    EEOHsz+nNWpxtGHN6/K1Ulpx1W4PCP/FPH8/fGoOVgFP1+Pb5qEw9X1ApK0U9+zj
    sPZJNE6TCJTg5A4MZb8LT6BwU8zmJcISr8PUZhAHRrM8doxxIAEUoXt/vDBb6Ord
    BspV7MpBo9DYAYglPuz+ilyyl+oC29lyCr5UzeAm+74nAdddqyqd13m4Ge52WwDr
    pRKF+MXxBR+GnME1U/f5hyv+8OJB7GIQJUR6UOTJXe3XKaCAyaXDpTfJBEYVxG89
    wJP8Fbk68UYKNIoWxlTetVtFdbEhGONRGBwP5sMGwtTRJepQG4wEoBr2Y6Zf/5ut
    dDaAR2yml2a3aJTKjRQTTL+S8e5oSCaEGh0i5SW8vfn4GsEog42tw3iQIkQdD579
    sZLAEtkwk6RFVxe2w8AF9769WUBcsAY82wO3+SYiJBEhacTF/gjylBsUe3ErPulu
    irqhGTpBtAm/eCz8u7DOJslbLDh7dy3MthhLKXEyRczDUKbN/BfDCBdKxdqKPRzl
    qwdUNvO0IWj5WYdtE05wClsCIEqxTjJGsDUJRXRv1hYAqREu7PBRS6KHMutb3LlU
    jLKKtOWqhEFeQTvcLOn+Cy7B5p85U9ZWvZuzeVc0qh5BBYcLq+E4NccCxLyvkl8=
    =boXg
    -----END PGP SIGNATURE-----
    38 changes: 27 additions & 11 deletions z-certs.sh
    @@ -1,24 +1,16 @@
    #!/bin/bash
    export PATH=`brew --prefix curl`/bin:`brew --prefix openssl`/bin:`brew --prefix gnupg2`/bin:$PATH
    /usr/local/opt/curl/bin/curl -k -Lo /tmp/ca-bundle.crt https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt

    SITES="www.propublica.org projects.propublica.org static.propublica.org securedrop.propublica.org"
    /usr/local/opt/curl/bin/curl -k -Lo /tmp/ca-bundle.crt https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt

    tee /tmp/certs.txt << EOF1
    The following are the SSL certificate fingerprints for the
    propublica.org servers as of `date +"%Y-%m-%d"`.
    This document is signed with Mike Tigas' PGP key (8192R/0x6E0E9923,
    fingerprint 4034 E60A A782 7C5D F21A 89AA A993 E715 6E0E 9923), which
    you can download at any of the following:
    https://s3.amazonaws.com/propublica/assets/pgp/mike_tigas-4034E60AA7827C5DF21A89AAA993E7156E0E9923.txt
    https://mike.tig.as/pubkey_6E0E9923.txt
    http://p80.pool.sks-keyservers.net/pks/lookup?op=get&search=0x4034E60AA7827C5DF21A89AAA993E7156E0E9923
    ==============================
    EOF1

    SITES="www.propublica.org projects.propublica.org static.propublica.org securedrop.propublica.org"

    for SITE in ${SITES}; do
    echo -n | openssl s_client -connect ${SITE}:443 -servername ${SITE} -CAfile /tmp/ca-bundle.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/${SITE}.pem
    echo "Common Name: ${SITE}" >> /tmp/certs.txt
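
    Review bot: `curl -k` turns off certificate verification for the download of ca-bundle.crt, and that file is then handed to `openssl s_client` as `-CAfile`, so the trust anchors behind every fingerprint in the signed output arrive over an unauthenticated connection. Drop `-k`, or compare the bundle against a known checksum before using it. The `s_client | sed` line also saves whatever certificate the server presents even when chain verification fails; adding `-verify_return_error` together with `set -o pipefail` would stop a bad chain from being fingerprinted and signed.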
    @@ -53,6 +45,30 @@ openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha1 >> /tmp/ce
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha256 >> /tmp/certs.txt
    echo "" >> /tmp/certs.txt


    tee -a /tmp/certs.txt << EOF1
    ==============================
    This message can be verified via the following PGP key, which can be
    corroborated on my ProPublica staff profile and other following links:
    pub 8192R/0xA993E7156E0E9923 2013-07-19 [expires: 2016-01-02]
    Key fingerprint = 4034 E60A A782 7C5D F21A 89AA A993 E715 6E0E 9923
    uid [ultimate] Mike Tigas <[email protected]>
    uid [ultimate] Mike Tigas <[email protected]>
    sub 8192R/0xECB867297E745064 2013-12-24 [expires: 2016-01-02]
    sub 8192R/0xB09CCE88E55F7656 2013-07-19 [expires: 2016-01-02]
    https://s3.amazonaws.com/propublica/assets/pgp/mike_tigas-4034E60AA7827C5DF21A89AAA993E7156E0E9923.txt
    https://mike.tig.as/pubkey_6E0E9923.txt
    http://p80.pool.sks-keyservers.net/pks/lookup?op=get&search=0x4034E60AA7827C5DF21A89AAA993E7156E0E9923
    https://www.propublica.org/site/author/mike_tigas
    https://mike.tig.as/
    https://twitter.com/mtigas
    https://keybase.io/mtigas
    EOF1

    gpg --clearsign -u 0x4034E60AA7827C5DF21A89AAA993E7156E0E9923 /tmp/certs.txt

    cat /tmp/certs.txt.asc
  7. mtigas revised this gist Mar 10, 2015. 2 changed files with 29 additions and 25 deletions.
    50 changes: 26 additions & 24 deletions 1-tls
    @@ -6,8 +6,10 @@ propublica.org servers as of 2015-03-10.

    This document is signed with Mike Tigas' PGP key (8192R/0x6E0E9923,
    fingerprint 4034 E60A A782 7C5D F21A 89AA A993 E715 6E0E 9923), which
    you can download here:
    you can download at any of the following:
    https://s3.amazonaws.com/propublica/assets/pgp/mike_tigas-4034E60AA7827C5DF21A89AAA993E7156E0E9923.txt
    https://mike.tig.as/pubkey_6E0E9923.txt
    http://p80.pool.sks-keyservers.net/pks/lookup?op=get&search=0x4034E60AA7827C5DF21A89AAA993E7156E0E9923

    ==============================

    @@ -62,27 +64,27 @@ SHA256 Fingerprint=05:77:35:B1:ED:5C:15:5F:4D:EB:AF:E1:99:6A:E0:32:EE:D0:80:9F:3

    -----BEGIN PGP SIGNATURE-----

    iQQcBAEBCgAGBQJU/1TbAAoJEOy4Zyl+dFBk4TIf/RHqGntj6zNTUCL6O4TO/HHq
    y7kEIwicZRorKNT1ytxU7Xdy9Q9cR3td3RnzVgm7jGHuRwaYNbIyIhuAf8O7Ba9Y
    N0r9gs/fuLHFCqpo55AqdyBQ+dmLKr1j03GkAEnzfchI9xehWSW8O38Ff9kNtPaq
    rFZBmEKAp7X6eRoMFYs7rgHNFiAXjFIv7MKxvCcg73n8naDSBa+gHrBkT/LM2gAl
    f1kSShDBKlad4lgKYTLTyK9LbJb90G6m8p9ORYR39ThjbE3b6YNFxLVkSpnOBbGH
    nRGAvGDO3GLeWYXYn0tBibUrLsuLs8k0dNsGrhkKSVl3tW7WRKn5J5tjcqTT59VS
    QxqA4zLp/9FNS2kZE2Rbeo7foUdx/3iAQup83LG6uf6Ufvb/70xo+m0hz5IMiLDz
    9mqGBO+3A261PhuQ1IafRSc+fy3AV1qpfKn30hbvj32P9rNXFxckgKztp3nKkv1m
    IxkByUcgbS2f8N1kfOtEhraxjitrsdx5ahvI8ZJCaWwC7FW7YE9s+p1yaKG6nlkQ
    YGmnMe/bEwLnP4Zs4IfAmyXxy0Cjd42P1kL7o94qKJ0EJi9q0mIcHticWsYZyDK6
    c86utFH6gAieMuTeZ8F+jWmJi5sJA4yYOXA3V2Gjk02sr+/inWOeudREtg5pi5Js
    tZOBgh+ZNn9eitVlRyS5bnfGVVODtq2/TxfoukTActgXRDodIQ/VHsW33jlojfaE
    KT8UMrK50PqluA3hKzPuYNBX1BUgMxZ0YIw6FxI+UVrHVfOXXkI4pnmMLVbye6f9
    pnGtzpASlNR5kvjWJ1yo9reHb0GXTmFytJw9Qm+7oxUz1umaHqysSuNj2gKb83y2
    GghuV5ms4NP9SxrgZQraPBADWorRClhQJo5IDzzM1eny+6NSHKHi/p5nKFwWYwsC
    4l9Nh/jOwNVHwDuHqeVf5HD3lmSoF8qoFEkgMy3zX1l4bIogSp6FgV0ITqg7giv2
    Wa3GixT7722y44f37yte/L1oBCMkNEWgeKgiBGNoKCa7vdzpPsRmzBlaW8dQiXNF
    0GJDIGTNMx+f04ldJSBFBPsZn4IitE9FGJXkToMUUFK7JT8J46G8vnwvvRolrPCB
    aBPAPjFQQ9A0Cj/79LrwA89WeD02qdOzzWdts50sJ3/MJy57fr4CSn1fYsXXEeE8
    5b+Gu42WGrItbGSWubjHsjExyI0dI0HfmYgGb7pIFZtu3bkXhYVEwPDf04m/DsA0
    rk5yjREvuEOlzVkE+1asa2c7KCd2x8xDr7gBV1AQr0zF8xVXCBUbKJBGTVSyemNs
    7lUfpQaQjXm7N8w01PY+0HuTpuBgApH2+HZvkBy4YBuP1PSI0L1KJd3BqJ3YKmE=
    =huZk
    iQQcBAEBCgAGBQJU/1k1AAoJEOy4Zyl+dFBkOhMf/0+CdX2FqM6v5GEgJQ5MbQQJ
    7zIViS3RZdbkZ3FWTPG37I9mXgzIkTUIUjZmKRmKUdelUAHcQBIyGvK1s2kAtZGD
    bktfWbifiaG4fj7DBTWNpd3qqhYMIQoVXFlVCPLYOCrXg7Txg34NsFT7TJxIfqHa
    NqHkhOanJU4jrNCk5asxkG4FB9AjRhpMaxc6En0IRR6/LReK+F12LOXE92wv4KhP
    W2c2FAEhOdBw0jrp6KLCWS4Jj0KTDycF+wf5XnERi/MnTJog4V/RyZ3RRveyFOwE
    Odkd1fZMQ8sajtdB2aLbz2G/iyDiSKPaTlhxn3u+7Ub6YT+v/8TZ82jGqVw/+ecC
    dcbPwQD/HhzLA2Ob8dywguZ3JSpYd1hnX2epfbnCsLgaDECsum6Fy+8v9lmUx/+q
    tfOgjY9gp83O8vihO1oSFqvLQTo2ykCwhFSopped+gla+GySJecDIIZ2YG8fR/Ot
    vfL+tYt+RFCbOohabQjCLQjWtu9kt0MWuRkK9oQp1okl231KYZ39AjbmFXhjTWHt
    oIe7bAgXMCXUNTRW9ztoJ6W0FTqLOWEE4bvQgr76pGIrTq293EV11MkQQUikircu
    h2hM2/nJcDykMev+yjvG6dXZmayEqWZjR6YaUZpz20gjy56TwzfbaUmi9ayQFRI3
    8cPoxsXiD72e4BtakKP7HEvUih3ndiwTuCd/Z7Qioo3nVN/xRF79GDMQXv2Jmy87
    KgM6KbIqpvuJWRWkkcg2u7RmnmKRqhJensJGnQH18urcYfiYhjtyGc1+PsKpvcaN
    zojSarBW4nuXq5gdpastepwmSAS9j+170XhudqSnhoqirftfP0H0U7xPhO/R0f3Y
    g8sVzv8mfTPI1gNRT4oE98/0ajRZ/817eM0dm3UA2tg7jp/YSnHcDwhsiZbY1/gJ
    i04geNYaTD+qazwxmpW3rqG3YfN5dh9F5c/IUn5Q6qeZebNOeO/SBxNjxYBDwnj6
    76WhEJJfM3DSVMXy+iVlzXDwQ+OCRqz5AVw+2easXjSfT8zMS0j0EKU8Kp1xUnIB
    wgLtA5/MK9JMbetFeuDes6eNKbPPFXg0WUjL+nc38Sjb4jyECtc9Y60SPQjIDVl0
    0sSzimm1T3i5Nd4cHlOYbwfh+NACMvKzqzsduBj2Sip3QsPUQSv7pQIO5AcCuCzs
    MZAlg0wa5ZcwPrHV+shj2Xw2orYlk/N4YkNaaHBLJR6d8CJKk8onI2+atrc7y9zT
    j90xeD4vOnXMII62GriWC8u626D4f6wMuUgGBiw8Gzq59hp1tV246pnqmpsJ1LMu
    UzoiRfeSr5qNYl6mBhLjNb98bmcrWhyTnPH/oKk8czUAukpwHfqlDvn5YEdZWWE=
    =91iI
    -----END PGP SIGNATURE-----
    4 changes: 3 additions & 1 deletion z-certs.sh
    @@ -10,8 +10,10 @@ propublica.org servers as of `date +"%Y-%m-%d"`.
    This document is signed with Mike Tigas' PGP key (8192R/0x6E0E9923,
    fingerprint 4034 E60A A782 7C5D F21A 89AA A993 E715 6E0E 9923), which
    you can download here:
    you can download at any of the following:
    https://s3.amazonaws.com/propublica/assets/pgp/mike_tigas-4034E60AA7827C5DF21A89AAA993E7156E0E9923.txt
    https://mike.tig.as/pubkey_6E0E9923.txt
    http://p80.pool.sks-keyservers.net/pks/lookup?op=get&search=0x4034E60AA7827C5DF21A89AAA993E7156E0E9923
    ==============================
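
    Review bot: the added keyserver link is plain http, and the sentence above it names the key as 8192R/0x6E0E9923, a 32-bit short ID. Both are acceptable only if readers compare the full fingerprint printed beside it, and the text does not tell them to. Use the long ID 0xA993E7156E0E9923 or the fingerprint alone, and add a line asking readers to check the fingerprint of whatever they download.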
  8. mtigas revised this gist Mar 10, 2015. 3 changed files with 144 additions and 0 deletions.
    88 changes: 88 additions & 0 deletions 1-tls
    @@ -0,0 +1,88 @@
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    The following are the SSL certificate fingerprints for the
    propublica.org servers as of 2015-03-10.

    This document is signed with Mike Tigas' PGP key (8192R/0x6E0E9923,
    fingerprint 4034 E60A A782 7C5D F21A 89AA A993 E715 6E0E 9923), which
    you can download here:
    https://s3.amazonaws.com/propublica/assets/pgp/mike_tigas-4034E60AA7827C5DF21A89AAA993E7156E0E9923.txt

    ==============================

    Common Name: www.propublica.org
    notBefore=Jul 7 00:00:00 2014 GMT
    notAfter=Jul 7 23:59:59 2015 GMT
    MD5 Fingerprint=83:E3:9D:2C:28:34:8D:9E:65:79:90:22:E8:71:3C:6F
    SHA1 Fingerprint=90:82:5A:80:DE:4C:64:67:DA:F5:11:73:39:AF:79:CE:0E:E8:E5:59
    SHA256 Fingerprint=B2:4B:1E:C2:59:E8:DF:72:62:A0:74:D0:26:02:29:43:4C:14:46:1A:78:02:6D:A3:AE:34:B3:FF:54:F1:7F:A0

    Common Name: projects.propublica.org
    notBefore=Nov 18 00:00:00 2014 GMT
    notAfter=Nov 23 12:00:00 2015 GMT
    MD5 Fingerprint=BD:39:56:49:09:E7:A0:E1:15:90:79:56:37:6C:6E:A8
    SHA1 Fingerprint=3C:2A:32:B2:BA:2C:88:FC:84:32:A1:25:98:6A:DB:C4:8C:43:81:FC
    SHA256 Fingerprint=83:10:33:D5:CE:12:38:7B:1C:32:D2:C9:B2:A3:5D:BE:2C:06:EA:82:87:1E:CD:AA:E3:1D:09:32:AB:13:26:CC

    Common Name: static.propublica.org
    notBefore=Oct 31 00:00:00 2014 GMT
    notAfter=Oct 31 23:59:59 2015 GMT
    MD5 Fingerprint=46:B8:1B:6C:3A:D6:CD:73:29:4E:8B:47:29:97:39:E9
    SHA1 Fingerprint=24:89:7B:4D:57:5A:04:09:E7:9D:05:48:74:4A:39:ED:4C:5E:27:82
    SHA256 Fingerprint=7E:CB:B6:53:C8:2E:95:40:DC:4B:6E:6B:AC:CD:21:10:AE:8F:0C:0D:BF:8B:18:AD:60:0F:D6:0F:4C:9B:5E:9D

    Common Name: securedrop.propublica.org
    notBefore=Jan 19 22:35:09 2014 GMT
    notAfter=Jan 22 11:56:54 2017 GMT
    MD5 Fingerprint=E5:3D:80:2D:A0:70:68:36:B9:C6:03:EB:DA:A4:C6:CC
    SHA1 Fingerprint=33:03:99:09:7E:D3:83:E4:AC:48:54:E4:89:19:2D:47:68:61:7A:B5
    SHA256 Fingerprint=47:F2:2F:33:83:62:FE:02:10:61:69:73:3D:78:77:AB:35:1B:F5:96:2C:08:A4:EF:C2:5F:5A:26:1F:F5:19:95

    Common Name: propub3r6espa33w.onion (www.propublica.org hidden service mirror - self-signed SSL)
    notBefore=Dec 3 20:33:38 2014 GMT
    notAfter=Dec 3 20:33:38 2015 GMT
    MD5 Fingerprint=43:03:6C:B4:63:83:27:7A:83:61:16:46:08:71:E9:09
    SHA1 Fingerprint=BE:7F:C0:DE:73:64:23:E0:7B:D5:04:47:59:B3:7E:27:F0:52:E0:5B
    SHA256 Fingerprint=CD:74:43:31:C5:5A:0F:33:A7:F7:E0:1F:54:60:9A:AB:07:2F:95:8D:6A:9A:F8:07:93:6F:4D:23:52:B1:F3:0F

    Common Name: pubapp7v22ykdou3.onion (projects.propublica.org hidden service mirror - self-signed SSL)
    notBefore=Dec 3 20:34:31 2014 GMT
    notAfter=Dec 3 20:34:31 2015 GMT
    MD5 Fingerprint=78:8B:F1:BB:4D:53:7B:35:5A:B5:DD:7F:62:29:3A:9D
    SHA1 Fingerprint=B9:FB:C6:42:58:0F:E6:D4:17:ED:C4:C6:8C:FC:A8:71:6A:68:35:92
    SHA256 Fingerprint=AD:90:21:82:D2:41:DB:56:EA:27:66:78:F8:9E:3C:05:49:65:06:17:C6:8F:5B:26:72:DA:5C:DB:A7:89:94:7D

    Common Name: ppasset42kropoy6.onion (static.propublica.org hidden service mirror - self-signed SSL)
    notBefore=Dec 3 20:21:40 2014 GMT
    notAfter=Dec 3 20:21:40 2015 GMT
    MD5 Fingerprint=A3:5B:22:74:72:A7:89:B0:E7:EC:92:DC:1F:0B:0D:E9
    SHA1 Fingerprint=E7:C9:AF:C7:79:3D:5F:A9:06:A5:95:20:E1:AE:87:B7:25:C4:AA:DE
    SHA256 Fingerprint=05:77:35:B1:ED:5C:15:5F:4D:EB:AF:E1:99:6A:E0:32:EE:D0:80:9F:32:8C:FC:AA:F4:9E:04:57:06:CA:DF:27

    -----BEGIN PGP SIGNATURE-----

    iQQcBAEBCgAGBQJU/1TbAAoJEOy4Zyl+dFBk4TIf/RHqGntj6zNTUCL6O4TO/HHq
    y7kEIwicZRorKNT1ytxU7Xdy9Q9cR3td3RnzVgm7jGHuRwaYNbIyIhuAf8O7Ba9Y
    N0r9gs/fuLHFCqpo55AqdyBQ+dmLKr1j03GkAEnzfchI9xehWSW8O38Ff9kNtPaq
    rFZBmEKAp7X6eRoMFYs7rgHNFiAXjFIv7MKxvCcg73n8naDSBa+gHrBkT/LM2gAl
    f1kSShDBKlad4lgKYTLTyK9LbJb90G6m8p9ORYR39ThjbE3b6YNFxLVkSpnOBbGH
    nRGAvGDO3GLeWYXYn0tBibUrLsuLs8k0dNsGrhkKSVl3tW7WRKn5J5tjcqTT59VS
    QxqA4zLp/9FNS2kZE2Rbeo7foUdx/3iAQup83LG6uf6Ufvb/70xo+m0hz5IMiLDz
    9mqGBO+3A261PhuQ1IafRSc+fy3AV1qpfKn30hbvj32P9rNXFxckgKztp3nKkv1m
    IxkByUcgbS2f8N1kfOtEhraxjitrsdx5ahvI8ZJCaWwC7FW7YE9s+p1yaKG6nlkQ
    YGmnMe/bEwLnP4Zs4IfAmyXxy0Cjd42P1kL7o94qKJ0EJi9q0mIcHticWsYZyDK6
    c86utFH6gAieMuTeZ8F+jWmJi5sJA4yYOXA3V2Gjk02sr+/inWOeudREtg5pi5Js
    tZOBgh+ZNn9eitVlRyS5bnfGVVODtq2/TxfoukTActgXRDodIQ/VHsW33jlojfaE
    KT8UMrK50PqluA3hKzPuYNBX1BUgMxZ0YIw6FxI+UVrHVfOXXkI4pnmMLVbye6f9
    pnGtzpASlNR5kvjWJ1yo9reHb0GXTmFytJw9Qm+7oxUz1umaHqysSuNj2gKb83y2
    GghuV5ms4NP9SxrgZQraPBADWorRClhQJo5IDzzM1eny+6NSHKHi/p5nKFwWYwsC
    4l9Nh/jOwNVHwDuHqeVf5HD3lmSoF8qoFEkgMy3zX1l4bIogSp6FgV0ITqg7giv2
    Wa3GixT7722y44f37yte/L1oBCMkNEWgeKgiBGNoKCa7vdzpPsRmzBlaW8dQiXNF
    0GJDIGTNMx+f04ldJSBFBPsZn4IitE9FGJXkToMUUFK7JT8J46G8vnwvvRolrPCB
    aBPAPjFQQ9A0Cj/79LrwA89WeD02qdOzzWdts50sJ3/MJy57fr4CSn1fYsXXEeE8
    5b+Gu42WGrItbGSWubjHsjExyI0dI0HfmYgGb7pIFZtu3bkXhYVEwPDf04m/DsA0
    rk5yjREvuEOlzVkE+1asa2c7KCd2x8xDr7gBV1AQr0zF8xVXCBUbKJBGTVSyemNs
    7lUfpQaQjXm7N8w01PY+0HuTpuBgApH2+HZvkBy4YBuP1PSI0L1KJd3BqJ3YKmE=
    =huZk
    -----END PGP SIGNATURE-----
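    Review bot: every entry publishes an `MD5 Fingerprint=` line next to the SHA1 and SHA256 values; MD5 is collision-broken and gives a reader comparing certificates nothing the SHA256 line does not, so drop it and name SHA256 as the value to check. The header says "as of 2015-03-10" while the www.propublica.org entry carries `notAfter=Jul 7 23:59:59 2015 GMT`, so a sentence on where the re-signed list will appear when certificates rotate would help. The three .onion entries are marked self-signed, which makes this signed list their only trust anchor; that is worth stating in the text.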
    File renamed without changes.
    56 changes: 56 additions & 0 deletions z-certs.sh
    @@ -0,0 +1,56 @@
    #!/bin/bash
    export PATH=`brew --prefix curl`/bin:`brew --prefix openssl`/bin:`brew --prefix gnupg2`/bin:$PATH
    /usr/local/opt/curl/bin/curl -k -Lo /tmp/ca-bundle.crt https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt

    SITES="www.propublica.org projects.propublica.org static.propublica.org securedrop.propublica.org"

    tee /tmp/certs.txt << EOF1
    The following are the SSL certificate fingerprints for the
    propublica.org servers as of `date +"%Y-%m-%d"`.
    This document is signed with Mike Tigas' PGP key (8192R/0x6E0E9923,
    fingerprint 4034 E60A A782 7C5D F21A 89AA A993 E715 6E0E 9923), which
    you can download here:
    https://s3.amazonaws.com/propublica/assets/pgp/mike_tigas-4034E60AA7827C5DF21A89AAA993E7156E0E9923.txt
    ==============================
    EOF1

    for SITE in ${SITES}; do
    echo -n | openssl s_client -connect ${SITE}:443 -servername ${SITE} -CAfile /tmp/ca-bundle.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/${SITE}.pem
    echo "Common Name: ${SITE}" >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/${SITE}.pem -dates >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/${SITE}.pem -fingerprint -md5 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/${SITE}.pem -fingerprint -sha1 >> /tmp/certs.txt
    openssl x509 -noout -in /tmp/${SITE}.pem -fingerprint -sha256 >> /tmp/certs.txt
    echo "" >> /tmp/certs.txt
    done

    SITE="propub3r6espa33w.onion"
    echo "Common Name: ${SITE} (www.propublica.org hidden service mirror - self-signed SSL)" >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -dates >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -md5 >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha1 >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha256 >> /tmp/certs.txt
    echo "" >> /tmp/certs.txt

    SITE="pubapp7v22ykdou3.onion"
    echo "Common Name: ${SITE} (projects.propublica.org hidden service mirror - self-signed SSL)" >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -dates >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -md5 >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha1 >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha256 >> /tmp/certs.txt
    echo "" >> /tmp/certs.txt

    SITE="ppasset42kropoy6.onion"
    echo "Common Name: ${SITE} (static.propublica.org hidden service mirror - self-signed SSL)" >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -dates >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -md5 >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha1 >> /tmp/certs.txt
    openssl x509 -noout -in /foo/bar/nginx/${SITE}.pem -fingerprint -sha256 >> /tmp/certs.txt
    echo "" >> /tmp/certs.txt

    gpg --clearsign -u 0x4034E60AA7827C5DF21A89AAA993E7156E0E9923 /tmp/certs.txt

    cat /tmp/certs.txt.asc
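    Review bot: the CA bundle that becomes the trust anchor for every check is downloaded with `curl -k`, which disables certificate verification on the one fetch that most needs it; drop `-k`. In the `for SITE` loop, the output of `openssl s_client ... -CAfile /tmp/ca-bundle.crt` goes straight into `sed` and the verification result is never inspected; s_client continues after a verification failure by default, so whatever certificate the network path presents gets fingerprinted and then clearsigned. Add `-verify_return_error` (or check for `Verify return code: 0 (ok)`) and exit before the `gpg --clearsign` step on failure. The fixed `/tmp/certs.txt` and `/tmp/${SITE}.pem` paths are predictable on a shared machine; a `mktemp -d` working directory avoids reading or clobbering files another user placed there.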
  9. mtigas created this gist Dec 3, 2014.
    54 changes: 54 additions & 0 deletions gistfile1.txt
    @@ -0,0 +1,54 @@
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    As of December 3, 2014, these three `*.propublica.org` domains
    are mirrored by the following corresponding Tor hidden services:

    www.propublica.org | propub3r6espa33w.onion
    projects.propublica.org | pubapp7v22ykdou3.onion
    static.propublica.org | ppasset42kropoy6.onion

    And our SecureDrop instance (info: https://securedrop.propublica.org/
    and https://freedom.press/securedrop ) is located at:

    pubdrop4dw6rk3aq.onion

    This message can be verified via the following PGP key, which is
    also available on my ProPublica staff profile and the other following
    links:

    PGP public key: https://mike.tig.as/pubkey_6E0E9923.txt
    4034 E60A A782 7C5D F21A 89AA A993 E715 6E0E 9923
    uid Mike Tigas <[email protected]>
    uid Mike Tigas <[email protected]>

    https://www.propublica.org/site/author/mike_tigas
    https://mike.tig.as/
    https://twitter.com/mtigas
    https://keybase.io/mtigas
    -----BEGIN PGP SIGNATURE-----

    iQQcBAEBCgAGBQJUf4TOAAoJEKmT5xVuDpkj4aAgAJDO4ThE15v5HAjL1E8ZVFVE
    oU0z7VDLITnpUe29hj0kkBbbx0Zy7LVjWl2GhAntMFurJ2AkSnzq0z3BED+m6x61
    /wSWlTnCMoC9h74A/LmPhwM5HICop3TYUJTZWyKyHRdO81uSEb9dZPk/p4rlyyaq
    qXJ9Uk/qoiRXJvumEPOeTwSD5w9JQFZf7RbfNiwB3gb6oECRgWZUb7drLAeJkc5/
    Ze1sx9ZwVEOTKBy5Be70Y0aW7Vey8t2WMwI2844/CjinP9PFQQt2nnvsJ2iNF1En
    9rPiGzwVfuoZVGw+p8uEY0gro3FAHk24zxywC0QCW9h29F8OXeqP5GLKUQwu3Wq/
    kG77BFpO+oaIVm8KnTE80fhSZSK8vvU/J0EPsnW2eaGU8aXXUxLcEYgi4/vmf6TZ
    4oKi/k3DIoJ80slPQID1NxcamIGhfX4tKqsGYwQGGiH+t2GHqrxx78AL0oJC5ODi
    TaMBKLadiqRn5cTPU5spKAAMwegqaFxLHl9vF2mb1bE19nnIiNFTeDWQ6e8eokhV
    ymhOSkc6i9DJCX8EHffw/zhHuwZtSL2IGp2Q/70gXb6T6fnwmeu4a1EClEMCmQPV
    R3mKfXPfgSS5mn1aiHMDWuTbk5Q2zLcgxjy0nrmjTP/xw7X1q4HaCrvzDUwOJdd5
    9TZAzn/JqBHEYZYg4aJhPtWBKNqCNhNyV3fH+BEcChq8rJCJIa6zDa703OAWrBHP
    6D2K4R5o50dYwo3Y9DIBeJt8juGNP6O7IdhsifjkOupiRST4wibea5YKVW6v7EW/
    IdNO+GofLawM1p204rifuCoQO72Ag/6KVJHUTb0wzJV0521DzCzbbEzVqV/rIdVK
    mENuNi/NInqDyzKic5cxYaNgj7NJYZ6y3g+zYxIMyEwOsqgW5AeR+YBrqwMmd+ou
    WhCWChQgxgH4nr9ZhQqAXPwq1D0RQyn002uNQtY90jwVMHklHTjaT5rGLFcsqVMk
    X5V4/Zp/ruqy5aIXMafF3cy4Hw5bhbL+mmCfCXlkWBwJj1yKipou0JyZqeNsMmWC
    tZi44zjIhHWUVTYPcdYCuAgcJBbMtHzJJ4uJCZoCarOAzfGYYKZcYnecap6OQ5qn
    z7iZYoRu/udCyLBN6klcSuo50RX2lna2ncENT/aDpYDbUpKGxlHxZQzq2vI0f2al
    uvd2SkHcVTluYV1T5iGw/8d09Lbk6o5GzSRWW6z4adkN/FsTj02Ort0XvgBJDeAd
    ZlK45xTwhtLuPV8E1i7KoRgoG0SWZf2WnuirHiJxMNRPLOPkgAYyxHpdSEgxkIv8
    tFesSUjMUYidzXj/wGtO1C6Yl+dOqBAR/WV/bezr/pz5WjJguxOUs5mv+EI7o1o=
    =+CsO
    -----END PGP SIGNATURE-----
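    Review bot: the key URL and the fingerprint line `4034 E60A A782 7C5D F21A 89AA A993 E715 6E0E 9923` sit inside the signed body, so a reader who checks them only against this message learns nothing about whether the signing key is the right one. The text already lists the staff profile and other links; say explicitly that the fingerprint should be compared against a copy retrieved from one of those, not against this message. The key file name `pubkey_6E0E9923.txt` uses only the 32-bit short ID, so the text should point readers at the full fingerprint rather than the file name.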