mdpauley / samizdat

samizdat: 3dp Defense SuperPAC

brought to you by d33pthought

about

what is this

  • 3d printed firearm & firearm accessory models - for now nearly all from deterrence dispensed public pages
  • verification signatures for models
  • literature related to 3dp defense

why is this

  • organization: it's hard for even long-standing community members to find content, given the patchwork of disparate sources for related files
  • security: reduce community attack surface by signing files
  • redundancy: more sources makes it harder to censor content
  • replicability: git infrastructure makes it easy to clone & modify in organized fashion
  • forkability: if you want to modify/adapt you can have it your way
  • git architecture balances the advantages of centralization (replicability) & decentralization (forkability)
  • freshness: fosscad is fantastic but is not frequently updated & contains stale models that make the repo much larger
  • this doesn't exist yet

but but but

  • "but this isn't needed!" - then don't use it
  • "but simple hashes are as good as PGP ring signatures!" - no, they're absolutely not

models

pistol frames by manufacturer pattern

rifle / subgun receivers

hybrid/custom builds

magazines

other

verification

PGP ain't perfect, but it's useful. It can be used to increase confidence you are working with valid model files that haven't been tampered with. The details of installation/use will vary depending on computer platform (duckduckgo is your friend). Examples below are those that work in a modern linux environment.

  • detached model signatures are included in this repo with a file hierarchy mirroring the repo files. also included are sigs for the zips that are listed on Ivan's pages
  • public pgp keys:
    • d33pthought:
      • github key: 6B2062CCB178107C9FC3CA3209978FA36F146505
      • github signing subkey: 10DBC5509AF9E4DE58A7937C21A5E4B5F4209362
      • keybase: 85C2CE700955C042689F32CFC8597C06BED287DA
    • ctrlpew: 7E661D686F0CDA8B
      • downloaded via keybase in early Jan 2020 - no additional verification performed
      • (ctrlpew is the only det_disp admin with a listed public pgp key)

Overview:

  • start with the file to verify, the signature that corresponds to that file, and the public key used to create the signature
  • use the public key to verify the signature over the file; a good signature means the file is unchanged since it was signed with that key

Steps:

  • obtain public key of signer
    • e.g. obtain d33pthought's public key from the github repo, keybase, and another trusted individual, and check that it is the same from all sources. in this repo it is contained within the public_keys directory
  • import the public key:
    • gpg --import PUBLIC_KEY
    • this adds the public key to your local public key ring (a collection of public keys)
  • check that it's imported and note the key's keyid:
    • gpg --list-keys --with-subkey-fingerprint
  • check the file against the signature
    • gpg --verify SIGNATURE_FILE FILE_TO_VERIFY
    • e.g. for f17 stl from this repo's root directory: gpg --verify 01_verification/detached_model_signatures/02_pistols/f17_d33p_ffmu/models/f17_d33p_ffmu.stl.asc 02_pistols/f17_d33p_ffmu/models/f17_d33p_ffmu.stl
    • in the output you should see:
      • a "using ... key" line naming the expected keyid
      • "Good signature"

When is this useful? If you obtain the file, signature, and key from the same source then this is pointless because all three could have been tampered with. If you obtain the public key from a trusted source then this procedure provides a degree of confidence that the file has not been tampered with.
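The steps above as one added script (not part of the samizdat repo). It goes one step further than looking for "Good signature": it reads gpg's machine-readable status output and accepts only a signature made by the expected key, using d33pthought's github key and signing subkey fingerprints listed above. It assumes gpg 2.x is installed and uses PUBLIC_KEY_FILE as a placeholder for the key file from the public_keys directory.

```shell
#!/bin/sh
# Added example, not part of the samizdat repo. Verifies a detached signature
# and insists on WHICH key signed, instead of stopping at "Good signature".
# Expected fingerprints are d33pthought's github key and signing subkey as
# listed in this README. Assumes gpg (2.x) is installed.
set -u

EXPECTED_PRIMARY="6B2062CCB178107C9FC3CA3209978FA36F146505"
EXPECTED_SIGNING="10DBC5509AF9E4DE58A7937C21A5E4B5F4209362"

# check_status SIGNING_FPR PRIMARY_FPR
# Reads gpg --status-fd lines from stdin. Succeeds (0) only if a VALIDSIG line
# names the expected signing-key fingerprint (3rd field) and primary-key
# fingerprint (last field). Bad, unknown, expired or revoked signatures fail.
check_status() {
  want_sig=$1; want_primary=$2; found=1
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
        return 1 ;;
      "[GNUPG:] VALIDSIG "*)
        sig_fpr=$(printf '%s\n' "$line" | awk '{print $3}')
        primary_fpr=$(printf '%s\n' "$line" | awk '{print $NF}')
        if [ "$sig_fpr" = "$want_sig" ] && [ "$primary_fpr" = "$want_primary" ]; then
          found=0
        else
          return 1   # valid signature, but from a key we did not expect
        fi ;;
    esac
  done
  return $found
}

# verify_model PUBLIC_KEY_FILE SIGNATURE_FILE FILE_TO_VERIFY
# Imports the key into a throwaway keyring so the result does not depend on
# whatever else is in your default keyring, then verifies and checks the key.
verify_model() {
  ring=$(mktemp -d)/ring.gpg
  gpg --batch --no-default-keyring --keyring "$ring" --import "$1" >/dev/null 2>&1 || return 1
  if gpg --batch --no-default-keyring --keyring "$ring" --status-fd 1 \
       --verify "$2" "$3" 2>/dev/null | check_status "$EXPECTED_SIGNING" "$EXPECTED_PRIMARY"; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$(dirname "$ring")"
  return $rc
}

# The f17 example from this README, run from the repo root (PUBLIC_KEY_FILE is a placeholder):
# verify_model PUBLIC_KEY_FILE \
#   01_verification/detached_model_signatures/02_pistols/f17_d33p_ffmu/models/f17_d33p_ffmu.stl.asc \
#   02_pistols/f17_d33p_ffmu/models/f17_d33p_ffmu.stl
```

An exit status of 0 from verify_model means the file matches a signature made by the expected key; anything else should be treated as an unverified file.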

literature

links