docs: update core install verification #335

Merged on Jan 18, 2024 (5 commits)

@PastaPastaPasta
Member

I think it would be valuable to create a signature on this key to make the output messages better. On macOS / Linux this would look like:

gpg --quick-lsign-key "29590362EC878A81FD3C202B52527BEDABE87984" || (gpg --quick-generate-key `whoami` && gpg --quick-lsign-key "29590362EC878A81FD3C202B52527BEDABE87984")

(tries to quick-sign the key; if we can't, that probably means we don't have a private key, so generate one then re-sign)

On Windows this can be done in Kleopatra via the "certify key" option.

If you certify, the validation looks like:

root@b0b541f146d6:/# gpg --verify dashcore-20.0.4-x86_64-apple-darwin.dmg.asc 
gpg: assuming signed data in 'dashcore-20.0.4-x86_64-apple-darwin.dmg'
gpg: Signature made Fri Jan 12 17:26:20 2024 UTC
gpg:                using RSA key 29590362EC878A81FD3C202B52527BEDABE87984
gpg: Good signature from "Pasta <[email protected]>" [full]

If you don't certify, it looks like this; more scary, as it kinda should be:

root@9b4f06458392:/# gpg --verify dashcore-20.0.4-x86_64-apple-darwin.dmg.asc 
gpg: assuming signed data in 'dashcore-20.0.4-x86_64-apple-darwin.dmg'
gpg: Signature made Fri Jan 12 17:26:20 2024 UTC
gpg:                using RSA key 29590362EC878A81FD3C202B52527BEDABE87984
gpg: Good signature from "Pasta <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2959 0362 EC87 8A81 FD3C  202B 5252 7BED ABE8 7984

@thephez
Collaborator Author

thephez commented Jan 17, 2024

> I think it would be valuable to create a signature on this key to make the output messages better. On macOS / Linux this would look like:
>
> gpg --quick-lsign-key "29590362EC878A81FD3C202B52527BEDABE87984" || (gpg --quick-generate-key `whoami` && gpg --quick-lsign-key "29590362EC878A81FD3C202B52527BEDABE87984")
>
> (tries to quick-sign the key; if we can't, that probably means we don't have a private key, so generate one then re-sign)
>
> On Windows this can be done in Kleopatra via the "certify key" option.
>
> If you certify, the validation looks like:
>
> root@b0b541f146d6:/# gpg --verify dashcore-20.0.4-x86_64-apple-darwin.dmg.asc
> gpg: assuming signed data in 'dashcore-20.0.4-x86_64-apple-darwin.dmg'
> gpg: Signature made Fri Jan 12 17:26:20 2024 UTC
> gpg:                using RSA key 29590362EC878A81FD3C202B52527BEDABE87984
> gpg: Good signature from "Pasta <[email protected]>" [full]
>
> If you don't certify, it looks like this; more scary, as it kinda should be:
>
> root@9b4f06458392:/# gpg --verify dashcore-20.0.4-x86_64-apple-darwin.dmg.asc
> gpg: assuming signed data in 'dashcore-20.0.4-x86_64-apple-darwin.dmg'
> gpg: Signature made Fri Jan 12 17:26:20 2024 UTC
> gpg:                using RSA key 29590362EC878A81FD3C202B52527BEDABE87984
> gpg: Good signature from "Pasta <[email protected]>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 2959 0362 EC87 8A81 FD3C  202B 5252 7BED ABE8 7984

I'm conflicted on this. More steps = less likely that someone is going to actually do it. I also don't like auto-creating a key for someone to avoid that message. Provided someone actually looks at the fingerprint, certifying doesn't actually make anything safer.

The Windows instructions in particular need more work anyway (they lag because none of us actually use Windows). I'd prefer to merge this small cleanup PR and leave the rest for a separate thing. My Kleopatra updates are actually from Linux because I figured they're at least more accurate than the outdated ones that were there before.

Edit: I added a note to Linux/Mac about signing the key
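
The trade-off discussed above, as an added example that is not part of this PR or the project's docs: a shell check that accepts a download only when gpg reports a good signature from the pinned fingerprint, so the result does not depend on the `[full]` / `[unknown]` label. The function names and the sample status lines are constructed for illustration; the field positions assume GnuPG's documented `--status-fd` format.

```shell
#!/bin/sh
# Added example (not from the PR): accept a signature only if gpg reports a
# good signature from the pinned key, whatever trust label it prints.

# Fingerprint as printed in the gpg output quoted in this thread.
EXPECTED_FPR="29590362EC878A81FD3C202B52527BEDABE87984"

# Reads `gpg --status-fd` lines on stdin. Succeeds only when a GOODSIG is
# followed by a VALIDSIG whose primary key fingerprint equals $1.
status_matches_pin() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(NEWSIG|BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { good = 0 }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint; if gpg omits it,
            # fall back to field 3, the fingerprint of the signing key.
            fpr = (NF >= 12) ? $12 : $3
            if (good && toupper(fpr) == toupper(want)) ok = 1
        }
        END { exit ok ? 0 : 1 }
    '
}

# Usage: verify_pinned FILE.asc [FILE]   (needs gpg and the imported key)
verify_pinned() {
    gpg --status-fd 1 --verify "$@" 2>/dev/null | status_matches_pin "$EXPECTED_FPR"
}

# Constructed status lines (not captured from a real run): one good
# signature, seen without and with a local certification of the key.
GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 52527BEDABE87984 Pasta
[GNUPG:] VALIDSIG 29590362EC878A81FD3C202B52527BEDABE87984 2024-01-12 1705080380 0 4 0 1 10 00 29590362EC878A81FD3C202B52527BEDABE87984'
UNCERTIFIED="$GOOD
[GNUPG:] TRUST_UNDEFINED 0 pgp"
CERTIFIED="$GOOD
[GNUPG:] TRUST_FULLY 0 pgp"
# Constructed: a good signature, but from a key that is not the pinned one.
OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF 2024-01-12 1705080380 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF'

for name in UNCERTIFIED CERTIFIED OTHER_KEY; do
    eval "lines=\$$name"
    if printf '%s\n' "$lines" | status_matches_pin "$EXPECTED_FPR"
    then echo "$name: pinned key, accept"
    else echo "$name: reject"; fi
done
```

Both the certified and uncertified samples pass, because the decision rests on the fingerprint; the signature from the other key is rejected even though gpg would still print "Good signature" for it.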

Contributor

@UdjinM6 UdjinM6 left a comment

👍

@thephez thephez merged commit 51072bb into dashpay:20.0.0 Jan 18, 2024
@thephez thephez deleted the v20-core-install-updates branch January 18, 2024 14:11