-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathintegrity.texi
34 lines (27 loc) · 1.27 KB
/
integrity.texi
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
You @strong{have to} verify downloaded tarballs authenticity to be sure
that you retrieved trusted and untampered software. There are two options:
@table @asis
@item @url{https://www.openpgp.org/, OpenPGP} @file{.asc} signature
Use @url{https://www.gnupg.org/, GNU Privacy Guard} free software
implementation.
For the very first time it is necessary to get signing public key and
import it. It is provided @url{PUBKEY-PGP.asc, here}, but you should
check alternate resources.
@verbatim
pub rsa2048/0x82343436696FC85A 2016-09-13
CEBD 1282 2C46 9C02 A81A 0467 8234 3436 696F C85A
uid GoGOST releases <gogost at cypherpunks dot ru>
@end verbatim
@example
$ gpg --auto-key-locate dane --locate-keys gogost at cypherpunks dot ru
$ gpg --auto-key-locate wkd --locate-keys gogost at cypherpunks dot ru
@end example
@item @url{https://www.openssh.com/, OpenSSH} @file{.sig} signature
@url{PUBKEY-SSH.pub, Public key} and its OpenPGP
@url{PUBKEY-SSH.pub.asc, signature} made with the key above.
Its fingerprint: @code{SHA256:u8X9rPDOhxpyzGs/IugbxXbDeOu/0AttKY+LGAvHBH0}.
@example
$ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I gogost@@cypherpunks.ru -n file \
-s gogost-@value{VERSION}.tar.zst.sig < gogost-@value{VERSION}.tar.zst
@end example
@end table