X-Git-Url: http://www.git.cypherpunks.ru/?a=blobdiff_plain;f=doc%2Fintegrity.texi;h=5fda02f4ee259939ae6b7bc8f75aba38bc548546;hb=0e482169576b59168f44e509863e6b6acbca6f6d;hp=b9c6ff522b52b4b363a6cf93b201e19d518803fa;hpb=9a5ef6e33490971fc5af5538cdf98e800b692ea7;p=govpn.git diff --git a/doc/integrity.texi b/doc/integrity.texi index b9c6ff5..5fda02f 100644 --- a/doc/integrity.texi +++ b/doc/integrity.texi @@ -1,19 +1,40 @@ @node Integrity -@cindex Integrity -@cindex Tarball integrity -@cindex PGP -@cindex Public key @section Tarballs integrity check -You @strong{have to} verify downloaded archives integrity and check +You @strong{have to} check downloaded archives integrity and verify their signature to be sure that you have got trusted, untampered software. For integrity and authentication of downloaded binaries @url{https://www.gnupg.org/, The GNU Privacy Guard} is used. You must -download signature (@code{.sig}) provided with the tarball. +download signature (@file{.sig}) provided with the tarball. -For the very first time you need to import signing public keys. They -are provided below, but be sure that you are reading them from the -trusted source. Alternatively check this page from -@ref{Contacts, other sources} and look for the mailing list announcements. +For the very first time you need to import signing public key. It is +provided below, but it is better to check alternative resources with it. -@verbatiminclude pubkey.txt +@verbatim +pub rsa2048/0xF2F59045FFE2F4A1 2015-03-10 + D269 9B73 3C41 2068 D8DA 656E F2F5 9045 FFE2 F4A1 +uid GoVPN releases +@end verbatim + +@itemize + +@item This website @ref{Contacts, alternates} and maillist containing +public key fingerprint. + +@item +@verbatim +% gpg --keyserver hkp://keys.gnupg.net/ --recv-keys 0xF2F59045FFE2F4A1 +% gpg --auto-key-locate dane --locate-keys releases at govpn dot info +% gpg --auto-key-locate wkd --locate-keys releases at govpn dot info +% gpg --auto-key-locate pka --locate-keys releases at govpn dot info +@end verbatim + +@item +@verbatiminclude .well-known/openpgpkey/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc + +@end itemize + +Then you could verify tarballs signature: +@verbatim +% gpg --verify govpn-2.3.tar.xz.sig govpn-2.3.tar.xz +@end verbatim