X-Git-Url: http://www.git.cypherpunks.ru/?a=blobdiff_plain;f=doc%2Fintegrity.texi;h=5fda02f4ee259939ae6b7bc8f75aba38bc548546;hb=346f641667bec0ff10a8c1c6986bdd82b2286704;hp=01badc5e008af03bf8eb4c866aeb73f2d5e4cd15;hpb=facdacb23b4544ac07ad5fc153c82bfed505fee2;p=govpn.git diff --git a/doc/integrity.texi b/doc/integrity.texi index 01badc5..5fda02f 100644 --- a/doc/integrity.texi +++ b/doc/integrity.texi @@ -1,15 +1,40 @@ -@node Tarballs integrity check +@node Integrity @section Tarballs integrity check -You @strong{have to} verify downloaded archives integrity and check +You @strong{have to} check downloaded archives integrity and verify their signature to be sure that you have got trusted, untampered software. For integrity and authentication of downloaded binaries @url{https://www.gnupg.org/, The GNU Privacy Guard} is used. You must -download signature provided with the tarball. +download signature (@file{.sig}) provided with the tarball. -For the very first time you need to import signing public keys. They -are provided below, but be sure that you are reading them from the -trusted source. Alternatively check this page from -@ref{Contacts, other sources} and look for the mailing list announcements. +For the very first time you need to import signing public key. It is +provided below, but it is better to check alternative resources with it. -@include pubkey.texi +@verbatim +pub rsa2048/0xF2F59045FFE2F4A1 2015-03-10 + D269 9B73 3C41 2068 D8DA 656E F2F5 9045 FFE2 F4A1 +uid GoVPN releases +@end verbatim + +@itemize + +@item This website @ref{Contacts, alternates} and maillist containing +public key fingerprint. + +@item +@verbatim +% gpg --keyserver hkp://keys.gnupg.net/ --recv-keys 0xF2F59045FFE2F4A1 +% gpg --auto-key-locate dane --locate-keys releases at govpn dot info +% gpg --auto-key-locate wkd --locate-keys releases at govpn dot info +% gpg --auto-key-locate pka --locate-keys releases at govpn dot info +@end verbatim + +@item +@verbatiminclude .well-known/openpgpkey/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc + +@end itemize + +Then you could verify tarballs signature: +@verbatim +% gpg --verify govpn-2.3.tar.xz.sig govpn-2.3.tar.xz +@end verbatim