X-Git-Url: http://www.git.cypherpunks.ru/?a=blobdiff_plain;f=doc%2Fintegrity.texi;h=5fda02f4ee259939ae6b7bc8f75aba38bc548546;hb=346f641667bec0ff10a8c1c6986bdd82b2286704;hp=ccbb5c875da28c9e666790adfce6e2bead579cca;hpb=4c6c6bbbafa14749541538dde68a21b7a23e787a;p=govpn.git diff --git a/doc/integrity.texi b/doc/integrity.texi index ccbb5c8..5fda02f 100644 --- a/doc/integrity.texi +++ b/doc/integrity.texi @@ -1,15 +1,40 @@ @node Integrity @section Tarballs integrity check -You @strong{have to} verify downloaded archives integrity and check +You @strong{have to} check downloaded archives integrity and verify their signature to be sure that you have got trusted, untampered software. For integrity and authentication of downloaded binaries @url{https://www.gnupg.org/, The GNU Privacy Guard} is used. You must -download signature (@code{.sig}) provided with the tarball. +download signature (@file{.sig}) provided with the tarball. -For the very first time you need to import signing public keys. They -are provided below, but be sure that you are reading them from the -trusted source. Alternatively check this page from -@ref{Contacts, other sources} and look for the mailing list announcements. +For the very first time you need to import signing public key. It is +provided below, but it is better to check alternative resources with it. -@verbatiminclude pubkey.txt +@verbatim +pub rsa2048/0xF2F59045FFE2F4A1 2015-03-10 + D269 9B73 3C41 2068 D8DA 656E F2F5 9045 FFE2 F4A1 +uid GoVPN releases +@end verbatim + +@itemize + +@item This website @ref{Contacts, alternates} and maillist containing +public key fingerprint. + +@item +@verbatim +% gpg --keyserver hkp://keys.gnupg.net/ --recv-keys 0xF2F59045FFE2F4A1 +% gpg --auto-key-locate dane --locate-keys releases at govpn dot info +% gpg --auto-key-locate wkd --locate-keys releases at govpn dot info +% gpg --auto-key-locate pka --locate-keys releases at govpn dot info +@end verbatim + +@item +@verbatiminclude .well-known/openpgpkey/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc + +@end itemize + +Then you could verify tarballs signature: +@verbatim +% gpg --verify govpn-2.3.tar.xz.sig govpn-2.3.tar.xz +@end verbatim