X-Git-Url: http://www.git.cypherpunks.ru/?a=blobdiff_plain;f=doc%2Fintegrity.texi;h=b9bc1a1e60910a76ae8675f65e5176ca6e5635b5;hb=d7ff911413b29e9ba6afb4b8e86116c4ff46ff17;hp=01badc5e008af03bf8eb4c866aeb73f2d5e4cd15;hpb=e4a24ef2859f8bf6c354e66236a7c279ae02b385;p=govpn.git diff --git a/doc/integrity.texi b/doc/integrity.texi index 01badc5..b9bc1a1 100644 --- a/doc/integrity.texi +++ b/doc/integrity.texi @@ -1,15 +1,40 @@ -@node Tarballs integrity check +@node Integrity @section Tarballs integrity check You @strong{have to} verify downloaded archives integrity and check their signature to be sure that you have got trusted, untampered software. For integrity and authentication of downloaded binaries @url{https://www.gnupg.org/, The GNU Privacy Guard} is used. You must -download signature provided with the tarball. +download signature (@file{.sig}) provided with the tarball. -For the very first time you need to import signing public keys. They -are provided below, but be sure that you are reading them from the -trusted source. Alternatively check this page from -@ref{Contacts, other sources} and look for the mailing list announcements. +For the very first time you need to import signing public key. It is +provided below, but it is better to check alternative resources with it. -@include pubkey.texi +@verbatim +pub rsa2048/0xF2F59045FFE2F4A1 2015-03-10 + D269 9B73 3C41 2068 D8DA 656E F2F5 9045 FFE2 F4A1 +uid GoVPN releases +@end verbatim + +@itemize + +@item This website @ref{Contacts, alternates} and maillist containing +public key fingerprint. + +@item +@verbatim +% gpg --keyserver hkp://keys.gnupg.net/ --recv-keys 0xF2F59045FFE2F4A1 +% gpg --auto-key-locate dane --locate-keys releases at govpn dot info +% gpg --auto-key-locate wkd --locate-keys releases at govpn dot info +% gpg --auto-key-locate pka --locate-keys releases at govpn dot info +@end verbatim + +@item +@verbatiminclude .well-known/openpgpkey/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc + +@end itemize + +Then you could verify tarballs signature: +@verbatim +% gpg --verify govpn-2.3.tar.xz.sig govpn-2.3.tar.xz +@end verbatim