X-Git-Url: http://www.git.cypherpunks.ru/?a=blobdiff_plain;f=doc%2Fintegrity.texi;h=f09b5e8ad4c516efb7635b1b5ce6dc8f7b9c6e2f;hb=ade6054289e93233cf8cb9cb919d28d0220a0137;hp=2c2ccb5803383faaa80fdd261914db559875338d;hpb=8f43a18b96b1fb5678d5e1e9ca13f99b734694ef;p=nncp.git diff --git a/doc/integrity.texi b/doc/integrity.texi index 2c2ccb5..f09b5e8 100644 --- a/doc/integrity.texi +++ b/doc/integrity.texi @@ -1,14 +1,24 @@ @node Integrity +@cindex integrity check +@cindex authenticity check +@cindex OpenPGP +@cindex gpg +@cindex GnuPG +@cindex WKD +@cindex OpenSSH @section Tarballs integrity check -You @strong{have to} check downloaded archives integrity and verify -their signature to be sure that you have got trusted, untampered -software. For integrity and authentication of downloaded binaries -@url{https://www.gnupg.org/, The GNU Privacy Guard} is used. You must -download signature (@file{.sig}) provided with the tarball. +You @strong{have to} verify downloaded tarballs authenticity to be sure +that you retrieved trusted and untampered software. There are two options: -For the very first time you need to import signing public key. It is -provided below, but it is better to check alternative resources with it. +@table @asis + +@item @url{https://www.openpgp.org/, OpenPGP} @file{.asc} signature + Use @url{https://www.gnupg.org/, GNU Privacy Guard} free software + implementation. + For the very first time it is necessary to get signing public key and + import it. It is provided @url{.well-known/openpgpkey/nncpgo.org/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc, here}, but you should + check alternate resources. @verbatim pub rsa2048/0x2B25868E75A1A953 2017-01-10 
@@ -16,20 +26,19 @@ pub rsa2048/0x2B25868E75A1A953 2017-01-10 uid NNCP releases @end verbatim -@itemize - -@item -@verbatim +@example $ gpg --auto-key-locate dane --locate-keys releases at nncpgo dot org -$ gpg --auto-key-locate wkd --locate-keys releases at nncpgo dot org -@end verbatim +$ gpg --auto-key-locate wkd --locate-keys releases at nncpgo dot org +@end example -@item -@verbatiminclude .well-known/openpgpkey/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc +@item @url{https://www.openssh.com/, OpenSSH} @file{.sig} signature + @url{PUBKEY-SSH.pub, Public key} and its OpenPGP + @url{PUBKEY-SSH.pub.asc, signature} made with the key above. + Its fingerprint: @code{SHA256:FRiWawVNBkyS3jFn8uZ/JlT+PWKSFbhWe5XSixp1+SY}. -@end itemize +@example +$ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I releases@@nncpgo.org -n file \ + -s nncp-@value{VERSION}.tar.zst.sig < nncp-@value{VERSION}.tar.zst +@end example -Then you could verify tarballs signature: -@verbatim -$ gpg --verify nncp-5.1.1.tar.xz.sig nncp-5.1.1.tar.xz -@end verbatim +@end table
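Review bot: In the first hunk the new key link points at `.well-known/openpgpkey/nncpgo.org/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc`, while the `@verbatiminclude` removed in the second hunk read the same key from `.well-known/openpgpkey/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc` (no `nncpgo.org/` path component). One of the two paths is wrong for where the key actually lives in the tree; please reconcile them, otherwise readers of the rendered manual get a dead link for the primary key source and are left with only the `--auto-key-locate` lookups, which is exactly the case where the text tells them to "check alternate resources".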
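Review bot: The second hunk drops the `gpg --verify` invocation without replacing it, so the OpenPGP option now describes how to obtain the key but never shows the verification step, while the OpenSSH option gets a complete `ssh-keygen -Y verify` line; add the matching command, e.g. `$ gpg --verify nncp-@value{VERSION}.tar.zst.asc nncp-@value{VERSION}.tar.zst`, using the same `@value{VERSION}` substitution as the new example. For the `ssh-keygen -Y verify -f PUBKEY-SSH.pub` line, note that `-f` expects an allowed_signers file (lines of `principal key-type base64-key`), not a plain public key file; since the name ends in `.pub`, please confirm that the file is written in allowed_signers form with `releases@nncpgo.org` as the principal matching `-I`, or document how to build that file from the public key, because a bare `.pub` file will not be accepted.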