1 You @strong{have to} verify downloaded tarballs authenticity to be sure
2 that you retrieved trusted and untampered software. There are two options:
6 @item @url{https://www.openpgp.org/, OpenPGP} @file{.asc} signature
7 Use @url{https://www.gnupg.org/, GNU Privacy Guard} free software
9 For the very first time it is necessary to get signing public key and
10 import it. It is provided @url{PUBKEY-PGP.asc, here}, but you should
11 check alternate resources.
14 pub rsa2048/0xCD5CD01F55343D88 2019-12-08
15 9B27 640B A784 37EC 6D4A CA6C CD5C D01F 5534 3D88
16 uid GoCheese releases <gocheese@cypherpunks.ru>
20 $ gpg --auto-key-locate dane --locate-keys gocheese at cypherpunks dot ru
21 $ gpg --auto-key-locate wkd --locate-keys gocheese at cypherpunks dot ru
24 @item @url{https://www.openssh.com/, OpenSSH} @file{.sig} signature
25 @url{PUBKEY-SSH.pub, Public key} and its OpenPGP
26 @url{PUBKEY-SSH.pub.asc, signature} made with the key above.
27 Its fingerprint: @code{SHA256:Akj/MCtxCjPphrgWub2BeChqHDhLMABTYLL/MzqTN+s}.
30 $ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I gocheese@@cypherpunks.ru -n file \
31 -s gocheese-@value{VERSION}.tar.zst.sig < gocheese-@value{VERSION}.tar.zst