@node Integrity
@section Tarballs integrity check

You @strong{have to} check downloaded archives integrity and verify
their signature to be sure that you have got trusted, untampered
software. For integrity and authentication of downloaded binaries
@url{https://www.gnupg.org/, The GNU Privacy Guard} is used. You must
download signature (@file{.sig}) provided with the tarball.

For the very first time you need to import signing public key. It is
provided below, but it is better to check alternative resources with it.

@verbatim
pub   rsa2048/0xF2F59045FFE2F4A1 2015-03-10
      D269 9B73 3C41 2068 D8DA  656E F2F5 9045 FFE2 F4A1
uid   GoVPN releases <releases at govpn dot info>
@end verbatim

@itemize

@item This website @ref{Contacts, alternates} and maillist containing
public key fingerprint.

@item
@verbatim
% gpg --keyserver hkp://keys.gnupg.net/ --recv-keys 0xF2F59045FFE2F4A1
% gpg --auto-key-locate dane --locate-keys releases at govpn dot info
% gpg --auto-key-locate wkd --locate-keys releases at govpn dot info
% gpg --auto-key-locate pka --locate-keys releases at govpn dot info
@end verbatim

@item
@verbatiminclude .well-known/openpgpkey/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc

@end itemize

Then you could verify tarballs signature:
@verbatim
% gpg --verify govpn-2.3.tar.xz.sig govpn-2.3.tar.xz
@end verbatim