@section Tarballs integrity check

You @strong{have to} check the integrity of downloaded archives and
verify their signatures to be sure that you have got trusted, untampered
software. @url{https://www.gnupg.org/, The GNU Privacy Guard} is used
for integrity and authentication of downloaded binaries. You must
download the signature (@file{.sig}) provided with the tarball.

The very first time, you need to import the signing public key. It is
provided below, but it is better to check it against alternative
sources.

@verbatim
pub   rsa2048/0x2B25868E75A1A953 2017-01-10
      92C2 F0AE FE73 208E 46BF  F3DE 2B25 868E 75A1 A953
uid   NNCP releases <releases at nncpgo dot org>
@end verbatim

@itemize
@item This website's @ref{Contacts, alternates} and the mailing list
containing the public key fingerprint.
@end itemize

@verbatim
% gpg --keyserver hkp://keys.gnupg.net/ --recv-keys 0x2B25868E75A1A953
% gpg --auto-key-locate dane --locate-keys releases at nncpgo dot org
% gpg --auto-key-locate wkd --locate-keys releases at nncpgo dot org
% gpg --auto-key-locate pka --locate-keys releases at nncpgo dot org
@end verbatim

@verbatiminclude .well-known/openpgpkey/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc

Then you can verify the tarball's signature:

@verbatim
% gpg --verify nncp-0.1.tar.xz.sig nncp-0.1.tar.xz
@end verbatim
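
A plain @code{gpg --verify} reports a good signature for any key in your keyring, so a script should also confirm that the signature was made by the release key pinned above. The following is an added example, not part of NNCP: the function and variable names are hypothetical, and the sample status lines are constructed (their dates and the second key are invented).

```sh
#!/bin/sh
# Added example: names below are hypothetical, not part of NNCP.
# Fingerprint exactly as printed on this page, with the spaces stripped.
NNCP_FPR=$(printf '%s' '92C2 F0AE FE73 208E 46BF F3DE 2B25 868E 75A1 A953' | tr -d ' ')

# Reads gpg --status-fd output on stdin. Succeeds only when a VALIDSIG line
# names the pinned fingerprint and no failure status was reported.
check_status() {
    awk -v want="$NNCP_FPR" '
        $1 != "[GNUPG:]" { next }
        # VALIDSIG: field 3 is the signing key fingerprint, the last field
        # is the primary key fingerprint (differs when a subkey signed).
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# $1 = detached signature, $2 = tarball
verify_tarball() {
    gpg --status-fd 1 --verify "$1" "$2" | check_status
}

# Constructed status output for illustration (dates and timestamps invented).
SAMPLE_PINNED="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2B25868E75A1A953 NNCP releases
[GNUPG:] VALIDSIG $NNCP_FPR 2017-01-10 1484006400 0 4 0 1 8 00 $NNCP_FPR"
# A good signature, but made by some other key in the keyring (constructed).
SAMPLE_OTHER="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2017-01-10 1484006400 0 4 0 1 8 00 0000111122223333444455556666777788889999"

# Usage: verify_tarball nncp-0.1.tar.xz.sig nncp-0.1.tar.xz && echo trusted
```

The check is only as strong as the pinned fingerprint, so compare it against the alternative sources listed above before relying on it.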