@node Integrity
+@cindex integrity check
+@cindex authenticity check
+@cindex OpenPGP
+@cindex gpg
+@cindex GnuPG
+@cindex WKD
@section Tarballs integrity check
You @strong{have to} check downloaded archives integrity and verify
their signature to be sure that you have got trusted, untampered
software. For integrity and authentication of downloaded binaries
@url{https://www.gnupg.org/, GNU Privacy Guard} is used. You must
-download signature (@file{.sig}) provided with the tarball.
+download signature (@file{.asc}) provided with the tarball.
For the very first time you need to import signing public key. It is
provided below, but it is better to check alternative resources with it.
@item
@example
$ gpg --auto-key-locate dane --locate-keys releases at nncpgo dot org
-$ gpg --auto-key-locate wkd --locate-keys releases at nncpgo dot org
+$ gpg --auto-key-locate wkd --locate-keys releases at nncpgo dot org
@end example
@item
-@verbatiminclude .well-known/openpgpkey/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc
+@verbatiminclude .well-known/openpgpkey/nncpgo.org/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc
@end itemize
Then you could verify tarballs signature:
@example
-$ gpg --verify nncp-@value{VERSION}.tar.xz.sig nncp-@value{VERSION}.tar.xz
+$ gpg --verify nncp-@value{VERSION}.tar.xz.asc nncp-@value{VERSION}.tar.xz
@end example