@node Integrity
+@cindex integrity check
+@cindex authenticity check
+@cindex OpenPGP
+@cindex gpg
+@cindex GnuPG
+@cindex WKD
@section Tarballs integrity check
You @strong{have to} check downloaded archives integrity and verify
their signature to be sure that you have got trusted, untampered
software. For integrity and authentication of downloaded binaries
-@url{https://www.gnupg.org/, The GNU Privacy Guard} is used. You must
-download signature (@file{.sig}) provided with the tarball.
+@url{https://www.gnupg.org/, GNU Privacy Guard} is used. You must
+download signature (@file{.asc}) provided with the tarball.
For the very first time you need to import signing public key. It is
provided below, but it is better to check alternative resources with it.
@itemize
@item
-@verbatim
+@example
$ gpg --auto-key-locate dane --locate-keys releases at nncpgo dot org
-$ gpg --auto-key-locate wkd --locate-keys releases at nncpgo dot org
-@end verbatim
+$ gpg --auto-key-locate wkd --locate-keys releases at nncpgo dot org
+@end example
@item
-@verbatiminclude .well-known/openpgpkey/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc
+@verbatiminclude .well-known/openpgpkey/nncpgo.org/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc
@end itemize
Then you could verify tarballs signature:
-@verbatim
-$ gpg --verify nncp-5.0.0.tar.xz.sig nncp-5.0.0.tar.xz
-@end verbatim
+
+@example
+$ gpg --verify nncp-@value{VERSION}.tar.xz.asc nncp-@value{VERSION}.tar.xz
+@end example