]> Cypherpunks.ru repositories - nncp.git/blobdiff - doc/integrity.texi
projects / nncp.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge branch 'develop'
[nncp.git] / doc / integrity.texi
diff --git a/doc/integrity.texi b/doc/integrity.texi
index 174c27c6c458534a812cfbd44ced148b6d63f49e..f09b5e8ad4c516efb7635b1b5ce6dc8f7b9c6e2f 100644 (file)
--- a/doc/integrity.texi
+++ b/doc/integrity.texi
@@ -1,14 +1,24 @@
 @node Integrity
+@cindex integrity check
+@cindex authenticity check
+@cindex OpenPGP
+@cindex gpg
+@cindex GnuPG
+@cindex WKD
+@cindex OpenSSH
 @section Tarballs integrity check
 
-You @strong{have to} check downloaded archives integrity and verify
-their signature to be sure that you have got trusted, untampered
-software. For integrity and authentication of downloaded binaries
-@url{https://www.gnupg.org/, The GNU Privacy Guard} is used. You must
-download signature (@file{.sig}) provided with the tarball.
+You @strong{have to} verify downloaded tarballs authenticity to be sure
+that you retrieved trusted and untampered software. There are two options:
 
-For the very first time you need to import signing public key. It is
-provided below, but it is better to check alternative resources with it.
+@table @asis
+
+@item @url{https://www.openpgp.org/, OpenPGP} @file{.asc} signature
+    Use @url{https://www.gnupg.org/, GNU Privacy Guard} free software
+    implementation.
+    For the very first time it is necessary to get signing public key and
+    import it. It is provided @url{.well-known/openpgpkey/nncpgo.org/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc, here}, but you should
+    check alternate resources.
 
 @verbatim
 pub   rsa2048/0x2B25868E75A1A953 2017-01-10
@@ -16,22 +26,19 @@ pub   rsa2048/0x2B25868E75A1A953 2017-01-10
 uid   NNCP releases <releases at nncpgo dot org>
 @end verbatim
 
-@itemize
-
-@item
-@verbatim
-% gpg --keyserver hkp://keys.gnupg.net/ --recv-keys 0x2B25868E75A1A953
-% gpg --auto-key-locate dane --locate-keys releases at nncpgo dot org
-% gpg --auto-key-locate wkd --locate-keys releases at nncpgo dot org
-% gpg --auto-key-locate pka --locate-keys releases at nncpgo dot org
-@end verbatim
+@example
+$ gpg --auto-key-locate dane --locate-keys releases at nncpgo dot org
+$ gpg --auto-key-locate  wkd --locate-keys releases at nncpgo dot org
+@end example
 
-@item
-@verbatiminclude .well-known/openpgpkey/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc
+@item @url{https://www.openssh.com/, OpenSSH} @file{.sig} signature
+    @url{PUBKEY-SSH.pub, Public key} and its OpenPGP
+    @url{PUBKEY-SSH.pub.asc, signature} made with the key above.
+    Its fingerprint: @code{SHA256:FRiWawVNBkyS3jFn8uZ/JlT+PWKSFbhWe5XSixp1+SY}.
 
-@end itemize
+@example
+$ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I releases@@nncpgo.org -n file \
+    -s nncp-@value{VERSION}.tar.zst.sig < nncp-@value{VERSION}.tar.zst
+@end example
 
-Then you could verify tarballs signature:
-@verbatim
-% gpg --verify nncp-3.0.tar.xz.sig nncp-3.0.tar.xz
-@end verbatim
+@end table
Node to Node copy