@node Integrity
+@cindex integrity check
+@cindex authenticity check
+@cindex OpenPGP
+@cindex gpg
+@cindex GnuPG
+@cindex WKD
@section Tarballs integrity check
You @strong{have to} check downloaded archives integrity and verify
their signature to be sure that you have got trusted, untampered
software. For integrity and authentication of downloaded binaries
-@url{https://www.gnupg.org/, The GNU Privacy Guard} is used. You must
+@url{https://www.gnupg.org/, GNU Privacy Guard} is used. You must
download signature (@file{.sig}) provided with the tarball.
For the very first time you need to import signing public key. It is
@itemize
@item
-@verbatim
-% gpg --auto-key-locate dane --locate-keys releases at nncpgo dot org
-% gpg --auto-key-locate wkd --locate-keys releases at nncpgo dot org
-@end verbatim
+@example
+$ gpg --auto-key-locate dane --locate-keys releases at nncpgo dot org
+$ gpg --auto-key-locate wkd --locate-keys releases at nncpgo dot org
+@end example
@item
-@verbatiminclude .well-known/openpgpkey/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc
+@verbatiminclude .well-known/openpgpkey/nncpgo.org/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc
@end itemize
Then you could verify tarballs signature:
-@verbatim
-% gpg --verify nncp-3.1.tar.xz.sig nncp-3.1.tar.xz
-@end verbatim
+
+@example
+$ gpg --verify nncp-@value{VERSION}.tar.xz.sig nncp-@value{VERSION}.tar.xz
+@end example