@section Tarballs integrity check

You @strong{have to} verify the integrity of downloaded archives and check
their signatures to be sure that you have got trusted, untampered
software. For integrity and authentication of downloaded binaries
@url{https://www.gnupg.org/, The GNU Privacy Guard} is used. You must
download the signature (@file{.sig}) provided with the tarball.

The very first time, you need to import the signing public key. It is
provided below, but it is better to cross-check it against alternative sources.
pub rsa2048/0xF2F59045FFE2F4A1 2015-03-10
D269 9B73 3C41 2068 D8DA 656E F2F5 9045 FFE2 F4A1
uid GoVPN releases <releases at govpn dot info>
@item This website's @ref{Contacts, alternates} and the mailing list, which
contain the public key fingerprint.
% gpg --keyserver hkp://keys.gnupg.net/ --recv-keys 0xF2F59045FFE2F4A1
% gpg --auto-key-locate dane --locate-keys releases at govpn dot info
% gpg --auto-key-locate wkd --locate-keys releases at govpn dot info
% gpg --auto-key-locate pka --locate-keys releases at govpn dot info
@verbatiminclude .well-known/openpgpkey/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc
Then you can verify the tarball's signature:

% gpg --verify govpn-2.3.tar.xz.sig govpn-2.3.tar.xz
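
The following script is an added example, not part of the GoVPN documentation. Because gpg --verify reports success for a good signature made by any key in your keyring, it also checks that the signer is the release key whose fingerprint is listed above. The function names status_ok and verify_tarball are hypothetical.

```shell
#!/bin/sh
# Added example: accept a tarball only if its signature is valid AND was
# made by the release key whose fingerprint is published on this page.
PINNED_FPR=D2699B733C412068D8DA656EF2F59045FFE2F4A1

# status_ok FPR: read "gpg --status-fd" output on stdin and succeed only if
# it reports a valid signature from primary key FPR and no failure status.
status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint; fall back to the
            # signing key fingerprint (field 3) if gpg did not print it.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) good = 1; else bad = 1
        }
        # Bad, unverifiable, expired or revoked-key signatures always fail.
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { exit ((good && !bad) ? 0 : 1) }
    '
}

# verify_tarball SIG TARBALL: run gpg and apply the pinned-fingerprint check.
verify_tarball() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_ok "$PINNED_FPR"
}

# When called with two arguments, verify them:
#   sh verify.sh govpn-2.3.tar.xz.sig govpn-2.3.tar.xz
if [ "$#" -eq 2 ]; then
    if verify_tarball "$1" "$2"; then
        echo "OK: $2 is signed by $PINNED_FPR"
    else
        echo "FAILED: $2 is not validly signed by $PINNED_FPR" >&2
        exit 1
    fi
fi
```

The key must already be imported by one of the methods above; the script only decides whether the signer is the expected one.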