Add bindings PGP public key and documentation on how to verify signat…

…ures
bitcoindevkit · Sep 26, 2022 · 8e7062c · 8e7062c
1 parent 8f72685
commit 8e7062c
Showing 1 changed file with 26 additions and 19 deletions.
diff --git a/README.md b/README.md
@@ -116,34 +116,41 @@ and use the `publishToMavenLocal` task without excluding the signing task:
 ```
 
 ## Verifying Signatures
-Both libraries and all their corresponding artifacts are signed with a PGP key you can find in the root of this repository. To verify the hashes and signatures, go through the following steps:
-
-1. Import the PGP key in your keyring
-2. Download the artifact and its corresponding hash and signature files ([bdk-jvm] and [bdk-android])
-3. Verify the hashes
-4. Verify the signature
+Both libraries and all their corresponding artifacts are signed with a PGP key you can find in the
+root of this repository. To verify the signatures follow the below steps:
 
+1. Import the PGP key in your keyring.
 ```shell
-# 1. Navigate to the root of the repository and import the ./PGP-BDK-BINDINGS.asc public key
+# Navigate to the root of the repository and import the ./PGP-BDK-BINDINGS.asc public key
 gpg --import ./PGP-BDK-BINDINGS.asc
-# Alternatively, you can import it directly from a public key server
+
+# Alternatively, you can import the key directly from a public key server
 gpg --keyserver keyserver.ubuntu.com --receive-key 2768C43E8803C6A3
+
 # Verify that the correct key was imported
 gpg --list-keys
-# ------------------------------
-# pub   ed25519 2022-08-31 [SC]
-#       88AD93AC4589FD090FF3B8D12768C43E8803C6A3
-# uid           [ unknown] bitcoindevkit-bindings <bindings@bitcoindevkit.org>
-# sub   cv25519 2022-08-31 [E]
+# You should see the below output
+pub   ed25519 2022-08-31 [SC]
+    88AD93AC4589FD090FF3B8D12768C43E8803C6A3
+uid           [ unknown] bitcoindevkit-bindings <bindings@bitcoindevkit.org>
+sub   cv25519 2022-08-31 [E]
+```
 
-# 2. Add files and their corresponding signature and hash files in the same directory
-# e.g. bdk-jvm-0.9.0.jar, bdk-jvm-0.9.0.jar.asc, bdk-jvm-0.9.0.jar.sha256
+2. Download the binary artifacts and corresponding signature files.
+- from [bdk-jvm]
+   - `bdk-jvm-<version>.jar`
+   - `bdk-jvm-<version>.jar.asc`
+- from [bdk-android]
+   - `bdk-android-<version>.aar`
+   - `bdk-android-<version>.aar.asc`
 
-# 3. Verify that the hashes are the same
-shasum --algorithm 256 bdk-android-0.9.0.aar && cat bdk-android-0.9.0.aar.sha256
+3. Verify the signatures.
+```shell
+gpg --verify bdk-jvm-<version>.jar.asc 
+gpg --verify bdk-android-<version>.aar.asc
 
-# 4. Verify the signature
-gpg --verify bdk-android-0.9.0.module.asc
+# you should see a "Good signature" result
+gpg: Good signature from "bitcoindevkit-bindings <bindings@bitcoindevkit.org>" [unknown]
 ```
 
 ### PGP Metadata