From 8e7062cc49810349c52a35b8842cb1c59308d81a Mon Sep 17 00:00:00 2001 From: thunderbiscuit Date: Mon, 26 Sep 2022 09:01:05 -0400 Subject: [PATCH] Add bindings PGP public key and documentation on how to verify signatures --- README.md | 45 ++++++++++++++++++++++++++------------------- 1 file changed, 26 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index de2d928..297d48f 100644 --- a/README.md +++ b/README.md 
@@ -116,34 +116,41 @@ and use the `publishToMavenLocal` task without excluding the signing task: ``` ## Verifying Signatures -Both libraries and all their corresponding artifacts are signed with a PGP key you can find in the root of this repository. To verify the hashes and signatures, go through the following steps: - -1. Import the PGP key in your keyring -2. Download the artifact and its corresponding hash and signature files ([bdk-jvm] and [bdk-android]) -3. Verify the hashes -4. Verify the signature +Both libraries and all their corresponding artifacts are signed with a PGP key you can find in the +root of this repository. To verify the signatures follow the below steps: +1. Import the PGP key in your keyring. ```shell -# 1. Navigate to the root of the repository and import the ./PGP-BDK-BINDINGS.asc public key +# Navigate to the root of the repository and import the ./PGP-BDK-BINDINGS.asc public key gpg --import ./PGP-BDK-BINDINGS.asc -# Alternatively, you can import it directly from a public key server + +# Alternatively, you can import the key directly from a public key server gpg --keyserver keyserver.ubuntu.com --receive-key 2768C43E8803C6A3 + # Verify that the correct key was imported gpg --list-keys -# ------------------------------ -# pub ed25519 2022-08-31 [SC] -# 88AD93AC4589FD090FF3B8D12768C43E8803C6A3 -# uid [ unknown] bitcoindevkit-bindings -# sub cv25519 2022-08-31 [E] +# You should see the below output +pub ed25519 2022-08-31 [SC] + 88AD93AC4589FD090FF3B8D12768C43E8803C6A3 +uid [ unknown] bitcoindevkit-bindings +sub cv25519 2022-08-31 [E] +``` -# 2. Add files and their corresponding signature and hash files in the same directory -# e.g. bdk-jvm-0.9.0.jar, bdk-jvm-0.9.0.jar.asc, bdk-jvm-0.9.0.jar.sha256 +2. Download the binary artifacts and corresponding signature files. +- from [bdk-jvm] + - `bdk-jvm-.jar` + - `bdk-jvm-.jar.asc` +- from [bdk-android] + - `bdk-android-.aar` + - `bdk-android-.aar.asc` -# 3. 
Verify that the hashes are the same -shasum --algorithm 256 bdk-android-0.9.0.aar && cat bdk-android-0.9.0.aar.sha256 +3. Verify the signatures. +```shell +gpg --verify bdk-jvm-.jar.asc +gpg --verify bdk-android-.aar.asc -# 4. Verify the signature -gpg --verify bdk-android-0.9.0.module.asc +# you should see a "Good signature" result +gpg: Good signature from "bitcoindevkit-bindings " [unknown] ``` ### PGP Metadata
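Review bot: in the new step 3 the only success criterion given is a "Good signature" line, but gpg prints that for a signature from any key in the keyring, so the step should also tell readers to compare the `Primary key fingerprint:` line that `gpg --verify` prints against `88AD93AC4589FD090FF3B8D12768C43E8803C6A3` shown in step 1, and say that the `[unknown]` trust marker is expected because the key is not certified locally. Two smaller points on the same hunk: the removed comment that the artifact and its `.asc` file must sit in the same directory is worth keeping, since `gpg --verify bdk-jvm-.jar.asc` locates the data file only by stripping the `.asc` suffix; and the artifact names render as `bdk-jvm-.jar` with nothing between the dash and the extension, so if a version placeholder was written in angle brackets it is being swallowed by Markdown and should be spelled out in backticks instead. For the keyserver path, `--receive-key` with the full fingerprint rather than the 16-character key ID `2768C43E8803C6A3` would also be the safer instruction.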