Skip to content

Verifying Releases

Chris Dunlap edited this page Dec 6, 2016 · 4 revisions

Releases are signed with a GPG key. This key can be imported from the top-level KEYS file:

$ gpg --import KEYS
gpg: key 30DE0871: public key "Chris Dunlap <chris.m.dunlap@gmail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found

Alternatively, this key can be imported from a keyserver:

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 0x3B7ECB2B30DE0871
gpg: requesting key 30DE0871 from hkp server keys.gnupg.net
gpg: key 30DE0871: public key "Chris Dunlap <chris.m.dunlap@gmail.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

To validate the authenticity of the key, check that it has a matching fingerprint. It should match the key fingerprint listed below:

$ gpg --fingerprint 0x3B7ECB2B30DE0871
pub   4096R/30DE0871 2011-10-01
      Key fingerprint = A441 880C 3D4C 7C36 C5DD  41E1 3B7E CB2B 30DE 0871
uid                  Chris Dunlap <chris.m.dunlap@gmail.com>
uid                  Chris Dunlap <cdunlap@llnl.gov>
uid                  Chris Dunlap <dun@imsa.edu>
sub   4096R/ECA74B8A 2011-10-01

The Git tag for a release is signed with this GPG key. The GitHub release page will display a badge indicating whether this signature could be verified. This signature can also be verified with Git:

$ git tag --verify conman-0.2.8

A release consists of a compressed tarball, a detached GPG signature, and a cryptographic checksum:

conman-0.2.8.tar.xz
conman-0.2.8.tar.xz.asc
conman-0.2.8.tar.xz.sha512

The GPG signature file has the same name as the tarball file followed by the extension ".asc". It allows you to verify both the authenticity and integrity of the tarball. This ensures that the tarball has not been altered by an untrusted entity, and that it has been downloaded and stored correctly without errors:

$ gpg --verify conman-0.2.8.tar.xz.asc conman-0.2.8.tar.xz  
gpg: Signature made Tue Nov 22 14:08:39 2016 PST using RSA key ID 30DE0871
gpg: Good signature from "Chris Dunlap <chris.m.dunlap@gmail.com>"
gpg:                 aka "Chris Dunlap <cdunlap@llnl.gov>"
gpg:                 aka "Chris Dunlap <dun@imsa.edu>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A441 880C 3D4C 7C36 C5DD  41E1 3B7E CB2B 30DE 0871

The checksum file has the same name as the tarball file followed by the extension ".sha512". This contains a checksum generated by the SHA-512 cryptographic hash function. It allows you to verify only the integrity of the tarball. This ensures that the tarball has been downloaded and stored correctly without errors, but does not provide any guarantee of authenticity:

$ sha512sum --check conman-0.2.8.tar.xz.sha512
conman-0.2.8.tar.xz: OK
Clone this wiki locally