summaryrefslogblamecommitdiffstatshomepage
path: root/posts/verify-with-signify.md
blob: 5103cccee64339df027ce34b50e8dd8f7241aa8d (plain) (tree) 
4fe23d9


1ed1add

4fe23d9



34012d4

4fe23d9






3297e6f






4fe23d9


751da2c

34012d4


4fe23d9









7d3a8b4


4fe23d9

416fc9f

4fe23d9









751da2c

4fe23d9








751da2c

4fe23d9

34012d4


1
2

3

4
5
6

7

8
9
10
11
12
13

14
15
16
17
18
19

20
21

22

23
24

25
26
27
28
29
30
31
32
33

34
35

36

37

38
39
40
41
42
43
44
45
46

47

48
49
50
51
52
53
54
55

56

57

58
59


                                       
                       


                                                                     
                                                             





                                                                        





                                                                              

                                        
                                                                               

                                                                             








                                                                       

                                                                            
 
                                   








                                                                        
                                                     







                                                                  
                                                
                      

                                                                                             
title: Verifying snapshots with signify
date: 2019-01-01
author: Wynn Wolf Arbor

I use the [signify](https://flak.tedunangst.com/post/signify) tool to
cryptographically sign all software downloads you will find on this
site and on [git.oriole.systems](https://git.oriole.systems).

Whilst you technically don't need `signify` to verify the _integrity_ of
downloaded files, I strongly recommend using it to also verify the
_signature_.  A portable version of the tool is available
[here](https://github.com/aperezdc/signify).

**Note**: Firefox is
[bugged](https://bugzilla.mozilla.org/show_bug.cgi?id=610679) when it comes to
downloading content that is already compressed. Tarballs that were downloaded
with Firefox will **fail** verification. Please make sure to use another
browser or a tool like `curl` or `wget` to obtain the tarballs.

### Obtaining the signature and checksum

Whether or not you decide to use `signify` to verify downloaded files, you need
to obtain the detached signature linked on the respective project page or git
repository[^1]. It contains the signature as well as the checksum.

### Obtaining the public key

To fully verify a download with `signify`, first obtain [my public
key](/release.pub).  I keep a copy of the same key on DNS, feel free to
verify it therewith:

	$ drill TXT releasekey.oriole.systems

Another copy of the key exists on the [Libera.Chat](https://libera.chat) IRC
servers, in my taxonomy data:

	/msg NickServ taxonomy wynn

You may want to keep the public key saved on your system for future
verifications.

### Verification with signify

Once you have downloaded my public key, run the following to verify your
download:

	$ signify -C -p release.pub -x <snapshot>.asc
	Signature Verified
	<snapshot>: OK

### Verification with sha256sum

Alternatively, if you don't want to install `signify`, you can use
the `sha256sum` tool to only verify the integrity of the download:

	$ tail -n1 <snapshot>.asc | sha256sum -c
	<snapshot>: OK

[^1]: If you are interested in how this is put together, check out [this](signify-cgit) post.
powered by cgit and git | oriole.systems | how to verify signatures