title: Verifying snapshots with signify
date: 2019-01-01
author: Wynn Wolf Arbor
I use the [signify](https://flak.tedunangst.com/post/signify) tool to
cryptographically sign all software downloads you will find on this
site.
Whilst you technically don't need `signify` to verify the _integrity_ of
downloaded files (a plain SHA-256 checksum does that), I strongly recommend
using it to also verify the _signature_: the signature is what ties the
checksum to my key rather than to whoever happened to serve the file. A
portable version of the tool is available
[here](https://github.com/aperezdc/signify).
**Note**: Firefox has a long-standing
[bug](https://bugzilla.mozilla.org/show_bug.cgi?id=610679) when it comes to
downloading content that is already compressed: it transparently decompresses
the file on the way down, so what ends up on disk is no longer the tarball the
checksum was computed over. Tarballs that were downloaded with Firefox will
therefore **fail** verification. Please make sure to use another browser or a
tool like `curl` or `wget` to obtain the tarballs. A quick way to tell the two
apart: a genuine gzip file starts with the two bytes `1f 8b`.
### Obtaining the signature and checksum
Whether or not you decide to use `signify` to verify downloaded files, you need
to obtain the detached signature linked on the respective project page. It is a
signed checksum list in the format `signify -C` expects: a comment line, the
signature itself, and one `SHA256 (file) = hash` line per file.
### Obtaining the public key
To fully verify a download with `signify`, first obtain [my public
key](/release.pub). I keep a copy of the same key on DNS, and you can
cross-check the key you downloaded against that copy:
$ drill TXT releasekey.oriole.systems
Another copy of the key exists on the freenode IRC servers, in my
taxonomy data:
/msg NickServ taxonomy wynn
You may want to keep the public key saved on your system for future
verifications.
### Verification with signify
Once you have downloaded my public key, run the following from the directory
that contains the tarball (the signed checksum list refers to it by name) to
verify your download:
$ signify -C -p release.pub -x <snapshot>.asc
Signature Verified
<snapshot>: OK
### Verification with sha256sum
Alternatively, if you don't want to install `signify`, you can use the
`sha256sum` tool to verify only the integrity of the download (not who published
it). This one-liner assumes the checksum list covers a single file, so that its
last line is the checksum you want:
$ tail -n1 <snapshot>.asc | sha256sum -c
<snapshot>: OK
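The whole procedure above, from the gzip sanity check through the `signify` and
`sha256sum` paths, as an added POSIX shell example. This is not code from the
original page: it constructs its own input files in a temporary directory (a
stand-in tarball that carries only the gzip magic, a text file whose SHA-256 is
known, and a `.asc` whose signature line is a placeholder), so only the
`sha256sum` path can succeed on the constructed data. The function and file
names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): verify a snapshot against a
# signify -C style signed checksum list. Checks the gzip magic first (catches
# the Firefox decompression problem), uses signify when it is installed and
# otherwise falls back to an integrity-only sha256sum check.

# Return 0 if the file starts with the gzip magic bytes 1f 8b. A ".tar.gz"
# that fails this was most likely decompressed by the browser on download.
is_gzip() {
    [ "$(od -A n -t x1 -N 2 "$1" | tr -d ' \n')" = "1f8b" ]
}

# Integrity-only check. signify -C writes BSD-style "SHA256 (file) = hash"
# lines after the comment and signature lines; rewrite them into the
# "hash  file" form that every sha256sum -c understands (GNU coreutils also
# reads the BSD form directly, which is what the tail | sha256sum -c
# one-liner relies on). File names are resolved relative to the cwd.
verify_sha256() {
    sed -n 's/^SHA256 (\(.*\)) = \([0-9a-fA-F]\{64\}\)$/\2  \1/p' "$1" \
        | sha256sum -c >/dev/null 2>&1
}

# Full check. Exit status: 0 verified, 1 failed, 2 not a gzip file.
verify_snapshot() {
    tarball=$1 asc=$2 pubkey=$3
    is_gzip "$tarball" || return 2
    if command -v signify >/dev/null 2>&1; then
        # Authenticity and integrity: -C verifies the signed checksum list
        # and then checks the named file against it.
        signify -C -q -p "$pubkey" -x "$asc" "$tarball"
    else
        verify_sha256 "$asc"
    fi
}

# Build constructed fixtures in a fresh directory and print its path.
# plain.txt has a known SHA-256 (echo hello | sha256sum); snapshot.tar.gz is a
# stand-in carrying only the gzip magic; unpacked.tar mimics a
# Firefox-decompressed download (no gzip magic). The signature line in the
# .asc is a placeholder, not a real signify signature.
make_fixtures() {
    dir=$(mktemp -d) || return 1
    printf 'hello\n' > "$dir/plain.txt"
    printf '\037\213stand-in: gzip magic only, not a real archive\n' > "$dir/snapshot.tar.gz"
    printf 'plain bytes, as Firefox would have saved them\n' > "$dir/unpacked.tar"
    sum=$(sha256sum "$dir/snapshot.tar.gz" | cut -d' ' -f1)
    {
        echo 'untrusted comment: verify with release.pub'
        echo 'RWQplaceholderSignatureNotRealAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        echo 'SHA256 (plain.txt) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03'
        echo "SHA256 (snapshot.tar.gz) = $sum"
    } > "$dir/snapshot.asc"
    echo "$dir"
}

# Walk through the three outcomes: clean verification, tampered file, and a
# download that was decompressed on the way (the Firefox case).
demo() {
    dir=$(make_fixtures) && cd "$dir" || return 1
    verify_sha256 snapshot.asc && echo "snapshot.tar.gz: OK (sha256sum)"
    printf 'x' >> snapshot.tar.gz    # tamper with the download
    verify_sha256 snapshot.asc || echo "snapshot.tar.gz: FAILED after tampering"
    verify_snapshot unpacked.tar snapshot.asc release.pub && rc=0 || rc=$?
    [ "$rc" -eq 2 ] && echo "unpacked.tar: not gzip, re-download with curl or wget"
}

demo
```

`verify_snapshot` only ever consults the public key when `signify` is
installed; on the constructed fixtures the gzip check rejects `unpacked.tar`
before that point, and a real verification would fail on the placeholder
signature line, which is exactly the behaviour you want from a bogus `.asc`.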