blob: 2df68120a5874f239ce109480af7c9c03ed3f3e1 (
plain) (
tree)
|
|
title: Verifying snapshots with signify
date: 2019-01-01
author: Wolfgang Müller
I use the [signify](https://flak.tedunangst.com/post/signify) tool to
cryptographically sign all software downloads you will find on this
site and on [git.oriole.systems](https://git.oriole.systems).
Whilst you technically don't need `signify` to verify the _integrity_ of
downloaded files, I strongly recommend using it to also verify the
_signature_. A portable version of the tool is available
[here](https://github.com/aperezdc/signify).
### Using my personal overlay
If you happen to use Gentoo, feel free to use my [personal
overlay](https://git.oriole.systems/pramantha). You only need to enable the
`verify-sig` USE flag to verify the downloaded tarballs.
### Obtaining the signature and checksum
Whether or not you decide to use `signify` to verify downloaded files, you need
to obtain the detached signature linked on the respective project page or git
repository[^1]. It contains the signature as well as the checksum.
### Obtaining the public key
To fully verify a download with `signify`, first obtain [my public
key](/release.pub). I keep a copy of the same key on DNS, feel free to
verify it therewith:
$ drill TXT releasekey.oriole.systems
Another copy of the key exists on the [Libera Chat](https://libera.chat) IRC
servers, in my taxonomy data:
/msg NickServ taxonomy wolf
You may want to keep the public key saved on your system for future
verifications.
### Verification with signify
Once you have downloaded my public key, run the following to verify your
download:
$ signify -C -p release.pub -x <snapshot>.asc
Signature Verified
<snapshot>: OK
### Verification with sha256sum
Alternatively, if you don't want to install `signify`, you can use
the `sha256sum` tool to only verify the integrity of the download:
$ tail -n1 <snapshot>.asc | sha256sum -c
<snapshot>: OK
### Verification of the corresponding commit
Every tarball hosted here contains its corresponding commit ID in the global
extended pax header[^2]. Therefore, if a tarball is signed, it may be used to verify
a commit and all of its ancestors.
To do so, place the tarball in the cloned git repository first. If you already
have the detached signature, you may verify the tarball normally like shown
above. Otherwise, you can fetch the signatures directly from the repository:
$ git fetch origin refs/notes/signatures/tar.gz:refs/notes/signatures/tar.gz
Now you can verify the tarball like so:
$ git notes --ref=signatures/tar.gz show <version> | signify -Cp release.pub -x -
Signature Verified
<snapshot>: OK
Once verified, you can extract the commit using
[`git-get-tar-commit-id(1)`](https://git-scm.com/docs/git-get-tar-commit-id) and
show it:
$ gzip -d -c <snapshot> | git get-tar-commit-id | xargs git show
[^1]: If you are interested in how this is put together, check out [this](signify-cgit) post.
[^2]: [`git-archive(1)`](https://git-scm.com/docs/git-archive#_description) puts
it there.
|