author | Wolfgang Müller | 2019-07-21 21:09:36 +0200 |
---|---|---|
committer | Wolfgang Müller | 2019-07-21 21:09:36 +0200 |
commit | 4fe23d93c4f39b08f5bc4320af37ba109e618295 (patch) | |
tree | 5fd739e5189f68bb6ea9f5edc60aa68325adfe44 /posts/verify-with-signify.md | |
download | site-4fe23d93c4f39b08f5bc4320af37ba109e618295.tar.gz |
Initial import
Diffstat (limited to '')
-rw-r--r-- | posts/verify-with-signify.md | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/posts/verify-with-signify.md b/posts/verify-with-signify.md new file mode 100644 index 0000000..8853554 --- /dev/null +++ b/posts/verify-with-signify.md @@ -0,0 +1,51 @@ +title: Verifying snapshots with signify +date: 2019-01-01 +author: Wolfgang Müller + +I use the [signify](https://flak.tedunangst.com/post/signify) tool to +cryptographically sign all software downloads you will find on this +site. + +Whilst you technically don't need `signify` to verify the _integrity_ of +downloaded files, I strongly recommend using it to also verify the +_signature_. A portable version of the tool is available +[here](https://github.com/aperezdc/signify). + +### Obtaining the signature and checksum + +If you decide to use `signify` to verify downloaded files, you need to obtain +the detached signature linked on the respective project page and the public +release key (see below). Otherwise, you only need to fetch the checksum. + +### Obtaining the public key + +To fully verify a download with `signify`, first obtain [my public +key](/release.pub). I keep a copy of the same key on DNS, feel free to +verify it therewith: + + $ drill TXT releasekey.oriole.systems + +Another copy of the key exists on the freenode IRC servers, in my +taxonomy data: + + /msg NickServ taxonomy vehk + +You may want to keep the public key saved on your system for future +verifications. + +### Verification with signify + +Once you have downloaded my public key, run the following to verify your +download: + + $ signify -C -p release.pub -x <snapshot>.SHA256.sig + Signature Verified + <snapshot>: OK + +### Verification with sha256sum + +Alternatively, if you don't want to install `signify`, you can use +the `sha256sum` tool to only verify the integrity of the download: + + $ sha256sum -c <snapshot>.SHA256 + <snapshot>: OK |
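Review bot: The "Obtaining the public key" section tells the reader to verify the key with `drill TXT releasekey.oriole.systems` and the NickServ taxonomy entry, but never says what to compare. Consider stating which part of `release.pub` the TXT record and the taxonomy value are expected to match (for example the base64 key line), and noting that a plain `drill TXT` lookup is only as trustworthy as the resolver path unless the answer is DNSSEC-validated. Separately, "Obtaining the signature and checksum" calls the file a "detached signature", while the command shown is `signify -C -p release.pub -x <snapshot>.SHA256.sig`, which checks a signed checksum list; naming it that way would make it clearer why the `sha256sum` path uses a separate `<snapshot>.SHA256` file and why that path gives integrity only.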