summaryrefslogtreecommitdiffstatshomepage
path: root/posts
diff options
context:
space:
mode:
authorWolfgang Müller2021-05-16 21:04:13 +0200
committerWolfgang Müller2021-05-16 21:10:56 +0200
commit34012d409fc04a5b86c6f7413c238bc6410631d4 (patch)
treec731c2aaba7181e79524820a124c2bb036cf036a /posts
parent95afc0ba01822234d8572502b728c9c1d1ac4332 (diff)
downloadsite-34012d409fc04a5b86c6f7413c238bc6410631d4.tar.gz
posts: Clarify that signatures can also be obtained via cgit
Commit 751da2c (posts: Update posts to reflect usage of cgit's signature mechanism, 2021-05-06) updated the project pages as well as "Verifying snapshots with signify" with information regarding the new cgit signature mechanism, but neglected to mention that signatures can be obtained directly through git.oriole.systems as well (the project pages merely deeplink to that). Furthermore, with commit 28c2473 (posts: Add a new post: "Hosting signify signatures on cgit", 2021-05-16) we now have an explanatory piece which we can link if people are interested in the underlying infrastructure.
Diffstat (limited to 'posts')
-rw-r--r--posts/verify-with-signify.md8
1 files changed, 5 insertions, 3 deletions
diff --git a/posts/verify-with-signify.md b/posts/verify-with-signify.md
index d2061e2..85da646 100644
--- a/posts/verify-with-signify.md
+++ b/posts/verify-with-signify.md
@@ -4,7 +4,7 @@ author: Wynn Wolf Arbor
I use the [signify](https://flak.tedunangst.com/post/signify) tool to
cryptographically sign all software downloads you will find on this
-site.
+site and on [git.oriole.systems](https://git.oriole.systems).
Whilst you technically don't need `signify` to verify the _integrity_ of
downloaded files, I strongly recommend using it to also verify the
@@ -20,8 +20,8 @@ browser or a tool like `curl` or `wget` to obtain the tarballs.
### Obtaining the signature and checksum
Whether or not you decide to use `signify` to verify downloaded files, you need
-to obtain the detached signature linked on the respective project page. It
-contains the signature as well as the checksum.
+to obtain the detached signature linked on the respective project page or git
+repository[^1]. It contains the signature as well as the checksum.
### Obtaining the public key
@@ -55,3 +55,5 @@ the `sha256sum` tool to only verify the integrity of the download:
$ tail -n1 <snapshot>.asc | sha256sum -c
<snapshot>: OK
+
+[^1]: If you are interested in how this is put together, check out [this](signify-cgit) post.