diff options
author | Wolfgang Müller | 2021-05-06 20:12:48 +0200 |
---|---|---|
committer | Wolfgang Müller | 2021-05-06 20:12:48 +0200 |
commit | 751da2c0ec0c0a44ed205dd906d82ab34975eb30 (patch) | |
tree | 0d5bb4d4254899a22eec81497f9c7fb03a98614b /posts | |
parent | 5f15cda8d8a018239860062e458b3ef1b9c05817 (diff) | |
download | site-751da2c0ec0c0a44ed205dd906d82ab34975eb30.tar.gz |
posts: Update posts to reflect usage of cgit's signature mechanism
cgit can host detached signatures using git-notes(1). Since we want to
make use of that going forward and have finally gotten around to setting
it up fully, we need to make some small changes to
verify-with-signify.md and the weltschmerz project page.
Specifically, we no longer host both the signature and the checksum
(since this would be too cumbersome to maintain with cgit), rendering
the choice explained in the post moot. Since the detached signature has
always contained the checksum, however, we can just fall back to a
slightly different invocation for verifying it.
Diffstat (limited to 'posts')
-rw-r--r-- | posts/verify-with-signify.md | 10 | ||||
-rw-r--r-- | posts/weltschmerz.md | 7 |
2 files changed, 8 insertions, 9 deletions
diff --git a/posts/verify-with-signify.md b/posts/verify-with-signify.md index 37dbb34..039ac8c 100644 --- a/posts/verify-with-signify.md +++ b/posts/verify-with-signify.md @@ -13,9 +13,9 @@ _signature_. A portable version of the tool is available ### Obtaining the signature and checksum -If you decide to use `signify` to verify downloaded files, you need to obtain -the detached signature linked on the respective project page and the public -release key (see below). Otherwise, you only need to fetch the checksum. +Whether or not you decide to use `signify` to verify downloaded files, you need +to obtain the detached signature linked on the respective project page. It +contains the signature as well as the checksum. ### Obtaining the public key @@ -38,7 +38,7 @@ verifications. Once you have downloaded my public key, run the following to verify your download: - $ signify -C -p release.pub -x <snapshot>.SHA256.sig + $ signify -C -p release.pub -x <snapshot>.asc Signature Verified <snapshot>: OK @@ -47,5 +47,5 @@ download: Alternatively, if you don't want to install `signify`, you can use the `sha256sum` tool to only verify the integrity of the download: - $ sha256sum -c <snapshot>.SHA256 + $ tail -n1 <snapshot>.asc | sha256sum -c <snapshot>: OK diff --git a/posts/weltschmerz.md b/posts/weltschmerz.md index fd0f21c..1824789 100644 --- a/posts/weltschmerz.md +++ b/posts/weltschmerz.md @@ -17,11 +17,10 @@ terminal emulator for daily use. ## Download -- [weltschmerz-1.3.0.tar.gz](/snapshots/weltschmerz/weltschmerz-1.3.0.tar.gz) - ([signature](/snapshots/weltschmerz/weltschmerz-1.3.0.tar.gz.SHA256.sig), - [checksum](/snapshots/weltschmerz/weltschmerz-1.3.0.tar.gz.SHA256), +- [weltschmerz-1.3.0.tar.gz](https://git.oriole.systems/weltschmerz/snapshot/weltschmerz-1.3.0.tar.gz) + ([signature](https://git.oriole.systems/weltschmerz/snapshot/weltschmerz-1.3.0.tar.gz.asc), [verify?](verify-with-signify), - [archive](/snapshots/weltschmerz/)) + [archive](https://git.oriole.systems/weltschmerz/refs)) - [Git repository](https://git.oriole.systems/weltschmerz) ## Requirements |