summaryrefslogtreecommitdiffstatshomepage
path: root/posts
diff options
context:
space:
mode:
authorWolfgang Müller2021-05-06 20:12:48 +0200
committerWolfgang Müller2021-05-06 20:12:48 +0200
commit751da2c0ec0c0a44ed205dd906d82ab34975eb30 (patch)
tree0d5bb4d4254899a22eec81497f9c7fb03a98614b /posts
parent5f15cda8d8a018239860062e458b3ef1b9c05817 (diff)
downloadsite-751da2c0ec0c0a44ed205dd906d82ab34975eb30.tar.gz
posts: Update posts to reflect usage of cgit's signature mechanism
cgit can host detached signatures using git-notes(1). Since we want to make use of that going forward and have finally gotten around to setting it up fully, we need to make some small changes to verify-with-signify.md and the weltschmerz project page. Specifically, we no longer host both the signature and the checksum (since this would be too cumbersome to maintain with cgit), rendering the choice explained in the post moot. Since the detached signature has always contained the checksum, however, we can just fall back to a slightly different invocation for verifying it.
Diffstat (limited to 'posts')
-rw-r--r--posts/verify-with-signify.md10
-rw-r--r--posts/weltschmerz.md7
2 files changed, 8 insertions, 9 deletions
diff --git a/posts/verify-with-signify.md b/posts/verify-with-signify.md
index 37dbb34..039ac8c 100644
--- a/posts/verify-with-signify.md
+++ b/posts/verify-with-signify.md
@@ -13,9 +13,9 @@ _signature_. A portable version of the tool is available
### Obtaining the signature and checksum
-If you decide to use `signify` to verify downloaded files, you need to obtain
-the detached signature linked on the respective project page and the public
-release key (see below). Otherwise, you only need to fetch the checksum.
+Whether or not you decide to use `signify` to verify downloaded files, you need
+to obtain the detached signature linked on the respective project page. It
+contains the signature as well as the checksum.
### Obtaining the public key
@@ -38,7 +38,7 @@ verifications.
Once you have downloaded my public key, run the following to verify your
download:
- $ signify -C -p release.pub -x <snapshot>.SHA256.sig
+ $ signify -C -p release.pub -x <snapshot>.asc
Signature Verified
<snapshot>: OK
@@ -47,5 +47,5 @@ download:
Alternatively, if you don't want to install `signify`, you can use
the `sha256sum` tool to only verify the integrity of the download:
- $ sha256sum -c <snapshot>.SHA256
+ $ tail -n1 <snapshot>.asc | sha256sum -c
<snapshot>: OK
diff --git a/posts/weltschmerz.md b/posts/weltschmerz.md
index fd0f21c..1824789 100644
--- a/posts/weltschmerz.md
+++ b/posts/weltschmerz.md
@@ -17,11 +17,10 @@ terminal emulator for daily use.
## Download
-- [weltschmerz-1.3.0.tar.gz](/snapshots/weltschmerz/weltschmerz-1.3.0.tar.gz)
- ([signature](/snapshots/weltschmerz/weltschmerz-1.3.0.tar.gz.SHA256.sig),
- [checksum](/snapshots/weltschmerz/weltschmerz-1.3.0.tar.gz.SHA256),
+- [weltschmerz-1.3.0.tar.gz](https://git.oriole.systems/weltschmerz/snapshot/weltschmerz-1.3.0.tar.gz)
+ ([signature](https://git.oriole.systems/weltschmerz/snapshot/weltschmerz-1.3.0.tar.gz.asc),
[verify?](verify-with-signify),
- [archive](/snapshots/weltschmerz/))
+ [archive](https://git.oriole.systems/weltschmerz/refs))
- [Git repository](https://git.oriole.systems/weltschmerz)
## Requirements