summaryrefslogtreecommitdiffstatshomepage
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--posts/verify-with-signify.md8
1 files changed, 5 insertions, 3 deletions
diff --git a/posts/verify-with-signify.md b/posts/verify-with-signify.md
index d2061e2..85da646 100644
--- a/posts/verify-with-signify.md
+++ b/posts/verify-with-signify.md
@@ -4,7 +4,7 @@ author: Wynn Wolf Arbor
I use the [signify](https://flak.tedunangst.com/post/signify) tool to
cryptographically sign all software downloads you will find on this
-site.
+site and on [git.oriole.systems](https://git.oriole.systems).
Whilst you technically don't need `signify` to verify the _integrity_ of
downloaded files, I strongly recommend using it to also verify the
@@ -20,8 +20,8 @@ browser or a tool like `curl` or `wget` to obtain the tarballs.
### Obtaining the signature and checksum
Whether or not you decide to use `signify` to verify downloaded files, you need
-to obtain the detached signature linked on the respective project page. It
-contains the signature as well as the checksum.
+to obtain the detached signature linked on the respective project page or git
+repository[^1]. It contains the signature as well as the checksum.
### Obtaining the public key
@@ -55,3 +55,5 @@ the `sha256sum` tool to only verify the integrity of the download:
$ tail -n1 <snapshot>.asc | sha256sum -c
<snapshot>: OK
+
+[^1]: If you are interested in how this is put together, check out [this](signify-cgit) post.