diff options
| -rw-r--r-- | posts/verify-with-signify.md | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/posts/verify-with-signify.md b/posts/verify-with-signify.md index d2061e2..85da646 100644 --- a/posts/verify-with-signify.md +++ b/posts/verify-with-signify.md @@ -4,7 +4,7 @@ author: Wynn Wolf Arbor I use the [signify](https://flak.tedunangst.com/post/signify) tool to cryptographically sign all software downloads you will find on this -site. +site and on [git.oriole.systems](https://git.oriole.systems). Whilst you technically don't need `signify` to verify the _integrity_ of downloaded files, I strongly recommend using it to also verify the @@ -20,8 +20,8 @@ browser or a tool like `curl` or `wget` to obtain the tarballs. ### Obtaining the signature and checksum Whether or not you decide to use `signify` to verify downloaded files, you need -to obtain the detached signature linked on the respective project page. It -contains the signature as well as the checksum. +to obtain the detached signature linked on the respective project page or git +repository[^1]. It contains the signature as well as the checksum. ### Obtaining the public key @@ -55,3 +55,5 @@ the `sha256sum` tool to only verify the integrity of the download: $ tail -n1 <snapshot>.asc | sha256sum -c <snapshot>: OK + +[^1]: If you are interested in how this is put together, check out [this](signify-cgit) post. |