From 751da2c0ec0c0a44ed205dd906d82ab34975eb30 Mon Sep 17 00:00:00 2001 From: Wolfgang Müller Date: Thu, 6 May 2021 20:12:48 +0200 Subject: posts: Update posts to reflect usage of cgit's signature mechanism cgit can host detached signatures using git-notes(1). Since we want to make use of that going forward and have finally gotten around to setting it up fully, we need to make some small changes to verify-with-signify.md and the weltschmerz project page. Specifically, we no longer host both the signature and the checksum (since this would be too cumbersome to maintain with cgit), rendering the choice explained in the post moot. Since the detached signature has always contained the checksum, however, we can just fall back to a slightly different invocation for verifying it. --- posts/verify-with-signify.md | 10 +++++----- posts/weltschmerz.md | 7 +++---- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/posts/verify-with-signify.md b/posts/verify-with-signify.md index 37dbb34..039ac8c 100644 --- a/posts/verify-with-signify.md +++ b/posts/verify-with-signify.md @@ -13,9 +13,9 @@ _signature_. A portable version of the tool is available ### Obtaining the signature and checksum -If you decide to use `signify` to verify downloaded files, you need to obtain -the detached signature linked on the respective project page and the public -release key (see below). Otherwise, you only need to fetch the checksum. +Whether or not you decide to use `signify` to verify downloaded files, you need +to obtain the detached signature linked on the respective project page. It +contains the signature as well as the checksum. ### Obtaining the public key @@ -38,7 +38,7 @@ verifications. Once you have downloaded my public key, run the following to verify your download: - $ signify -C -p release.pub -x .SHA256.sig + $ signify -C -p release.pub -x .asc Signature Verified : OK 
@@ -47,5 +47,5 @@ download: Alternatively, if you don't want to install `signify`, you can use the `sha256sum` tool to only verify the integrity of the download: - $ sha256sum -c .SHA256 + $ tail -n1 .asc | sha256sum -c : OK diff --git a/posts/weltschmerz.md b/posts/weltschmerz.md index fd0f21c..1824789 100644 --- a/posts/weltschmerz.md +++ b/posts/weltschmerz.md @@ -17,11 +17,10 @@ terminal emulator for daily use. ## Download -- [weltschmerz-1.3.0.tar.gz](/snapshots/weltschmerz/weltschmerz-1.3.0.tar.gz) - ([signature](/snapshots/weltschmerz/weltschmerz-1.3.0.tar.gz.SHA256.sig), - [checksum](/snapshots/weltschmerz/weltschmerz-1.3.0.tar.gz.SHA256), +- [weltschmerz-1.3.0.tar.gz](https://git.oriole.systems/weltschmerz/snapshot/weltschmerz-1.3.0.tar.gz) + ([signature](https://git.oriole.systems/weltschmerz/snapshot/weltschmerz-1.3.0.tar.gz.asc), [verify?](verify-with-signify), - [archive](/snapshots/weltschmerz/)) + [archive](https://git.oriole.systems/weltschmerz/refs)) - [Git repository](https://git.oriole.systems/weltschmerz) ## Requirements -- cgit v1.2.3-2-gb3c3
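Review bot: In the first hunk of posts/verify-with-signify.md, the unchanged heading `### Obtaining the signature and checksum` still reads as two separate downloads, while the rewritten paragraph describes a single file that contains both. Consider renaming the heading to match. The removed text also told signify users to fetch the public release key "(see below)"; the new paragraph drops that pointer, so a short mention that the signify path additionally needs the key from the next section would keep the steps complete.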
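Review bot: In the `signify -C -p release.pub -x .asc` line of the second hunk, the `.asc` suffix is the one commonly used for ASCII-armored OpenPGP signatures, so a reader may reach for gpg and get a confusing failure. A sentence next to the command stating that the file is a signify signature despite its extension, and that the name comes from how the snapshot signature is linked on the project page, would prevent that.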
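Review bot: `tail -n1 .asc | sha256sum -c` in the third hunk only works if the checksum is exactly the last line of the signature file, and the post does not state that assumption. Either say so next to the command or select by position from the top instead, for example `tail -n +3`, which skips the comment and signature lines that signify writes ahead of the signed text. It would also be worth spelling out that this path trusts an unauthenticated line: the signature stored in the same file is never checked, so it catches a corrupted download but not a tarball and `.asc` that were replaced together.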
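Review bot: In the Download list of posts/weltschmerz.md, the `archive` label is kept while its target changes from the `/snapshots/weltschmerz/` directory to `https://git.oriole.systems/weltschmerz/refs`. If that page lists refs rather than only release tarballs, a label that says so would set the right expectation. The list also now mixes absolute URLs with the still-relative `verify-with-signify` link; that is fine if intentional, but worth a quick check that the relative link resolves wherever this page is rendered.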