From 4fe23d93c4f39b08f5bc4320af37ba109e618295 Mon Sep 17 00:00:00 2001 From: Wolfgang Müller Date: Sun, 21 Jul 2019 21:09:36 +0200 Subject: Initial import --- posts/verify-with-signify.md | 51 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 posts/verify-with-signify.md (limited to 'posts/verify-with-signify.md') diff --git a/posts/verify-with-signify.md b/posts/verify-with-signify.md new file mode 100644 index 0000000..8853554 --- /dev/null +++ b/posts/verify-with-signify.md 
@@ -0,0 +1,51 @@ +title: Verifying snapshots with signify +date: 2019-01-01 +author: Wolfgang Müller + +I use the [signify](https://flak.tedunangst.com/post/signify) tool to +cryptographically sign all software downloads you will find on this +site. + +Whilst you technically don't need `signify` to verify the _integrity_ of +downloaded files, I strongly recommend using it to also verify the +_signature_. A portable version of the tool is available +[here](https://github.com/aperezdc/signify). + +### Obtaining the signature and checksum + +If you decide to use `signify` to verify downloaded files, you need to obtain +the detached signature linked on the respective project page and the public +release key (see below). Otherwise, you only need to fetch the checksum. + +### Obtaining the public key + +To fully verify a download with `signify`, first obtain [my public +key](/release.pub). I keep a copy of the same key on DNS, feel free to +verify it therewith: + + $ drill TXT releasekey.oriole.systems + +Another copy of the key exists on the freenode IRC servers, in my +taxonomy data: + + /msg NickServ taxonomy vehk + +You may want to keep the public key saved on your system for future +verifications. + +### Verification with signify + +Once you have downloaded my public key, run the following to verify your +download: + + $ signify -C -p release.pub -x .SHA256.sig + Signature Verified + : OK + +### Verification with sha256sum + +Alternatively, if you don't want to install `signify`, you can use +the `sha256sum` tool to only verify the integrity of the download: + + $ sha256sum -c .SHA256 + : OK -- cgit v1.2.3-2-gb3c3
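Review bot: the command lines in both verification sections have lost their filename placeholders: `$ signify -C -p release.pub -x .SHA256.sig` and `$ sha256sum -c .SHA256` start the checksum filename with a bare dot, and the expected-output lines read `: OK` with nothing before the colon. If the markdown used angle-bracket placeholders such as `<file>`, they are being swallowed as HTML tags when rendered; escape them or spell out a literal example filename so readers know what to substitute. The "Obtaining the public key" section would also benefit from saying what to compare: state that the TXT record from `drill TXT releasekey.oriole.systems` and the NickServ taxonomy entry should match the key line in `release.pub`, and note that the DNS copy only adds independent assurance if the zone is DNSSEC-signed, since otherwise it is no harder to tamper with than the download served from the same site.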