title: Verifying snapshots with signify date: 2019-01-01 author: Wynn Wolf Arbor I use the [signify](https://flak.tedunangst.com/post/signify) tool to cryptographically sign all software downloads you will find on this site and on [git.oriole.systems](https://git.oriole.systems). Whilst you technically don't need `signify` to verify the _integrity_ of downloaded files, I strongly recommend using it to also verify the _signature_. A portable version of the tool is available [here](https://github.com/aperezdc/signify). **Note**: Firefox is [bugged](https://bugzilla.mozilla.org/show_bug.cgi?id=610679) when it comes to downloading content that is already compressed. Tarballs that were downloaded with Firefox will **fail** verification. Please make sure to use another browser or a tool like `curl` or `wget` to obtain the tarballs. ### Obtaining the signature and checksum Whether or not you decide to use `signify` to verify downloaded files, you need to obtain the detached signature linked on the respective project page or git repository[^1]. It contains the signature as well as the checksum. ### Obtaining the public key To fully verify a download with `signify`, first obtain [my public key](/release.pub). I keep a copy of the same key on DNS, feel free to verify it therewith: $ drill TXT releasekey.oriole.systems Another copy of the key exists on the [Libera.Chat](https://libera.chat) IRC servers, in my taxonomy data: /msg NickServ taxonomy wynn You may want to keep the public key saved on your system for future verifications. ### Verification with signify Once you have downloaded my public key, run the following to verify your download: $ signify -C -p release.pub -x .asc Signature Verified : OK ### Verification with sha256sum Alternatively, if you don't want to install `signify`, you can use the `sha256sum` tool to only verify the integrity of the download: $ tail -n1 .asc | sha256sum -c : OK ### Verification of the corresponding commit Every tarball hosted here contains its corresponding commit ID in the global extended pax header[^2]. Therefore, if a tarball is signed, it may be used to verify a commit and all of its ancestors. To do so, place the tarball in the cloned git repository first. If you already have the detached signature, you may verify the tarball normally like shown above. Otherwise, you can fetch the signatures directly from the repository: $ git fetch origin refs/notes/signatures/tar.gz:refs/notes/signatures/tar.gz Now you can verify the tarball like so: $ git notes --ref=signatures/tar.gz show | signify -Cp release.pub -x - Signature Verified : OK Once verified, you can extract the commit using [`git-get-tar-commit-id(1)`](https://git-scm.com/docs/git-get-tar-commit-id) and show it: $ gzip -d -c | git get-tar-commit-id | xargs git show [^1]: If you are interested in how this is put together, check out [this](signify-cgit) post. [^2]: [`git-archive(1)`](https://git-scm.com/docs/git-archive#_description) puts it there.