summaryrefslogtreecommitdiffstatshomepage
path: root/posts/verify-with-signify.md
blob: 885355404513ec833ddb6690633593246ad256c6 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
title: Verifying snapshots with signify
date: 2019-01-01
author: Wolfgang Müller

I use the [signify](https://flak.tedunangst.com/post/signify) tool to
cryptographically sign all software downloads you will find on this
site.

Whilst you technically don't need `signify` to verify the _integrity_ of
downloaded files, I strongly recommend using it to also verify the
_signature_.  A portable version of the tool is available
[here](https://github.com/aperezdc/signify).

### Obtaining the signature and checksum

If you decide to use `signify` to verify downloaded files, you need to obtain
the detached signature linked on the respective project page and the public
release key (see below). Otherwise, you only need to fetch the checksum.

### Obtaining the public key

To fully verify a download with `signify`, first obtain [my public
key](/release.pub).  I keep a copy of the same key on DNS, feel free to
verify it therewith:

	$ drill TXT releasekey.oriole.systems

Another copy of the key exists on the freenode IRC servers, in my
taxonomy data:

	/msg NickServ taxonomy vehk

You may want to keep the public key saved on your system for future
verifications.

### Verification with signify

Once you have downloaded my public key, run the following to verify your
download:

	$ signify -C -p release.pub -x <snapshot>.SHA256.sig
	Signature Verified
	<snapshot>: OK

### Verification with sha256sum

Alternatively, if you don't want to install `signify`, you can use
the `sha256sum` tool to only verify the integrity of the download:

	$ sha256sum -c <snapshot>.SHA256
	<snapshot>: OK