|
2 | 2 |
|
3 | 3 | # Signing key |
4 | 4 |
|
5 | | -Each release of Stack is signed with the GPG key of the person who makes the |
6 | | -release. |
| 5 | +Each released Stack executable is signed with either: |
7 | 6 |
|
8 | | -Authorized keys are themselves signed by the GPG key with ID 0x575159689BEFB442. |
9 | | -That key, and keys it has signed, have been uploaded to the |
| 7 | +* the GPG key with ID 0x575159689BEFB442; or |
| 8 | +* the GPG key of a person that has been authorised by the GPG key with ID |
| 9 | + 0x575159689BEFB442. |
| 10 | + |
| 11 | +The signature is in an `*.asc` file. For example: |
| 12 | + |
| 13 | +~~~ |
| 14 | +stack-2.7.5-linux-x86_64-bin |
| 15 | +stack-2.7.5-linux-x86_64-bin.asc |
| 16 | +~~~ |
| 17 | + |
| 18 | +The signature can be verified with GPG, as follows: |
| 19 | + |
| 20 | +~~~ |
| 21 | +$ # Receive the public key from a keyserver |
| 22 | +$ gpg --keyserver keyserver.ubuntu.com --recv-keys 0x575159689BEFB442 |
| 23 | +$ # Get information about the key |
| 24 | +$ gpg --keyid-format long --list-keys 0x575159689BEFB442 |
| 25 | +pub rsa2048/575159689BEFB442 2015-06-02 [SC] |
| 26 | + C5705533DA4F78D8664B5DC0575159689BEFB442 |
| 27 | +uid [ unknown] FPComplete <[email protected]> |
| 28 | +sub rsa2048/85A738994664AB89 2015-06-02 [E] |
| 29 | +
|
| 30 | +$ # Attempt to verify the file using the signature file. The public key has not |
| 31 | +$ # yet been certified with a trusted signature. |
| 32 | +$ gpg --verify stack-2.7.5-linux-x86_64-bin.asc stack-2.7.5-linux-x86_64-bin |
| 33 | +gpg: Signature made 06/03/2022 15:15:21 GMT Standard Time |
| 34 | +gpg: using RSA key C5705533DA4F78D8664B5DC0575159689BEFB442 |
| 35 | +gpg: Good signature from "FPComplete <[email protected]>" [unknown] |
| 36 | +gpg: WARNING: This key is not certified with a trusted signature! |
| 37 | +gpg: There is no indication that the signature belongs to the owner. |
| 38 | +Primary key fingerprint: C570 5533 DA4F 78D8 664B 5DC0 5751 5968 9BEF B442 |
| 39 | +~~~ |
| 40 | + |
| 41 | +The GPG key with ID 0x575159689BEFB442, and keys it has signed, have been |
| 42 | +uploaded to the |
10 | 43 | [Ubuntu Keyserver](https://keyserver.ubuntu.com/pks/lookup?search=0x575159689BEFB442&fingerprint=on&op=index). |
11 | 44 |
|
12 | 45 | This is the public key block for GPG key ID 0x575159689BEFB442: |
|
0 commit comments