author Jakob Unterwurzacher 2018-05-02 19:56:57 +0200
committer Jakob Unterwurzacher 2018-05-02 19:56:57 +0200
commit 17b346f91276aec7735fe71c86585d3850fb1152 (patch)
tree 4c2302ebc381c95fc229359afa6aab38de8087d9
parent 0764925db41a15e1dc2ec0439321d5ae74dcc0d2 (diff)
Update signature verification for gpg2
gpg2 displays a longer key id https://github.com/rfjakob/gocryptfs-website/issues/6
-rw-r--r-- docs/releases.md 40
1 files changed, 27 insertions, 13 deletions
diff --git a/docs/releases.md b/docs/releases.md
index 6968109..b032a4c 100644
--- a/docs/releases.md
+++ b/docs/releases.md
@@ -9,7 +9,8 @@ gocryptfs is released as
Signing Key
-----------
-Binary and source releases are signed using the *gocryptfs signing key*, key ID 23A02740.
+Binary and source releases are signed using the *gocryptfs signing key*, key ID
+`895F5BC123A02740` (gpg 1.x users only see the second half: `23A02740`).
The public key can be downloaded [here](https://nuetzlich.net/gocryptfs-signing-key.pub).
To verify signatures, you have to import it into gpg:
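Review bot: In the Signing Key paragraph the key is still identified only by a key ID, now `895F5BC123A02740`, and that value is just the last 16 hex digits of the fingerprint, so it is a weaker thing to ask readers to match than the fingerprint itself. The sample output added further down in this patch already prints `Primary key fingerprint: FFF3 E014 44FE D7C3 16A3 545A 895F 5BC1 23A0 2740`; consider stating that full fingerprint here and telling readers to compare it after importing the downloaded key, keeping the two key IDs only as the remark about what gpg 1.x and gpg2 display.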
@@ -22,21 +23,34 @@ Verify Git Tags
Just call `git tag` with the `-v` flag, for example:
- $ git tag -v v0.7
- [...]
- gocryptfs v0.7
- gpg: Signature made So 20 Dez 2015 20:29:19 CET using RSA key ID 23A02740
- gpg: Good signature [...]
+```
+$ git tag -v v1.4.4
+object 9c86daf499dca8a69b058ec56803d06fbba4fdab
+type commit
+tag v1.4.4
+tagger Jakob Unterwurzacher <jakobunt@gmail.com> 1521412204 +0100
+
+gocryptfs v1.4.4
+gpg: Signature made Sun Mar 18 23:30:10 2018 CET
+gpg: using RSA key 895F5BC123A02740
+gpg: Good signature from "Jakob Unterwurzacher (gocryptfs signing key) <jakobunt@gmail.com>" [unknown]
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg: There is no indication that the signature belongs to the owner.
+Primary key fingerprint: FFF3 E014 44FE D7C3 16A3 545A 895F 5BC1 23A0 2740
+```
Verify Binaries
---------------
Download both the `.tar.gz` and the `.asc` file, then run `gpg --verify gocryptfs_XYZ.asc`,
for example:
-
- $ gpg --verify gocryptfs_v0.7.1_debian8_amd64.tar.gz.asc
- gpg: assuming signed data in `gocryptfs_v0.7.1_debian8_amd64.tar.gz'
- gpg: Signature made Sa 09 Jan 2016 15:53:33 CET using RSA key ID 23A02740
- gpg: Good signature [...]
-
-
+```
+$ gpg --verify gocryptfs_v1.4.4_linux-static_amd64.tar.gz.asc
+gpg: assuming signed data in 'gocryptfs_v1.4.4_linux-static_amd64.tar.gz'
+gpg: Signature made Sun Mar 18 23:32:47 2018 CET
+gpg: using RSA key 895F5BC123A02740
+gpg: Good signature from "Jakob Unterwurzacher (gocryptfs signing key) <jakobunt@gmail.com>" [unknown]
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg: There is no indication that the signature belongs to the owner.
+Primary key fingerprint: FFF3 E014 44FE D7C3 16A3 545A 895F 5BC1 23A0 2740
+```
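Review bot: Both new sample outputs (the `git tag -v v1.4.4` block and the `gpg --verify` block) now include `gpg: WARNING: This key is not certified with a trusted signature!`, but the text around them does not say whether that is expected, whereas the old examples ended on a plain `Good signature [...]`. A sentence after each block would help: the lines to check are `Good signature` together with `Primary key fingerprint`, and the warning means the imported key has not been certified locally, not that verification failed. It may also be worth noting that `v1.4.4` and the dates are only the example release, so readers do not expect identical output for other versions.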