
Verifying Releases

Chris Dunlap edited this page Jan 6, 2020 · 6 revisions

Releases are signed with a GPG key. This key can be imported from the top-level KEYS file:

$ gpg --import KEYS
gpg: key 3B7ECB2B30DE0871: public key "Chris Dunlap <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Alternatively, this key can be fetched via URI:

$ gpg --fetch-keys https://github.com/dun.gpg
gpg: requesting key from 'https://github.com/dun.gpg'
gpg: key 3B7ECB2B30DE0871: public key "Chris Dunlap <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

To validate the authenticity of the key, check that its fingerprint matches the key fingerprint listed below:

$ gpg --fingerprint 0x3B7ECB2B30DE0871
pub   rsa4096 2011-10-01 [SC]
      A441 880C 3D4C 7C36 C5DD  41E1 3B7E CB2B 30DE 0871
uid           [ unknown] Chris Dunlap <[email protected]>
uid           [ unknown] Chris Dunlap <[email protected]>
uid           [ unknown] Chris Dunlap <[email protected]>
sub   rsa4096 2011-10-01 [E]

The Git tag for a release is signed with this GPG key. The GitHub release page will display a badge indicating whether this signature could be verified. This signature can also be verified with Git:

$ git tag --verify munge-0.5.13

A release consists of a compressed tarball, a detached GPG signature, and a cryptographic checksum:

munge-0.5.13.tar.xz
munge-0.5.13.tar.xz.asc
munge-0.5.13.tar.xz.sha512

The GPG signature file has the same name as the tarball file followed by the extension ".asc". It allows you to verify both the authenticity and integrity of the tarball. This ensures that the tarball has not been altered by an untrusted entity, and that it has been downloaded and stored correctly without errors:

$ gpg --verify munge-0.5.13.tar.xz.asc munge-0.5.13.tar.xz
gpg: Signature made Tue Sep 26 15:12:12 2017 PDT
gpg:                using RSA key 3B7ECB2B30DE0871
gpg: Good signature from "Chris Dunlap <[email protected]>" [unknown]
gpg:                 aka "Chris Dunlap <[email protected]>" [unknown]
gpg:                 aka "Chris Dunlap <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A441 880C 3D4C 7C36 C5DD  41E1 3B7E CB2B 30DE 0871
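The WARNING above is expected when the key has not been locally certified; what matters is that the primary key fingerprint printed by gpg equals the one pinned from the KEYS file. The script below is an added example (not part of the MUNGE project) that makes that comparison explicit by reading gpg's machine-readable `--status-fd` output rather than the human-readable "Good signature" line, which gpg also prints for any other key that happens to be in the keyring. The status transcripts embedded in it are constructed for offline use.

```shell
#!/bin/sh
# Added example: pin the MUNGE release key fingerprint and check it against the
# VALIDSIG line that `gpg --status-fd 1 --verify` emits.

# Fingerprint from the page above, with spaces removed.
MUNGE_RELEASE_FPR="A441880C3D4C7C36C5DD41E13B7ECB2B30DE0871"

# verify_status STATUS_TEXT EXPECTED_FPR
# STATUS_TEXT is what `gpg --status-fd 1 --verify FILE.asc FILE` writes.
# Returns 0 only when gpg reported VALIDSIG and the primary key fingerprint
# (12th field, or the 3rd when gpg omits the primary) equals EXPECTED_FPR.
# Only VALIDSIG is consulted; GOODSIG/BADSIG and the trust lines are ignored.
verify_status() {
    fpr=$(printf '%s\n' "$1" | awk '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { f = (NF >= 12) ? $12 : $3; print f; exit }')
    [ -n "$fpr" ] && [ "$fpr" = "$2" ]
}

# verify_release TARBALL EXPECTED_FPR
# Runs gpg for real on a downloaded release; exit status 0 means verified.
verify_release() {
    status=$(gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) || return 1
    verify_status "$status" "$2"
}

# Constructed transcript: signature by the pinned key (RSA, SHA-512).
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG A441880C3D4C7C36C5DD41E13B7ECB2B30DE0871 2017-09-26 1506463932 0 4 0 1 10 00 A441880C3D4C7C36C5DD41E13B7ECB2B30DE0871
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed transcript: a valid signature, but from some other keyring key.
# gpg would still print "Good signature" for this one.
OTHER_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2017-09-26 1506463932 0 4 0 1 10 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed transcript: altered or corrupted tarball, no VALIDSIG at all.
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 3B7ECB2B30DE0871 (uid omitted)'
```

On a real download, `verify_release munge-0.5.13.tar.xz "$MUNGE_RELEASE_FPR"` performs the same check against live gpg output.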

The checksum file has the same name as the tarball file followed by the extension ".sha512". It contains a checksum generated by the SHA-512 cryptographic hash function. It allows you to verify only the integrity of the tarball. This ensures that the tarball has been downloaded and stored correctly without errors, but does not provide any guarantee of authenticity:

$ sha512sum --check munge-0.5.13.tar.xz.sha512
munge-0.5.13.tar.xz: OK