author | Joey Hess <joey@kitenet.net> | 2014-08-15 17:30:16 -0400 |
---|---|---|
committer | Joey Hess <joey@kitenet.net> | 2014-08-15 17:30:40 -0400 |
commit | 022e81407e7d806100a0882c0f23067a88b4900a (patch) | |
tree | b8035dc47239d6b687aa83adef0d45e11ac65969 /doc/install/verifying_downloads.mdwn | |
parent | 52089bbe73d95c5a2c06a3c58c507129335e5580 (diff) | |
parent | e9128138ef1e19a341d7edfda4db2d6b1f8f6b0a (diff) |
Merge branch 'master' into s3-aws
Conflicts:
git-annex.cabal
Diffstat (limited to 'doc/install/verifying_downloads.mdwn')
-rw-r--r-- | doc/install/verifying_downloads.mdwn | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/doc/install/verifying_downloads.mdwn b/doc/install/verifying_downloads.mdwn new file mode 100644 index 000000000..c3413d431 --- /dev/null +++ b/doc/install/verifying_downloads.mdwn @@ -0,0 +1,31 @@ +When you download a git-annex package from downloads.kitenet.net, +as listed in [[install]], you should use a https connection. That provides +some security, but here's some more. + +The downloaded package's integrity can be verified by checking that +it was signed using the right GPG key, specifically the git-annex +distribution signing key. To do this, you need to download the .sig +file accompanying your package. Just append .sig to the url. + +For example, on Linux: + + $ wget http://downloads.kitenet.net/git-annex/linux/current/git-annex-standalone-amd64.tar.gz + $ wget http://downloads.kitenet.net/git-annex/linux/current/git-annex-standalone-amd64.tar.gz.sig + +You can then download the public key, and check that the package is signed +with it. + + $ wget https://downloads.kitenet.net/git-annex/gpg-pubkey.asc + $ gpg --import gpg-pubey.asc + $ gpg --verify git-annex-standalone-*.tar.gz.sig + +(The git-annex assistant can automatically upgrade git-annex, and when it +does, it always checks the signature like that.) + +But, how do you know that the gpg-pubkey.asc you downloaded +is the right key? The answer is the GPG web of trust. + +* Joey Hess generates these git-annex packages, + and has a GPG key, [C910D9222512E3C Joey Hess <id@joeyh.name>](http://pgp.cs.uu.nl/stats/2512E3C7.html), which has + been verified and signed by many people. +* Joey's GPG key has signed the git-annex distribution signing key. |
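Review bot: The key import step reads `gpg --import gpg-pubey.asc`, but the line above it fetches `gpg-pubkey.asc`, so the import fails as written and the following `gpg --verify` has no key to check against; the filename should be `gpg-pubkey.asc`. In the Linux example, both `wget` lines for the tarball and its `.sig` use `http://downloads.kitenet.net/...` even though the opening paragraph tells the reader to use an https connection and the key itself is fetched over `https://`; switching those two URLs to `https://` would keep the example consistent with the advice. In the web of trust bullet, the displayed key id `C910D9222512E3C` is 15 hex digits and stops one character short of the `2512E3C7` in its own link target, so it looks truncated and is worth checking against the real key id. Finally, the page names the git-annex distribution signing key but never shows its fingerprint or the command for listing the signatures on it, so a reader has nothing to compare the imported key against; adding both would make the last two bullets actionable.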