summaryrefslogtreecommitdiff
path: root/doc/install/verifying_downloads.mdwn
blob: c3413d43159c048c7317831cda5a7f033f7a0711 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
When you download a git-annex package from downloads.kitenet.net,
as listed in [[install]], you should use a https connection. That provides
some security, but here's some more.

The downloaded package's integrity can be verified by checking that
it was signed using the right GPG key, specifically the git-annex
distribution signing key. To do this, you need to download the .sig
file accompanying your package. Just append .sig to the url. 

For example, on Linux:

	$ wget http://downloads.kitenet.net/git-annex/linux/current/git-annex-standalone-amd64.tar.gz
	$ wget http://downloads.kitenet.net/git-annex/linux/current/git-annex-standalone-amd64.tar.gz.sig

You can then download the public key, and check that the package is signed
with it.

	$ wget https://downloads.kitenet.net/git-annex/gpg-pubkey.asc
	$ gpg --import gpg-pubey.asc
	$ gpg --verify git-annex-standalone-*.tar.gz.sig

(The git-annex assistant can automatically upgrade git-annex, and when it
does, it always checks the signature like that.)

But, how do you know that the gpg-pubkey.asc you downloaded
is the right key? The answer is the GPG web of trust. 

* Joey Hess generates these git-annex packages,
  and has a GPG key, [C910D9222512E3C Joey Hess <id@joeyh.name>](http://pgp.cs.uu.nl/stats/2512E3C7.html), which has
  been verified and signed by many people.
* Joey's GPG key has signed the git-annex distribution signing key.