Previous: , Up: Installation  


Tarballs integrity check

You have to check downloaded archives integrity and verify their signature to be sure that you have got trusted, untampered software. For integrity and authentication of downloaded binaries GNU Privacy Guard is used. You must download signature (.sig) provided with the tarball.

For the very first time you need to import signing public key. It is provided below, but it is better to check alternative resources with it.

pub   rsa2048/0xBE033FCAB6C7005D 2020-09-01
      8D99 FD69 B6A7 98B2 43B9  3A36 BE03 3FCA B6C7 005D
uid   gostipsec releases <gostipsec at cypherpunks dot ru>
$ gpg --auto-key-locate dane --locate-keys gostipsec at cypherpunks dot ru
$ gpg --auto-key-locate wkd --locate-keys gostipsec at cypherpunks dot ru
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBF9OVP4BCAC5W2c/6ogp97zqMC0P9tCO2ZdNmGwv5Ig/D3gq1zZhoTUta95r
qiPbohjxZt/WFNQvKhcC3u7cjEJFbfqtDmOM/BimIPOCWIwq6fsu52UQ1e9JNYTv
C16xjP1dELgIddT1qHEQ8fKMiA/6jU+HYapzm2O+deThh8J/Chy7QUlTxuX0jLGD
NJC+vXJUvkteqLtOcMUFWV+paAMjYxaUR7Z1Lyx95JHAjPR+itXxqhV129/AsARU
8l/nY8OyiMhYL7hZ+iEFsEZYSxwKKIl97ToojxfSl3gDJLrzTlt/cmziygMaZPPP
vEh61//5f4ik8tbVmrLpj0A/ASOSPWAHUA2dABEBAAG0LWdvc3RpcHNlYyByZWxl
YXNlcyA8Z29zdGlwc2VjQGN5cGhlcnB1bmtzLnJ1PokBVwQTAQoAQQIbAwwLCgkN
CAwHCwMEAQIHFQoJCAsDAgUWAgEDAAIeAQIXgBYhBI2Z/Wm2p5iyQ7k6Nr4DP8q2
xwBdBQJfTlVEAAoJEL4DP8q2xwBdgLAH/iTEX3Io26f70s+i1NMX5hnLrMU2UGzy
fsS69SCOYF/HTr5izTiehqOsfNyEWCFrTpp/odA36UkeUG8kVe5cNAC6R+W2CftU
gJns9m9sVBqvh5PpP81/5ke/WwfhVW3XN0z9LePohozxLGoFbIByTWKqZ6OddmAb
eZ4ovMAHLDTwIS0Bx573amPvmEmeASI8fIhCgE25R5GXjRJHHl/qhBDeKQ8obZEz
oWht35lgqAZe35EwfNSsqUc8yDlGxhEb43XFcdgTSMOQ9ogEpm2K30loNGIjsLND
axAZmKSzQZN/HH8pexcgH5q4j3EO7pb9q0yQsL0s4LFV/2KNOP/TPSmIdQQQEQoA
HRYhBM9g6JpZIx524mNkIq4agQnkmFfvBQJfTlXAAAoJEK4agQnkmFfv3PsA/iEb
fFb0OlzZJRZKzDz5LTUtgYiXS1Bcf7MFKlpWqVm/AP44MrgGMx+p4VSrGDN6sUT3
NRqknlZiXZNRLzQAuY1zWA==
=D1tY
-----END PGP PUBLIC KEY BLOCK-----

Then you could verify tarballs signature:

$ gpg --verify gostipsec-v1.0.0.tar.zst.sig gostipsec-v1.0.0.tar.zst