Skip to content

Commit

Permalink
docs(verification): update fingerprint and key (#69)
Browse files Browse the repository at this point in the history
  • Loading branch information
@theborakompanioni
theborakompanioni authored Jan 20, 2025
1 parent 0aecfac commit aed46a5
Showing 1 changed file with 47 additions and 14 deletions.
61 changes: 47 additions & 14 deletions docs/software/verification.md
View file
Original file line number Diff line number Diff line change
@@ -1,33 +1,34 @@
# Verification

All [releases] are signed by one of the Jam [contributors]. As of this writing ([742,834][now]), releases are signed with [dergigi's PGP key][gigi] which has the following fingerprint:

All [releases] are signed by one of the Jam [contributors]. As of this writing ([863,123][now]), releases are signed with [tbk's PGP key][tbk] which has the following fingerprint:
```
8198 A185 30A5 22A0 9561 2439 89C4 A25E 69A5 DE7F
3550 2225 7551 EAB1 26D7 5616 E807 0AF0 053A AC0D
```


### v0.3.0 and above

To verify a specific release, import the key

```
curl https://dergigi.com/PGP.txt | gpg --import
curl https://raw.githubusercontent.com/joinmarket-webui/jam-docker/refs/heads/master/standalone/pubkeys/tbk.asc | gpg --import
```

and [verify the git tag][verify-tag] of your local copy:

[verify-tag]: https://git-scm.com/docs/git-verify-tag

```
git verify-tag v0.0.10
git verify-tag v0.3.0
```

This should produce an output that contains "good signature" as well as the key fingerprint mentioned above:

```
gpg: Signature made Fr 5 Aug 14:17:58 2022 CEST
gpg: using RSA key 8198A18530A522A09561243989C4A25E69A5DE7F
gpg: Good signature from "Gigi <[email protected]>" [unknown]
...
Primary key fingerprint: 8198 A185 30A5 22A0 9561 2439 89C4 A25E 69A5 DE7F
gpg: Signature made Wed 02 Oct 2024 10:19:46 AM UTC
gpg: using RSA key 355022257551EAB126D75616E8070AF0053AAC0D
gpg: Good signature from "theborakompanioni (no comment) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3550 2225 7551 EAB1 26D7 5616 E807 0AF0 053A AC0D
```

---
Expand All @@ -38,9 +39,41 @@ the version number on the [releases page][releases] on GitHub.

It should say that _"This tag was signed with the committer’s verified
signature"_ and show you the last 16 characters of the GPG key ID listed above
(`89C4 A25E 69A5 DE7F`).
(`E807 0AF0 053A AC0D`).

### Before v0.3.0

Releases before v0.3.0 were signed with [dergigi's PGP key][gigi] which has the following fingerprint:

```
8198 A185 30A5 22A0 9561 2439 89C4 A25E 69A5 DE7F
```

To verify a specific release, import the key

```
curl https://dergigi.com/PGP.txt | gpg --import
```

and [verify the git tag][verify-tag] of your local copy:

```
git verify-tag v0.0.10
```

This should produce an output that contains "good signature" as well as the key fingerprint mentioned above:

```
gpg: Signature made Fr 5 Aug 14:17:58 2022 CEST
gpg: using RSA key 8198A18530A522A09561243989C4A25E69A5DE7F
gpg: Good signature from "Gigi <[email protected]>" [unknown]
...
Primary key fingerprint: 8198 A185 30A5 22A0 9561 2439 89C4 A25E 69A5 DE7F
```

[verify-tag]: https://git-scm.com/docs/git-verify-tag
[releases]: https://github.com/joinmarket-webui/jam/releases
[contributors]: https://github.com/joinmarket-webui/jam/graphs/contributors
[now]: https://www.blockstream.info/block-height/742834
[now]: https://www.blockstream.info/block-height/863123
[tbk]: https://raw.githubusercontent.com/joinmarket-webui/jam-docker/refs/heads/master/standalone/pubkeys/tbk.asc
[gigi]: https://dergigi.com/pgp/

0 comments on commit aed46a5

Please sign in to comment.