Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2025-01-12 15:59:37 -05:00
Code Issues Packages Projects Releases Wiki Activity

Add git commit signature verification instructions

Browse Source
This commit is contained in:
Andrew David Wong 2017-03-06 19:22:16 -08:00
parent 5550c61fbf
commit 785bfa7ce3
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17
1 changed files with 16 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
installing/verifying-signatures.md
View File

@ -284,14 +284,26 @@ came from the Qubes devs.
Verifying Qubes Code Verifying Qubes Code
-------------------- --------------------
Developers who fetch code from our Git server should always verify tags on the Developers who fetch code from our Git server should always verify the PGP signature of the tag on the latest commit.
latest commit. Any commits that are not followed by a signed tag should not be In some cases, commits themselves may also be signed.
trusted! Any unsigned commit that is not followed by a signed tag should not be trusted!
To verify a signature on a git tag, you can use: To verify a signature on a git tag:
$ git tag -v <tag name> $ git tag -v <tag name>
or
$ git verify-tag <tag name>
To verify a signature on a git commit:
$ git log --show-signature <commit ID>
or
$ git verify-commit <commit ID>
[Qubes Master Signing Key]: https://keys.qubes-os.org/keys/qubes-master-signing-key.asc [Qubes Master Signing Key]: https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
[keyserver]: https://en.wikipedia.org/wiki/Key_server_%28cryptographic%29#Keyserver_examples [keyserver]: https://en.wikipedia.org/wiki/Key_server_%28cryptographic%29#Keyserver_examples