-rw-r--r-- carbslinux.org 46
-rw-r--r-- carbslinux.texi 37
-rw-r--r-- install.txt 42
3 files changed, 116 insertions, 9 deletions
diff --git a/carbslinux.org b/carbslinux.org
index 0cbe33b..05ad080 100644
--- a/carbslinux.org
+++ b/carbslinux.org
@@ -13,6 +13,11 @@ are used for assigning IDs to contribution guidelines.
#+MACRO: contid [@@texinfo:@anchor{$1}@@$1]
#+MACRO: sectid $2 [@@texinfo:@anchor{$1}@@$1]
+#+NAME: pubkey
+#+begin_src sh :exports none
+PUBKEY=carbslinux-2021.04.pub
+#+end_src
+
This is the full documentation of [[https://carbslinux.org][Carbs Linux]], from the details of the
distribution, installation, to the package manager. It is not yet complete.
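Review bot: The key file name in the new `pubkey` block (`PUBKEY=carbslinux-2021.04.pub`) is date-versioned, and because the block is `:exports none` nothing in the rendered manual shows where the name is defined. Add a comment inside the block saying it has to be bumped whenever the signing key is rotated, so the noweb reference and any hard-coded copies of the name elsewhere in the file stay in step.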
@@ -150,14 +155,49 @@ sha256sum -c carbs-rootfs.tar.xz.sha256
:END:
It is highly recommended to verify the signature of the tarball. You will need
-GPG for this.
+the OpenBSD tool =signify(1)= for this. Many distributions provide a package for
+it, if you are using a Carbs Linux host, you can also install the package
+=otools= which provides =signify=. Download the signature first.
#+BEGIN_SRC sh
wget $URL/carbs-rootfs.tar.xz.sig
-gpg --recv-keys FF484BDFEFCEF8FF
-gpg --verify carbs-rootfs.tar.xz.sig
#+END_SRC
+The signature file should say something similar to
+
+#+begin_src sh :exports results :results verbatim
+curl -L https://dl.carbslinux.org/releases/x86_64/carbs-rootfs.tar.xz.sig
+#+end_src
+
+#+RESULTS:
+: untrusted comment: verify with carbslinux-2021.04.pub
+: RWTBBPDVQ+aHB3dme2Kerf8XY+vWkIISp7Za2ufKghtlnRXPyObAQQyvEJYrwMVTaCBlPEnSWcnHQz8Nka06YVOIeextNKZY3AQ=
+
+Grab the key (which probably should be the latest one) that is written on the
+file from [[https://dl.carbslinux.org/keys/]] so you can verify the signature. The
+latest Signify public key is also available on the [[https://git.carbslinux.org/repository][package repository]], so you can
+check the validity of the public key from multiple locations, or just copy paste
+that portion to a file and use that instead.
+
+#+begin_src sh :noweb yes
+<<pubkey>>
+wget https://dl.carbslinux.org/keys/$PUBKEY
+#+end_src
+
+You can now verify the distribution tarball with signify.
+
+#+begin_src sh
+signify -V -m carbs-rootfs.tar.xz -p $PUBKEY
+#+end_src
+
+If everything went alright, this should output:
+
+#+begin_example
+Signature Verified
+#+end_example
+
+
+
*** Extracting the tarball
:PROPERTIES:
:DESCRIPTION: Extracting the root filesystem to the desired location
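Review bot: In the paragraph starting "Grab the key", the name of the key to fetch is taken from the `untrusted comment:` line of the signature file, which signify does not authenticate, and the key is then downloaded from the same `dl.carbslinux.org` host that serves the tarball and the signature. Anyone able to alter that host can replace all three together, so comparing the key against the copy in the package repository should be written as a required step rather than something "you can" do. The closing clause "or just copy paste that portion to a file" is also unclear about which portion is meant; say explicitly that it is the key text as published in the repository. Minor: if the `curl -L` block with `:exports results` is evaluated at export time, building the manual will depend on network access even though the `#+RESULTS:` lines are already committed.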
diff --git a/carbslinux.texi b/carbslinux.texi
index 5ad5518..532bd38 100644
--- a/carbslinux.texi
+++ b/carbslinux.texi
@@ -207,12 +207,43 @@ sha256sum -c carbs-rootfs.tar.xz.sha256
@subsection Signature verification
It is highly recommended to verify the signature of the tarball. You will need
-GPG for this.
+the OpenBSD tool @samp{signify(1)} for this. Many distributions provide a package for
+it, if you are using a Carbs Linux host, you can also install the package
+@samp{otools} which provides @samp{signify}. Download the signature first.
@example
wget $URL/carbs-rootfs.tar.xz.sig
-gpg --recv-keys FF484BDFEFCEF8FF
-gpg --verify carbs-rootfs.tar.xz.sig
+@end example
+
+The signature file should say something similar to
+
+@example
+untrusted comment: verify with carbslinux-2021.04.pub
+RWTBBPDVQ+aHB3dme2Kerf8XY+vWkIISp7Za2ufKghtlnRXPyObAQQyvEJYrwMVTaCBlPEnSWcnHQz8Nka06YVOIeextNKZY3AQ=
+@end example
+
+
+Grab the key (which probably should be the latest one) that is written on the
+file from @uref{https://dl.carbslinux.org/keys/} so you can verify the signature. The
+latest Signify public key is also available on the @uref{https://git.carbslinux.org/repository, package repository}, so you can
+check the validity of the public key from multiple locations, or just copy paste
+that portion to a file and use that instead.
+
+@example
+PUBKEY=carbslinux-2021.04.pub
+wget https://dl.carbslinux.org/keys/$PUBKEY
+@end example
+
+You can now verify the distribution tarball with signify.
+
+@example
+signify -V -m carbs-rootfs.tar.xz -p $PUBKEY
+@end example
+
+If everything went alright, this should output:
+
+@example
+Signature Verified
@end example
@node Extracting the tarball
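Review bot: The verify command `signify -V -m carbs-rootfs.tar.xz -p $PUBKEY` never names the signature file the reader was just told to download; it works only because signify defaults to the message name with `.sig` appended. Either pass `-x carbs-rootfs.tar.xz.sig` explicitly or add a sentence saying the signature must sit next to the tarball under that name. Style: "Many distributions provide a package for it, if you are using a Carbs Linux host, ..." is a comma splice and reads better as two sentences.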
diff --git a/install.txt b/install.txt
index bfe8cae..59e892e 100644
--- a/install.txt
+++ b/install.txt
@@ -82,14 +82,50 @@ can be acquired as plain-text to be viewed offline with a pager from
~~~~~~~~~~~~~~~~~~~~~~~~~~
It is highly recommended to verify the signature of the tarball. You
- will need GPG for this.
+ will need the OpenBSD tool `signify(1)' for this. Many distributions
+ provide a package for it, if you are using a Carbs Linux host, you can
+ also install the package `otools' which provides `signify'. Download
+ the signature first.
,----
| wget $URL/carbs-rootfs.tar.xz.sig
- | gpg --recv-keys FF484BDFEFCEF8FF
- | gpg --verify carbs-rootfs.tar.xz.sig
`----
+ The signature file should say something similar to
+
+ ,----
+ | untrusted comment: verify with carbslinux-2021.04.pub
+ | RWTBBPDVQ+aHB3dme2Kerf8XY+vWkIISp7Za2ufKghtlnRXPyObAQQyvEJYrwMVTaCBlPEnSWcnHQz8Nka06YVOIeextNKZY3AQ=
+ `----
+
+
+ Grab the key (which probably should be the latest one) that is written
+ on the file from <https://dl.carbslinux.org/keys/> so you can verify
+ the signature. The latest Signify public key is also available on the
+ [package repository], so you can check the validity of the public key
+ from multiple locations, or just copy paste that portion to a file and
+ use that instead.
+
+ ,----
+ | PUBKEY=carbslinux-2021.04.pub
+ | wget https://dl.carbslinux.org/keys/$PUBKEY
+ `----
+
+ You can now verify the distribution tarball with signify.
+
+ ,----
+ | signify -V -m carbs-rootfs.tar.xz -p $PUBKEY
+ `----
+
+ If everything went alright, this should output:
+
+ ,----
+ | Signature Verified
+ `----
+
+
+[package repository] <https://git.carbslinux.org/repository>
+
1.3 Extracting the tarball
~~~~~~~~~~~~~~~~~~~~~~~~~~
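Review bot: The text after the `signify -V` command covers only the success case ("Signature Verified") and then moves straight on to "1.3 Extracting the tarball". Add a sentence telling the reader to stop and not extract the tarball if signify prints anything else or exits with an error, since the extraction step that follows is what the check is meant to protect.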