From 7f93e6102a3720b21cdaee1278437382b2900857 Mon Sep 17 00:00:00 2001 From: Cem Keylan Date: Wed, 7 Apr 2021 10:32:09 +0300 Subject: update installation manual --- carbslinux.texi | 37 ++++++++++++++++++++++++++++++++++--- 1 file changed, 34 insertions(+), 3 deletions(-) (limited to 'carbslinux.texi') diff --git a/carbslinux.texi b/carbslinux.texi index 5ad5518..532bd38 100644 --- a/carbslinux.texi +++ b/carbslinux.texi @@ -207,12 +207,43 @@ sha256sum -c carbs-rootfs.tar.xz.sha256 @subsection Signature verification It is highly recommended to verify the signature of the tarball. You will need -GPG for this. +the OpenBSD tool @samp{signify(1)} for this. Many distributions provide a package for +it, if you are using a Carbs Linux host, you can also install the package +@samp{otools} which provides @samp{signify}. Download the signature first. @example wget $URL/carbs-rootfs.tar.xz.sig -gpg --recv-keys FF484BDFEFCEF8FF -gpg --verify carbs-rootfs.tar.xz.sig +@end example + +The signature file should say something similar to + +@example +untrusted comment: verify with carbslinux-2021.04.pub +RWTBBPDVQ+aHB3dme2Kerf8XY+vWkIISp7Za2ufKghtlnRXPyObAQQyvEJYrwMVTaCBlPEnSWcnHQz8Nka06YVOIeextNKZY3AQ= +@end example + + +Grab the key (which probably should be the latest one) that is written on the +file from @uref{https://dl.carbslinux.org/keys/} so you can verify the signature. The +latest Signify public key is also available on the @uref{https://git.carbslinux.org/repository, package repository}, so you can +check the validity of the public key from multiple locations, or just copy paste +that portion to a file and use that instead. + +@example +PUBKEY=carbslinux-2021.04.pub +wget https://dl.carbslinux.org/keys/$PUBKEY +@end example + +You can now verify the distribution tarball with signify. + +@example +signify -V -m carbs-rootfs.tar.xz -p $PUBKEY +@end example + +If everything went alright, this should output: + +@example +Signature Verified @end example @node Extracting the tarball -- cgit v1.2.3