1
0
Fork 0
mirror of https://github.com/borgbackup/borg.git synced 2025-01-19 05:49:14 +00:00

Merge pull request #3660 from dragetd/draget-backport-1.1-doc

Add docs on how to verify a signed release
This commit is contained in:
TW 2018-03-03 00:20:24 +01:00 committed by GitHub
commit bf6961f5bd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -24,5 +24,31 @@ GPG Key Fingerprint: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393
The public key can be fetched from any GPG keyserver, but be careful: you must
use the **full fingerprint** to check that you got the correct key.
`Releases <https://github.com/borgbackup/borg/releases>`_ are signed with this GPG key,
please use GPG to verify their authenticity.
Verifying signed releases
-------------------------
`Releases <https://github.com/borgbackup/borg/releases>`_ are signed with the same GPG key and a .asc file is provided for each binary.
To verify a signature, the public key needs to be known to GPG. It can be imported into the local keystore from a keyserver with the fingerprint:
gpg --recv-keys "6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393"
If GPG successfully imported the key, the output should be (among other things): 'Total number processed: 1'.
To verify for example the signature of the borg-linux64 binary:
gpg --verify borg-linux64.asc
GPG outputs if it finds a good signature. The output should look similar to this:
gpg: Signature made Sat 30 Dec 2017 01:07:36 PM CET using RSA key ID 51F78E01
gpg: Good signature from "Thomas Waldmann <email>"
gpg: aka "Thomas Waldmann <email>"
gpg: aka "Thomas Waldmann <email>"
gpg: aka "Thomas Waldmann <email>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393
Subkey fingerprint: 2F81 AFFB AB04 E11F E8EE 65D4 243A CFA9 51F7 8E01
If you want to make absolutely sure that you have the right key, you need to verify it via another channel and assign a trust-level to it.