write verification instructions, and developer statement

This commit is contained in:
meejah 2020-12-20 19:09:34 -07:00
parent 3061e9f913
commit b0cb50b897
2 changed files with 61 additions and 1 deletions

View File

@ -173,7 +173,9 @@ from PyPI with ``venv/bin/pip install tahoe-lafs``. After installation, run
Install From a Source Tarball Install From a Source Tarball
----------------------------- -----------------------------
You can also install directly from the source tarball URL:: You can also install directly from the source tarball URL. To verify
signatures, first see verifying_signatures_ and replace the URL in the
following instructions with the local filename.
% virtualenv venv % virtualenv venv
New python executable in ~/venv/bin/python2.7 New python executable in ~/venv/bin/python2.7
@ -189,6 +191,39 @@ You can also install directly from the source tarball URL::
tahoe-lafs: 1.14.0 tahoe-lafs: 1.14.0
... ...
.. _verifying_signatures:
Verifying Signatures
--------------------
First download the source tarball and then any signatures. There are several
developers who are expected to produce signatures for a release. *At least
two signatures should be verified*.
This statement, signed by the existing Tahoe release-signing key, attests to
those developers authorized to sign a Tahoe release:
.. include:: developer-release-signatures
:code:
Signatures are made available beside the release. So for example, a release
like ``https://tahoe-lafs.org/downloads/tahoe-lafs-1.16.0.tar.bz2`` might
have signatures ``tahoe-lafs-1.16.0.tar.bz2.meejah.asc`` and
``tahoe-lafs-1.16.0.tar.bz2.warner.asc``.
To verify the signatures using GnuPG::
% gpg --verify tahoe-lafs-1.16.0.tar.bz2.meejah.asc tahoe-lafs-1.16.0.tar.bz2
gpg: Signature made XXX
gpg: using RSA key 9D5A2BD5688ECB889DEBCD3FC2602803128069A7
gpg: Good signature from "meejah <meejah@meejah.ca>" [full]
% gpg --verify tahoe-lafs-1.16.0.tar.bz2.warner.asc tahoe-lafs-1.16.0.tar.bz2
gpg: Signature made XXX
gpg: using RSA key 967EFE06699872411A77DF36D43B4C9C73225AAF
gpg: Good signature from "Brian Warner <warner@lothar.com>" [full]
Extras Extras
------ ------

View File

@ -0,0 +1,25 @@
TODO: clear-sign this with the release key
Any two of the following core Tahoe contributers may sign a
release. They each independantly produce a signature which are made
available beside Tahoe releases after 1.15.0
This statement is signed by the previous Tahoe release key. Any future
such statements may be signed by it OR by any two developers (for
example, to add or remove developers from the list).
meejah
0xC2602803128069A7
9D5A 2BD5 688E CB88 9DEB CD3F C260 2803 1280 69A7
https://meejah.ca/meejah.asc
jean-paul calderone
0x??
fingerprint
[url for key]
brian warner
0xD43B4C9C73225AAF
967E FE06 6998 7241 1A77 DF36 D43B 4C9C 7322 5AAF
http://www.lothar.com/warner-gpg.html