mirror of
https://github.com/tahoe-lafs/tahoe-lafs.git
synced 2024-12-24 15:16:41 +00:00
write verification instructions, and developer statement
parent
3061e9f913
commit
b0cb50b897
@ -173,7 +173,9 @@ from PyPI with ``venv/bin/pip install tahoe-lafs``. After installation, run
|
|||||||
Install From a Source Tarball
|
Install From a Source Tarball
|
||||||
-----------------------------
|
-----------------------------
|
||||||
|
|
||||||
You can also install directly from the source tarball URL::
|
You can also install directly from the source tarball URL. To verify
|
||||||
|
signatures, first see verifying_signatures_ and replace the URL in the
|
||||||
|
following instructions with the local filename.
|
||||||
|
|
||||||
% virtualenv venv
|
% virtualenv venv
|
||||||
New python executable in ~/venv/bin/python2.7
|
New python executable in ~/venv/bin/python2.7
|
||||||
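Review bot: The rewritten introductory paragraph now ends at "following instructions with the local filename." and drops the `::` that the old line "source tarball URL::" carried, so the `% virtualenv venv` session below it loses its literal-block marker in reStructuredText. End the new paragraph with `::` (for example "... with the local filename::") so the console transcript still renders as preformatted text. It would also help to state that the signature check is run on the downloaded file before it is handed to pip, since that is the reason for swapping the URL for a local filename.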
@ -189,6 +191,39 @@ You can also install directly from the source tarball URL::
|
|||||||
tahoe-lafs: 1.14.0
|
tahoe-lafs: 1.14.0
|
||||||
...
|
...
|
||||||
|
|
||||||
|
.. _verifying_signatures:
|
||||||
|
|
||||||
|
Verifying Signatures
|
||||||
|
--------------------
|
||||||
|
|
||||||
|
First download the source tarball and then any signatures. There are several
|
||||||
|
developers who are expected to produce signatures for a release. *At least
|
||||||
|
two signatures should be verified*.
|
||||||
|
|
||||||
|
This statement, signed by the existing Tahoe release-signing key, attests to
|
||||||
|
those developers authorized to sign a Tahoe release:
|
||||||
|
|
||||||
|
.. include:: developer-release-signatures
|
||||||
|
:code:
|
||||||
|
|
||||||
|
Signatures are made available beside the release. So for example, a release
|
||||||
|
like ``https://tahoe-lafs.org/downloads/tahoe-lafs-1.16.0.tar.bz2`` might
|
||||||
|
have signatures ``tahoe-lafs-1.16.0.tar.bz2.meejah.asc`` and
|
||||||
|
``tahoe-lafs-1.16.0.tar.bz2.warner.asc``.
|
||||||
|
|
||||||
|
To verify the signatures using GnuPG::
|
||||||
|
|
||||||
|
% gpg --verify tahoe-lafs-1.16.0.tar.bz2.meejah.asc tahoe-lafs-1.16.0.tar.bz2
|
||||||
|
gpg: Signature made XXX
|
||||||
|
gpg: using RSA key 9D5A2BD5688ECB889DEBCD3FC2602803128069A7
|
||||||
|
gpg: Good signature from "meejah <meejah@meejah.ca>" [full]
|
||||||
|
% gpg --verify tahoe-lafs-1.16.0.tar.bz2.warner.asc tahoe-lafs-1.16.0.tar.bz2
|
||||||
|
gpg: Signature made XXX
|
||||||
|
gpg: using RSA key 967EFE06699872411A77DF36D43B4C9C73225AAF
|
||||||
|
gpg: Good signature from "Brian Warner <warner@lothar.com>" [full]
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Extras
|
Extras
|
||||||
------
|
------
|
||||||
|
|
||||||
|
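Review bot: The `gpg --verify` example under "To verify the signatures using GnuPG::" never says how the reader obtains the signers' public keys, and nothing tells them to compare the "using RSA key ..." line against the fingerprints in the included developer statement. The sample output shows "[full]" validity, which a reader who has only just imported a key will not see, and a "Good signature" from a key that is not on the list looks the same at a glance. Suggest adding a step before the verify commands that imports each key and checks its fingerprint against the statement, plus a sentence saying the statement itself is to be verified with the release key first. The "Signature made XXX" placeholder could also carry a short remark that the date will differ.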
25
docs/developer-release-signatures
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
TODO: clear-sign this with the release key
|
||||||
|
|
||||||
|
|
||||||
|
Any two of the following core Tahoe contributers may sign a
|
||||||
|
release. They each independantly produce a signature which are made
|
||||||
|
available beside Tahoe releases after 1.15.0
|
||||||
|
|
||||||
|
This statement is signed by the previous Tahoe release key. Any future
|
||||||
|
such statements may be signed by it OR by any two developers (for
|
||||||
|
example, to add or remove developers from the list).
|
||||||
|
|
||||||
|
meejah
|
||||||
|
0xC2602803128069A7
|
||||||
|
9D5A 2BD5 688E CB88 9DEB CD3F C260 2803 1280 69A7
|
||||||
|
https://meejah.ca/meejah.asc
|
||||||
|
|
||||||
|
jean-paul calderone
|
||||||
|
0x??
|
||||||
|
fingerprint
|
||||||
|
[url for key]
|
||||||
|
|
||||||
|
brian warner
|
||||||
|
0xD43B4C9C73225AAF
|
||||||
|
967E FE06 6998 7241 1A77 DF36 D43B 4C9C 7322 5AAF
|
||||||
|
http://www.lothar.com/warner-gpg.html
|
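Review bot: The new file still opens with "TODO: clear-sign this with the release key", and the jean-paul calderone entry holds only the placeholders "0x??", "fingerprint" and "[url for key]", while the install documentation includes this file and describes it as signed by the existing release-signing key. Until the statement is clear-signed and that entry is filled in or removed, the published page would present an unsigned list as an attestation. Smaller points: "contributers" and "independantly" are misspelled, "a signature which are made" should read "signatures which are made", and the brian warner key link is plain http where the meejah link is https.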