-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: move pgp verification instructions
Signed-off-by: Charles Moore <[email protected]>
- Loading branch information
1 parent
79d4054
commit 3631766
Showing
2 changed files
with
102 additions
and
99 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -177,105 +177,7 @@ You can download this package from: | |
|
|
||
| ### Verifying GitHub Releases | ||
|
|
||
| You can verify the authenticity of the release artifacts using the `gpg` command line tool. | ||
|
|
||
| 1) Download the desired release artifacts from the GitHub releases page. Make sure to download the corresponding PGP signature file (ending with `.sig`) as well. | ||
| For example, if you would like to verify your download of the wheel for version `1.2.3`, you should have the following files downloaded: | ||
| ``` | ||
| openjd_cli-1.2.3-py3-none-any.whl | ||
| openjd_cli-1.2.3-py3-none-any.whl.sig | ||
| ``` | ||
|
|
||
| 2) Install the `gpg` command line tool. The installation process varies by operating system. Please refer to the GnuPG website for instructions: https://gnupg.org/download/ | ||
|
|
||
| 3) Save the following contents to a file called `openjobdescription-pgp.asc`: | ||
| ``` | ||
| -----BEGIN PGP PUBLIC KEY BLOCK----- | ||
| mQINBGXGjx0BEACdChrQ/nch2aYGJ4fxHNQwlPE42jeHECqTdlc1V/mug+7qN7Pc | ||
| C4NQk4t68Y72WX/NG49gRfpAxPlSeNt18c3vJ9/sWTukmonWYGK0jQGnDWjuVgFT | ||
| XtvJAAQBFilQXN8h779Th2lEuD4bQX+mGB7l60Xvh7vIehE3C4Srbp6KJXskPLPo | ||
| dz/dx7a+GXRiyYCYbGX4JziXSjQZRc0tIaxLn/GDm7VnXpdHcUk3qJitree61oC8 | ||
| agtRHCH5s56E8wt8fXzyStElMkFIZsoLDlLp5lFqT81En9ho/+K6RLBkIj0mC8G7 | ||
| BafpHKlxkrIgNK3pWACL93GE6xihqwkZMCAeqloVvkOTdfAKDHuDSEHwKxHG3cZ1 | ||
| /e1YhtkPMVF+NMeoQavykUGVUT1bRoVNdk6bYsnbUjUI1A+JNf6MqvdRJyckZqEC | ||
| ylkBekBp/SFpFHvQkRCpfVizm2GSrjdZKgXpm1ZlQJyMRVzc/XPbqdSWhz52r3IC | ||
| eudwReHDc+6J5rs6tg3NbFfPVfCBMSqHlu1HRewWAllIp1+y6nfL4U3iEsUvZ1Y6 | ||
| IV3defHIP3kNPU14ZWf3G5rvJDZrIRnjoWhDcaVmivmB/cSdDzphL5FovSI8dsPm | ||
| iU/JZGQb3EvZq+nl4pOiK32hETJ/fgCCzgUA3WqGeFNUNSI9KYZgBe6daQARAQAB | ||
| tDRPcGVuIEpvYiBEZXNjcmlwdGlvbiA8b3BlbmpvYmRlc2NyaXB0aW9uQGFtYXpv | ||
| bi5jb20+iQJXBBMBCABBFiEEvBcWYrv5OB7Tl2sZovDwWbzECYcFAmXGjx0DGy8E | ||
| BQkDwmcABQsJCAcCAiICBhUKCQgLAgMWAgECHgcCF4AACgkQovDwWbzECYcSHRAA | ||
| itPYx48xnJiT6tfnult9ZGivhcXhrMlvirVYOqEtRrt0l18sjr84K8mV71eqFwMx | ||
| GS7e4iQP6guqW9biQfMA5/Id8ZjE7jNbF0LUGsY6Ktj+yOlAbTR+x5qr7Svb7oEs | ||
| TMB/l9HBZ1WtIRzcUk9XYqzvYQr5TT997A63F28u32RchJ+5ECAz4g/p91aWxwVo | ||
| HIfN10sGzttoukJCzC10CZAVscJB+nnoUbB/o3bPak6GUxBHpMgomb0K5g4Z4fXY | ||
| 4AZ9jKFoLgNcExdwteiUdSEnRorZ5Ny8sP84lwJziD3wuamVUsZ1C/KiQJBGTp5e | ||
| LUY38J1oIwptw5fqjaAq2GQxEaIknWQ4fr3ZvNYUuGUt5FbHe5U5XF34gC8PK7v7 | ||
| bT/7sVdZZzKFScDLfH5N36M5FrXfTaXsVbfrRoa2j7U0kndyVEZyJsKVAQ8vgwbJ | ||
| w/w2hKkyQLAg3l5yO5CHLGatsfSIzea4WoOAaroxiNtL9gzVXzqpw6qPEsH9hsws | ||
| HsPEQWXHmDQvFTNUU14qic1Vc5fyxCBXIAGAPBd20b+219XznJ5uBKUgtvnqcItj | ||
| nMYe6Btxh+pjrTA15X/p81z6sB7dkL1hPHfawLhCEzJbIPyyBTQYqY00/ap4Rj7t | ||
| kzSiyzBejniFfAZ6eYBWsej7uXUsVndBF1ggZynPTeE= | ||
| =iaEm | ||
| -----END PGP PUBLIC KEY BLOCK----- | ||
| ``` | ||
| 4) Import the OpenPGP key for Open Job Description by running the following command: | ||
| ``` | ||
| gpg --import --armor openjobdescription-pgp.asc | ||
| ``` | ||
| 5) Determine whether to trust the OpenPGP key. Some factors to consider when deciding whether or not to trust the above key are: | ||
| - The internet connection you’ve used to obtain the GPG key from this website is secure | ||
| - The device that you are accessing this website on is secure | ||
| If you have decided to trust the OpenPGP key, then edit the key to trust with `gpg` like the following example: | ||
| ``` | ||
| $ gpg --edit-key A2F0F059BCC40987 | ||
| gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc. | ||
| This is free software: you are free to change and redistribute it. | ||
| There is NO WARRANTY, to the extent permitted by law. | ||
| pub 4096R/BCC40987 created: 2024-02-09 expires: 2026-02-08 usage: SCEA | ||
| trust: unknown validity: unknown | ||
| [ unknown] (1). Open Job Description <[email protected]> | ||
| gpg> trust | ||
| pub 4096R/BCC40987 created: 2024-02-09 expires: 2026-02-08 usage: SCEA | ||
| trust: unknown validity: unknown | ||
| [ unknown] (1). Open Job Description <[email protected]> | ||
| Please decide how far you trust this user to correctly verify other users' keys | ||
| (by looking at passports, checking fingerprints from different sources, etc.) | ||
| 1 = I don't know or won't say | ||
| 2 = I do NOT trust | ||
| 3 = I trust marginally | ||
| 4 = I trust fully | ||
| 5 = I trust ultimately | ||
| m = back to the main menu | ||
| Your decision? 5 | ||
| Do you really want to set this key to ultimate trust? (y/N) y | ||
| pub 4096R/BCC40987 created: 2024-02-09 expires: 2026-02-08 usage: SCEA | ||
| trust: ultimate validity: unknown | ||
| [ unknown] (1). Open Job Description <[email protected]> | ||
| Please note that the shown key validity is not necessarily correct | ||
| unless you restart the program. | ||
| gpg> quit | ||
| ``` | ||
| 6) Verify the signature of the Open Job Description release via `gpg --verify`. The command for verifying the example files from step 1 would be: | ||
| ``` | ||
| gpg --verify ./openjd_cli-1.2.3-py3-none-any.whl.sig ./openjd_cli-1.2.3-py3-none-any.whl | ||
| ``` | ||
| See [VERIFYING_PGP_SIGNATURE](VERIFYING_PGP_SIGNATURE.md) for more information. | ||
|
|
||
| ## Security | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,101 @@ | ||
| ### Verifying GitHub Releases | ||
|
|
||
| You can verify the authenticity of the release artifacts using the `gpg` command line tool. | ||
|
|
||
| 1) Download the desired release artifacts from the GitHub releases page. Make sure to download the corresponding PGP signature file (ending with `.sig`) as well. | ||
| For example, if you would like to verify your download of the wheel for version `1.2.3`, you should have the following files downloaded: | ||
| ``` | ||
| openjd_cli-1.2.3-py3-none-any.whl | ||
| openjd_cli-1.2.3-py3-none-any.whl.sig | ||
| ``` | ||
|
|
||
| 2) Install the `gpg` command line tool. The installation process varies by operating system. Please refer to the GnuPG website for instructions: https://gnupg.org/download/ | ||
|
|
||
| 3) Save the following contents to a file called `openjobdescription-pgp.asc`: | ||
| ``` | ||
| -----BEGIN PGP PUBLIC KEY BLOCK----- | ||
| mQINBGXGjx0BEACdChrQ/nch2aYGJ4fxHNQwlPE42jeHECqTdlc1V/mug+7qN7Pc | ||
| C4NQk4t68Y72WX/NG49gRfpAxPlSeNt18c3vJ9/sWTukmonWYGK0jQGnDWjuVgFT | ||
| XtvJAAQBFilQXN8h779Th2lEuD4bQX+mGB7l60Xvh7vIehE3C4Srbp6KJXskPLPo | ||
| dz/dx7a+GXRiyYCYbGX4JziXSjQZRc0tIaxLn/GDm7VnXpdHcUk3qJitree61oC8 | ||
| agtRHCH5s56E8wt8fXzyStElMkFIZsoLDlLp5lFqT81En9ho/+K6RLBkIj0mC8G7 | ||
| BafpHKlxkrIgNK3pWACL93GE6xihqwkZMCAeqloVvkOTdfAKDHuDSEHwKxHG3cZ1 | ||
| /e1YhtkPMVF+NMeoQavykUGVUT1bRoVNdk6bYsnbUjUI1A+JNf6MqvdRJyckZqEC | ||
| ylkBekBp/SFpFHvQkRCpfVizm2GSrjdZKgXpm1ZlQJyMRVzc/XPbqdSWhz52r3IC | ||
| eudwReHDc+6J5rs6tg3NbFfPVfCBMSqHlu1HRewWAllIp1+y6nfL4U3iEsUvZ1Y6 | ||
| IV3defHIP3kNPU14ZWf3G5rvJDZrIRnjoWhDcaVmivmB/cSdDzphL5FovSI8dsPm | ||
| iU/JZGQb3EvZq+nl4pOiK32hETJ/fgCCzgUA3WqGeFNUNSI9KYZgBe6daQARAQAB | ||
| tDRPcGVuIEpvYiBEZXNjcmlwdGlvbiA8b3BlbmpvYmRlc2NyaXB0aW9uQGFtYXpv | ||
| bi5jb20+iQJXBBMBCABBFiEEvBcWYrv5OB7Tl2sZovDwWbzECYcFAmXGjx0DGy8E | ||
| BQkDwmcABQsJCAcCAiICBhUKCQgLAgMWAgECHgcCF4AACgkQovDwWbzECYcSHRAA | ||
| itPYx48xnJiT6tfnult9ZGivhcXhrMlvirVYOqEtRrt0l18sjr84K8mV71eqFwMx | ||
| GS7e4iQP6guqW9biQfMA5/Id8ZjE7jNbF0LUGsY6Ktj+yOlAbTR+x5qr7Svb7oEs | ||
| TMB/l9HBZ1WtIRzcUk9XYqzvYQr5TT997A63F28u32RchJ+5ECAz4g/p91aWxwVo | ||
| HIfN10sGzttoukJCzC10CZAVscJB+nnoUbB/o3bPak6GUxBHpMgomb0K5g4Z4fXY | ||
| 4AZ9jKFoLgNcExdwteiUdSEnRorZ5Ny8sP84lwJziD3wuamVUsZ1C/KiQJBGTp5e | ||
| LUY38J1oIwptw5fqjaAq2GQxEaIknWQ4fr3ZvNYUuGUt5FbHe5U5XF34gC8PK7v7 | ||
| bT/7sVdZZzKFScDLfH5N36M5FrXfTaXsVbfrRoa2j7U0kndyVEZyJsKVAQ8vgwbJ | ||
| w/w2hKkyQLAg3l5yO5CHLGatsfSIzea4WoOAaroxiNtL9gzVXzqpw6qPEsH9hsws | ||
| HsPEQWXHmDQvFTNUU14qic1Vc5fyxCBXIAGAPBd20b+219XznJ5uBKUgtvnqcItj | ||
| nMYe6Btxh+pjrTA15X/p81z6sB7dkL1hPHfawLhCEzJbIPyyBTQYqY00/ap4Rj7t | ||
| kzSiyzBejniFfAZ6eYBWsej7uXUsVndBF1ggZynPTeE= | ||
| =iaEm | ||
| -----END PGP PUBLIC KEY BLOCK----- | ||
| ``` | ||
| 4) Import the OpenPGP key for Open Job Description by running the following command: | ||
| ``` | ||
| gpg --import --armor openjobdescription-pgp.asc | ||
| ``` | ||
| 5) Determine whether to trust the OpenPGP key. Some factors to consider when deciding whether or not to trust the above key are: | ||
| - The internet connection you’ve used to obtain the GPG key from this website is secure | ||
| - The device that you are accessing this website on is secure | ||
| If you have decided to trust the OpenPGP key, then edit the key to trust with `gpg` like the following example: | ||
| ``` | ||
| $ gpg --edit-key A2F0F059BCC40987 | ||
| gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc. | ||
| This is free software: you are free to change and redistribute it. | ||
| There is NO WARRANTY, to the extent permitted by law. | ||
| pub 4096R/BCC40987 created: 2024-02-09 expires: 2026-02-08 usage: SCEA | ||
| trust: unknown validity: unknown | ||
| [ unknown] (1). Open Job Description <[email protected]> | ||
| gpg> trust | ||
| pub 4096R/BCC40987 created: 2024-02-09 expires: 2026-02-08 usage: SCEA | ||
| trust: unknown validity: unknown | ||
| [ unknown] (1). Open Job Description <[email protected]> | ||
| Please decide how far you trust this user to correctly verify other users' keys | ||
| (by looking at passports, checking fingerprints from different sources, etc.) | ||
| 1 = I don't know or won't say | ||
| 2 = I do NOT trust | ||
| 3 = I trust marginally | ||
| 4 = I trust fully | ||
| 5 = I trust ultimately | ||
| m = back to the main menu | ||
| Your decision? 5 | ||
| Do you really want to set this key to ultimate trust? (y/N) y | ||
| pub 4096R/BCC40987 created: 2024-02-09 expires: 2026-02-08 usage: SCEA | ||
| trust: ultimate validity: unknown | ||
| [ unknown] (1). Open Job Description <[email protected]> | ||
| Please note that the shown key validity is not necessarily correct | ||
| unless you restart the program. | ||
| gpg> quit | ||
| ``` | ||
| 6) Verify the signature of the Open Job Description release via `gpg --verify`. The command for verifying the example files from step 1 would be: | ||
| ``` | ||
| gpg --verify ./openjd_cli-1.2.3-py3-none-any.whl.sig ./openjd_cli-1.2.3-py3-none-any.whl | ||
| ``` |