|
From: | Thomas Huth |
Subject: | Re: [qemu-web RFC PATCH] _download/source.html: show the GPG fingerprint for releases |
Date: | Mon, 8 Mar 2021 14:57:11 +0100 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.0 |
On 08/03/2021 12.16, Alex Bennée wrote:
At the moment we mention the signature but don't actually say what it is or how to check it. Lets surface the fingerprint on the information along with a guide of how to verify the download. Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Cc: Michael Roth <mdroth@linux.vnet.ibm.com> Cc: Stefan Hajnoczi <stefanha@redhat.com> --- _download/source.html | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/_download/source.html b/_download/source.html index 35fd156..6c2f6f6 100644 --- a/_download/source.html +++ b/_download/source.html @@ -8,14 +8,21 @@ <div id="releases"> {% include releases.html %} </div> - <p>or stay on the bleeding edge with the - <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p> - + <p> + Our source code tarballs are signed with the release + managers key, fingerprint:
I'd like to suggest to replace the above sentence with: Our source code tarballs are signed with the<a href="http://hkps.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0xCEACC9E15534EBABB82D3FA03353C9CEF108B584">release managers key</a>. The fingerprint of this key is:
+ <pre><code>CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108 B584</code></pre>. + Alternatively stay on the bleeding edge with the + <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p> <h2>Build instructions</h2>{% for release in site.data.releases offset: 0 limit: 1 %}<p>To download and build QEMU {{release.branch}}.{{release.patch}}:</p> <pre>wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz +# optional verify signature +wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig +gpg --output qemu-{{release.branch}}.{{release.patch}}.tar.xz --verify qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig +# extract and build tar xvJf qemu-{{release.branch}}.{{release.patch}}.tar.xz cd qemu-{{release.branch}}.{{release.patch}} ./configure
Thomas
[Prev in Thread] | Current Thread | [Next in Thread] |