This document describes how to verify the integrity of the 3YOURMIND deployable artifacts.
The email from 3YOURMIND containing the artifact will contain 4 links to 4 files:
- The archive: 3yd-helm.tgz
- The GPG public key (always the same): release-key.asc
- The checksum of the archive: sha256.sum
- The signature of the checksum: sha256.sum.sig
Import the Release Key
In order to validate the signature, import the release key as follows:

```
gpg --import release-key.asc
```
Then set the owner trust to ultimate:

```
gpg --edit-key A0958AFDC814773189A8B35C46E54501B9FD10A4 trust
[Input]: 5
[Input]: y
[Input]: quit
```
This should only be done one time. The release key does not change.
Check validity:
To check the integrity of the code package, follow these steps:
Download all 4 files into one folder.
Check the checksum:

```
echo "$(cat sha256.sum)" | sha256sum --check
```

This must output:

```
3yd-helm.tgz: OK
```

Check the signature:

```
gpg --verify sha256.sum.sig sha256.sum
```

This must output something like:

```
gpg: Signature made Thu Apr 22 12:57:33 2021 CEST
gpg:                using RSA key A0958AFDC814773189A8B35C46E54501B9FD10A4
gpg: Good signature from "3YOURMIND <security@3yourmind.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A095 8AFD C814 7731 89A8  B35C 46E5 4501 B9FD 10A4
```
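The two checks above can be scripted so that a "Good signature" from any other key in the local keyring is rejected. The following is an added example, not 3YOURMIND's own tooling: it verifies the signature on sha256.sum first, pins the signer to the release key fingerprint given on this page by reading GnuPG's machine-readable status output, and only then checks the archive. The function names are hypothetical; it assumes GnuPG and coreutils `sha256sum` are installed and the release key has been imported.

```shell
#!/bin/sh
# Added example: scripted version of the manual checks on this page.
# Fingerprint of the release key, as printed on this page.
EXPECTED_FPR="A0958AFDC814773189A8B35C46E54501B9FD10A4"

# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line
# ends with the expected fingerprint (the last VALIDSIG field is the
# primary key fingerprint).
status_has_expected_signer() {
  awk -v want="$EXPECTED_FPR" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($NF "") == want { ok = 1 }
    END { exit (ok ? 0 : 1) }'
}

# verify_release DIR: DIR holds 3yd-helm.tgz, sha256.sum and sha256.sum.sig.
verify_release() (
  cd "$1" || exit 1
  # 1. The checksum file is only trustworthy if its signature verifies.
  status=$(gpg --batch --status-fd 1 --verify sha256.sum.sig sha256.sum 2>/dev/null) || {
    echo "FAIL: gpg did not accept sha256.sum.sig" >&2; exit 1; }
  # 2. The signature must come from the release key, not just any known key.
  printf '%s\n' "$status" | status_has_expected_signer || {
    echo "FAIL: signature is not from $EXPECTED_FPR" >&2; exit 1; }
  # 3. The signed checksum file must actually cover the archive.
  grep -Eq '^[0-9a-f]{64} [ *]3yd-helm\.tgz$' sha256.sum || {
    echo "FAIL: sha256.sum does not list 3yd-helm.tgz" >&2; exit 1; }
  # 4. Compare the archive against the signed checksum.
  sha256sum --check --strict sha256.sum
)

# Run as: sh verify.sh /path/to/download/folder
[ "$#" -eq 0 ] || verify_release "$1"
```

Because the signer is matched by fingerprint, the result does not depend on the owner-trust setting of the key.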