This document describes how to verify the integrity of the 3YOURMIND deployable artifacts.

The email from 3YOURMIND containing the artefact will contain 4 links to 4 files:

  • The Archive 3yd-helm.tgz

  • The GPG public key (always the same) release-key.asc

  • The checksum of the archive sha256.sum

  • The signature of the checksum sha256.sum.sig

Import the Release Key

In order to validate the signature, import the release-key as follows:

gpg --import release-key.asc

Then set the owner trust to ultimate:

gpg --edit-key A0958AFDC814773189A8B35C46E54501B9FD10A4 trust
[Input]: 5
[Input]: y
[Input]: quit

This only needs to be done once. The release key does not change.

Check validity:

To check the integrity of the code package, follow these steps:

  1. Download all 4 files into one folder

  2. Check the checksum:

    sha256sum --check sha256.sum


    This must output:

    3yd-helm.tgz: OK

  3. Check the signature:

    gpg --verify sha256.sum.sig sha256.sum


    This must output something like:

    gpg: Signature made Thu Apr 22 12:57:33 2021 CEST
    gpg:                using RSA key A0958AFDC814773189A8B35C46E54501B9FD10A4
    gpg: Good signature from "3YOURMIND <security@3yourmind.com>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: A095 8AFD C814 7731 89A8  B35C 46E5 4501 B9FD 10A4
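
The manual checks above can also be scripted. The following is an added example, not part of 3YOURMIND's documentation: it verifies the signature first, requires it to come from the fingerprint given on this page rather than from any key in the keyring, and only then checks the archive. The function names are hypothetical, and GnuPG and GNU sha256sum are assumed.

```shell
#!/bin/sh
# Added example: scripted form of the manual checks, pinned to the release key.
RELEASE_FPR="A0958AFDC814773189A8B35C46E54501B9FD10A4"  # fingerprint shown on this page

# Reads `gpg --status-fd` output on stdin. Succeeds only if gpg reported GOODSIG
# (not emitted for expired or revoked keys) and a VALIDSIG record whose last
# field, the primary key fingerprint, equals the pinned one.
validsig_matches() {
    awk -v fpr="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($NF "") == (fpr "") { valid = 1 }
        END { exit ((good && valid) ? 0 : 1) }'
}

# Succeeds only if the checksum file ($1) has an entry for the archive name ($2),
# so a signed checksum of some other file is not accepted for this archive.
sum_lists_archive() {
    awk -v name="$2" '
        { f = $2; sub(/^\*/, "", f) }   # binary-mode entries are written as "*name"
        f == name { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Full check. Signature first, so the checksum is trusted before it is used.
verify_release() {
    vr_archive="${1:-3yd-helm.tgz}"
    vr_status="$(gpg --status-fd 1 --verify sha256.sum.sig sha256.sum 2>/dev/null)" || {
        echo "FAIL: gpg could not verify the signature on sha256.sum" >&2; return 1; }
    printf '%s\n' "$vr_status" | validsig_matches "$RELEASE_FPR" || {
        echo "FAIL: signature was not made by $RELEASE_FPR" >&2; return 1; }
    sum_lists_archive sha256.sum "$vr_archive" || {
        echo "FAIL: sha256.sum has no entry for $vr_archive" >&2; return 1; }
    sha256sum --check --strict sha256.sum || {
        echo "FAIL: checksum mismatch" >&2; return 1; }
    echo "OK: $vr_archive matches a checksum signed by $RELEASE_FPR"
}

# Run in the folder holding the four downloaded files.
if [ -f sha256.sum.sig ]; then
    verify_release "$@"
else
    echo "sha256.sum.sig not found; run this in the download folder" >&2
fi
```

Because the script compares the full fingerprint from gpg's machine-readable status output, its result does not depend on the owner-trust level set for the key.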