...
The EMail from 3YOURMIND containing the artefact artifact will contain 4 links to 4 files:
...
Download all 4 files into one folder
Check the Checksum
Code Block echo "$(cat sha256.sum)" | sha256sum --check
This Must output:Code Block 3yd-helm.tgz: OK
Check the signature:
Code Block gpg --verify sha256.sum.sig sha256.sum
This must output something like:Code Block language none gpg: Signature made Thu Apr 22 12:57:33 2021 CEST gpg: using RSA key A0958AFDC814773189A8B35C46E54501B9FD10A4 gpg: Good signature from "3YOURMIND <security@3yourmind.com>" [ultimate]
How to verify 3YOURMIND aggregator package
The EMail from 3YOURMIND containing the artifact(archive) will have 4 files:
The aggregator archive
aggregator-v1.5.2.zipThe GPG public key (always the same)
release-key.ascThe checksum of the archive
sha256.sumThe signature of the checksum
sha256.sum.sig
Import the Release Key
In order to validate the signature, import the release-key as follows:
| Code Block |
|---|
gpg --import release-key.asc |
Then set the owner trust to something to ultimate:
| Code Block | ||
|---|---|---|
| ||
gpg --edit-key 46E54501B9FD10A4 trust
[Input]: 5
[Input]: y
[Input]: quit |
This should only be done one time. The release key does not change.
Check validity:
To check the integrity of the code package follow the following steps:
Download all 4 files into one folder
Check the Checksum
Code Block echo "$(cat sha256.sum)" | sha256sum --check
This Must output:Code Block aggregator-v1.5.2.zip: OKCheck the signature:
Code Block gpg --verify sha256.sum.sig sha256.sum
This must output something like:Code Block language bash gpg: Signature made Thu 26 Aug 2021 04:51:01 PM CEST gpg: using RSA key A0958AFDC814773189A8B35C46E54501B9FD10A4 gpg: Good signature from "3YOURMIND <security@3yourmind.com>" [ultimate]
...