This document describes how to verify the integrity of the 3YOURMIND deployable artifacts.
The email from 3YOURMIND containing the artifact will contain 4 links to 4 files:
The archive: 3yd-helm.tgz
The GPG public key (always the same): release-key.asc
The checksum of the archive: sha256.sum
The signature of the checksum: sha256.sum.sig
Import the Release Key
To validate the signature, import the release key as follows:
gpg --import release-key.asc
Then set the owner trust to ultimate:
gpg --edit-key A0958AFDC814773189A8B35C46E54501B9FD10A4 trust
[Input]: 5
[Input]: y
[Input]: quit
This should be done only once. The release key does not change.
Check validity:
To check the integrity of the code package, follow these steps:
Download all 4 files into one folder
Check the checksum:
echo "$(cat sha256.sum)" | sha256sum --check
This must output:
3yd-helm.tgz: OK
Check the signature:
gpg --verify sha256.sum.sig sha256.sum
This must output something like:
gpg: Signature made Thu Apr 22 12:57:33 2021 CEST
gpg: using RSA key A0958AFDC814773189A8B35C46E54501B9FD10A4
gpg: Good signature from "3YOURMIND <security@3yourmind.com>" [ultimate]
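The two checks above can be scripted so that a release is accepted only when gpg's machine-readable status names the expected fingerprint, instead of reading the text output by eye. This is an added example, not part of 3YOURMIND's own tooling; the function names, SAMPLE_STATUS and the folder argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: scripted form of the manual checksum and signature checks.
# Fingerprint of the release key, as given in this document.
EXPECTED_FPR="A0958AFDC814773189A8B35C46E54501B9FD10A4"

# Constructed sample of gpg --status-fd output for a good signature
# (illustration only, not captured from a real run).
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 46E54501B9FD10A4 3YOURMIND <security@3yourmind.com>
[GNUPG:] VALIDSIG $EXPECTED_FPR 2021-04-22 1619089053 0 4 0 1 8 00 $EXPECTED_FPR"

# signed_by_release_key STATUS_TEXT
# Succeeds only if the status text has a VALIDSIG line whose last field (the
# primary key fingerprint) equals EXPECTED_FPR and no failure status is present.
signed_by_release_key() {
    printf '%s\n' "$1" | awk -v want="$EXPECTED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && $NF == want { ok = 1 }
        END { exit !(ok && !bad) }'
}

# verify_release DIR
# DIR holds the four downloaded files; the release key is already imported.
verify_release() {
    (
        cd "$1" || exit 1
        # Same check as the manual step; also require the archive's own OK line.
        out=$(LC_ALL=C sha256sum --check sha256.sum) || exit 1
        printf '%s\n' "$out" | grep -qxF '3yd-helm.tgz: OK' || exit 1
        # Machine-readable status on stdout; human-readable text is discarded.
        status=$(gpg --status-fd 1 --verify sha256.sum.sig sha256.sum 2>/dev/null)
        signed_by_release_key "$status"
    )
}
```

Call verify_release with the download folder and act on its exit status. Because the check pins the fingerprint from the VALIDSIG line, its result does not depend on the owner trust level set for the key.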