This document describes how to verify the integrity of the 3YOURMIND deployable artifacts.

The EMail from 3YOURMIND containing the artifact will contain 4 links to 4 files:

• The Archive 3yd-helm.tgz

• The GPG public key (always the same) release-key.asc

• The checksum of the archive sha256.sum

• The signature of the checksum sha256.sum.sig

Import the Release Key

In order to validate the signature, import the release-key as follows:

Then set the owner trust to something to ultimate:

This should only be done one time. The release key does not change.

Check validity:

To check the integrity of the code package follow the following steps:

1. Download all 4 files into one folder

2. Check the Checksum
   
   

   echo "$(cat sha256.sum)" | sha256sum --check

   
   This Must output:

    

3. Check the signature:

   
   This must output something like:

How to verify 3YOURMIND aggregator package

The EMail from 3YOURMIND containing the artifact(archive) will have 4 files:

• The aggregator archive aggregator-v1.5.2.zip

• The GPG public key (always the same) release-key.asc

• The checksum of the archive sha256.sum

• The signature of the checksum sha256.sum.sig

Import the Release Key

In order to validate the signature, import the release-key as follows:

Then set the owner trust to something to ultimate:

This should only be done one time. The release key does not change.

Check validity:

To check the integrity of the code package follow the following steps:

1. Download all 4 files into one folder

2. Check the Checksum
   
   

   
   This Must output:

    

3. Check the signature:

   
   This must output something like: