How to verify 3YOURMIND installation package

This document describes how to verify the integrity of the 3YOURMIND deployable artifacts.

The EMail from 3YOURMIND containing the artifact will contain 4 links to 4 files:

  • The Archive 3yd-helm.tgz

  • The GPG public key (always the same) release-key.asc

  • The checksum of the archive sha256.sum

  • The signature of the checksum sha256.sum.sig

 

Import the Release Key

In order to validate the signature, import the release-key as follows:

gpg --import release-key.asc

Then set the owner trust to something to ultimate:

gpg --edit-key A0958AFDC814773189A8B35C46E54501B9FD10A4 trust [Input]: 5 [Input]: y [Input]: quit

This should only be done one time. The release key does not change.

 

Check validity:

To check the integrity of the code package follow the following steps:

  1. Download all 4 files into one folder

  2. Check the Checksum

    echo "$(cat sha256.sum)" | sha256sum --check


    This Must output:

     

  3. Check the signature:


    This must output something like:

 

How to verify 3YOURMIND aggregator package

 

The EMail from 3YOURMIND containing the artifact(archive) will have 4 files:

  • The aggregator archive aggregator-v1.5.2.zip

  • The GPG public key (always the same) release-key.asc

  • The checksum of the archive sha256.sum

  • The signature of the checksum sha256.sum.sig

Import the Release Key

In order to validate the signature, import the release-key as follows:

Then set the owner trust to something to ultimate:

This should only be done one time. The release key does not change.

 

Check validity:

To check the integrity of the code package follow the following steps:

  1. Download all 4 files into one folder

  2. Check the Checksum


    This Must output:

     

  3. Check the signature:


    This must output something like: