Next: , Previous: , Up: Installation   [Index]

Tarballs integrity check

You have to verify downloaded tarballs authenticity to be sure that you retrieved trusted and untampered software. There are two options:

OpenPGP .asc signature

Use GNU Privacy Guard free software implementation. For the very first time it is necessary to get signing public key and import it. It is provided here, but you should check alternate resources.

pub   rsa2048/0x2B25868E75A1A953 2017-01-10
      92C2 F0AE FE73 208E 46BF  F3DE 2B25 868E 75A1 A953
uid   NNCP releases <releases at nncpgo dot org>
$ gpg --auto-key-locate dane --locate-keys releases at nncpgo dot org
$ gpg --auto-key-locate  wkd --locate-keys releases at nncpgo dot org
OpenSSH .sig signature

Public key and its OpenPGP signature made with the key above. Its fingerprint: SHA256:FRiWawVNBkyS3jFn8uZ/JlT+PWKSFbhWe5XSixp1+SY.

$ ssh-keygen -Y verify -f -I -n file \
    -s nncp-8.10.0.tar.zst.sig < nncp-8.10.0.tar.zst