From ed863fcf6f05f19f8169c241fc752301bb52b513 Mon Sep 17 00:00:00 2001 From: rugk Date: Thu, 15 Sep 2016 15:50:46 +0200 Subject: [PATCH] Add signature verification instructions --- FAQ.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/FAQ.md b/FAQ.md index ef4a7f4..e71fe5e 100644 --- a/FAQ.md +++ b/FAQ.md 
@@ -75,6 +75,35 @@ However people have different security requirements and sometimes a fast way to ## Technical +### How can I securely clone/download your project? + +As of the PrivateBin 1.0 release we [cryptographically sign](https://git-scm.com/book/uz/v2/Git-Tools-Signing-Your-Work) our git commits and tags, so that you can verify we actually developed the software. Should the signature ever change, please look for a signed message of the current developers, which states that there is a new developer with a new signature. +Here is the workflow you should use for verifying commits or tags: + +1. Download our public keys [from PrivateBin.info](https://privatebin.info/credits.html). +2. Verify the keys. Here are our fingerprints: + [@elrido](https://github.com/elrido/): `1C2A 890A F113 5CEC 3681 666A 0F5C 940A 6BD8 1F92` + [@rugk](https://github.com/rugk): `ABA9 B8F6 F448 B07F D7EA 4A1A 05D4 0A63 6AFA B34D` + You can use `gpg --list-public-keys --fingerprint` to view the fingerprints of all public keys. +3. Import the keys [and adjust the trust level](https://www.gnupg.org/gph/en/manual/x334.html). We recommend that you sign the keys with your own or set the trust level to the highest one (not recommend). + **Note:** If you only update PrivateBin manually and do not automate the setup you can skip this step. +3. Now you can use [`git verify-commit HEAD`](https://git-scm.com/docs/git-verify-commit] to verify the latest commit or you can use [`git verify-tag `](https://git-scm.com/docs/git-verify-tag) to verify a specific tag. + You should get a message similar to this one: + + ``` + $ git verify-commit HEAD + gpg: Signature made Thu Sep 15 15:23:54 2016 CEST + gpg: using RSA key 0x05D40A636AFAB34D + gpg: Good signature from "rugk git (software signing only) " [] + Primary key fingerprint: ABA9 B8F6 F448 B07F D7EA 4A1A 05D4 0A63 6AFA B34D + ```` + + If you get a message that the signature is untrusted you may have skipped step 2. 
Now you should check the fingerprint shows in the output. If no one is shown you have to check the key with `gpg --list-public-keys --fingerprint` as mentioned above. +4. For subsequent updates it is enough to just run `git pull --verify-signatures`. It will check the signatures automatically and will notify you if a commit is not signed by a trusted PGP key. + Note that if you skipped step 2 the imported key is not trusted and the command may fail too. In this case you can just do a usual `git pull` and then use the steps explained above to verify the signature. + +**Note:** The GitHub wiki is currently not signed by anyone. + ### How should I setup HTTPS? There are many guides and test tools, which may help you how to setup HTTPS. Here are some recommendations:
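Review bot: the numbered list in this hunk has two items labelled `3.` (the key-import/trust step and the `git verify-commit HEAD` step) followed by `4.`, so the cross-references "you may have skipped step 2" and "if you skipped step 2" point at the fingerprint-check step rather than the import/trust step they describe; renumber the items 1 to 5 and make both references point at the import/trust step. Two markdown defects in the same hunk: the `git verify-commit` link closes with `]` instead of `)` (`[\`git verify-commit HEAD\`](https://git-scm.com/docs/git-verify-commit]`), which renders as broken text, and the sample output block is opened with three backticks but closed with four (` ```` `), which some renderers treat as an unclosed fence that swallows the rest of the section. In the import step, "set the trust level to the highest one (not recommend)" reads as both a recommendation and a warning; suggest "…or, less safely, set the trust level to ultimate" (and spell "recommended"). The sample output line `gpg: Good signature from "rugk git (software signing only) " []` ends in an empty bracket where gpg prints the trust level (for example `[full]`), so either paste the complete line or drop the brackets so readers are not left comparing against an empty value. The signing-guide link points at the Uzbek translation of the Pro Git book (`/book/uz/v2/…`); `/book/en/v2/Git-Tools-Signing-Your-Work` is the English page. Per the git documentation, `--verify-signatures` on pull/merge verifies the tip commit of the branch being merged rather than every commit, so "will notify you if a commit is not signed by a trusted PGP key" overstates the check; "checks that the tip commit you pull is signed by a trusted key" would be accurate. Also, "check the fingerprint shows in the output. If no one is shown" should read "check that the fingerprint is shown in the output. If none is shown".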