arno/privatebin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add signature verification instructions

rugk 2016-09-15 15:50:46 +02:00
parent 36716edbf7
commit ed863fcf6f
1 changed files with 29 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
FAQ.md

@ -75,6 +75,35 @@ However people have different security requirements and sometimes a fast way to
## Technical
### How can I securely clone/download your project?
As of the PrivateBin 1.0 release we [cryptographically sign](https://git-scm.com/book/uz/v2/Git-Tools-Signing-Your-Work) our git commits and tags, so that you can verify we actually developed the software. Should the signature ever change, please look for a signed message of the current developers, which states that there is a new developer with a new signature.
Here is the workflow you should use for verifying commits or tags:
1. Download our public keys [from PrivateBin.info](https://privatebin.info/credits.html).
2. Verify the keys. Here are our fingerprints:
[@elrido](https://github.com/elrido/): `1C2A 890A F113 5CEC 3681 666A 0F5C 940A 6BD8 1F92`
[@rugk](https://github.com/rugk): `ABA9 B8F6 F448 B07F D7EA 4A1A 05D4 0A63 6AFA B34D`
You can use `gpg --list-public-keys --fingerprint` to view the fingerprints of all public keys.
3. Import the keys [and adjust the trust level](https://www.gnupg.org/gph/en/manual/x334.html). We recommend that you sign the keys with your own or set the trust level to the highest one (not recommend).
**Note:** If you only update PrivateBin manually and do not automate the setup you can skip this step.
3. Now you can use [`git verify-commit HEAD`](https://git-scm.com/docs/git-verify-commit] to verify the latest commit or you can use [`git verify-tag <tag here>`](https://git-scm.com/docs/git-verify-tag) to verify a specific tag.
You should get a message similar to this one:
```
$ git verify-commit HEAD
gpg: Signature made Thu Sep 15 15:23:54 2016 CEST
gpg: using RSA key 0x05D40A636AFAB34D
gpg: Good signature from "rugk git (software signing only) <rugk@posteo.de>" [<trust level here>]
Primary key fingerprint: ABA9 B8F6 F448 B07F D7EA 4A1A 05D4 0A63 6AFA B34D
````
If you get a message that the signature is untrusted you may have skipped step 2. Now you should check the fingerprint shows in the output. If no one is shown you have to check the key with `gpg --list-public-keys --fingerprint` as mentioned above.
4. For subsequent updates it is enough to just run `git pull --verify-signatures`. It will check the signatures automatically and will notify you if a commit is not signed by a trusted PGP key.
Note that if you skipped step 2 the imported key is not trusted and the command may fail too. In this case you can just do a usual `git pull` and then use the steps explained above to verify the signature.
**Note:** The GitHub wiki is currently not signed by anyone.
### How should I setup HTTPS?
There are many guides and test tools, which may help you how to setup HTTPS. Here are some recommendations: