From cd25e368114d0e0c000f0e59e2dfd59610e1a187 Mon Sep 17 00:00:00 2001 From: Peter Albrecht Date: Sun, 13 Dec 2020 17:00:00 +0100 Subject: [PATCH 1/2] Add PGP fingerprint to 020_installation.rst I like the idea of verifying the integrity of applications I download from the internet. So I was very happy to see that restic does provide SHA256 checksums which are signed with the maintainer's PGP key. The only thing I miss: I could not find a direct way to download the used PGP key and verify the key's fingerprint. Doing some searches, I found: * https://github.com/restic/rest-server/issues/121 * https://restic.net/blog/2015-09-16/verifying-code-archive-integrity/ To help other restic users, I think you should add information about your PGP key/fingerprint to this installation doc, too. To save you some precious time, I created a draft of how this doc might be expanded in this pull request. You are free to accept it or change the text to your liking. I copied the key/fingerprint text from: ``restic/restic/master/doc/090_participating.rst`` Thank you for your work in restic! --- doc/020_installation.rst | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/doc/020_installation.rst b/doc/020_installation.rst index b9f5f2bdc..c5133976e 100644 --- a/doc/020_installation.rst +++ b/doc/020_installation.rst
@@ -188,8 +188,20 @@ are considered stable and releases are made regularly in a controlled manner. There's both pre-compiled binaries for different platforms as well as the source code available for download. Just download and run the one matching your system. -The official binaries can be updated in place using the ``restic self-update`` -command (needs restic 0.9.3 or later): +On your first installation, if you desire, you can verify the integrity of your +downloads by testing the SHA-256 checksums listed in ``SHA256SUMS`` and verifying +the integrity of the file ``SHA256SUMS`` with the PGP signature in ``SHA256SUMS.asc``. +The PGP signature was created using the key (`0x91A6868BD3F7A907 `__): + +:: + + pub 4096R/91A6868BD3F7A907 2014-11-01 + Key fingerprint = CF8F 18F2 8445 7597 3F79 D4E1 91A6 868B D3F7 A907 + uid Alexander Neumann + sub 4096R/D5FC2ACF4043FDF1 2014-11-01 + +Once downloaded, the official binaries can be updated in place using the +``restic self-update`` command (needs restic 0.9.3 or later): .. code-block:: console From 8de4401bb5514ac796b36bf678877d186c1688cf Mon Sep 17 00:00:00 2001 From: Peter Albrecht Date: Fri, 19 Nov 2021 15:47:59 +0100 Subject: [PATCH 2/2] Changed URL for key-file The keyfile provided by restic's own webserver (https://restic.net) should be more stable than relying on public keyservers. So I changed the URL to the GPG keyfile, as recommended by MichaelEischer. --- doc/020_installation.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/020_installation.rst b/doc/020_installation.rst index c5133976e..577d273b2 100644 --- a/doc/020_installation.rst +++ b/doc/020_installation.rst 
@@ -191,7 +191,7 @@ code available for download. Just download and run the one matching your system. On your first installation, if you desire, you can verify the integrity of your downloads by testing the SHA-256 checksums listed in ``SHA256SUMS`` and verifying the integrity of the file ``SHA256SUMS`` with the PGP signature in ``SHA256SUMS.asc``. -The PGP signature was created using the key (`0x91A6868BD3F7A907 `__): +The PGP signature was created using the key (`0x91A6868BD3F7A907 `__): ::
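Review bot: in the first hunk, the added line ``The PGP signature was created using the key (`0x91A6868BD3F7A907 `__):`` shows an anonymous hyperlink with nothing between the key ID and the closing backtick; as displayed there is no ``<URL>`` target, so docutils will report an anonymous hyperlink mismatch and readers get no way to fetch the key. Please confirm the target is really present in the file, or drop the link markup and keep the plain key ID. The same paragraph tells the reader to check ``SHA256SUMS`` against ``SHA256SUMS.asc`` but not how; a short ``.. code-block:: console`` with ``gpg --verify SHA256SUMS.asc SHA256SUMS`` followed by ``sha256sum -c --ignore-missing SHA256SUMS`` would match the console block that follows this hunk, and the text should say to compare the fingerprint gpg prints with the ``CF8F 18F2 8445 7597 3F79 D4E1 91A6 868B D3F7 A907`` fingerprint listed here before trusting the signature, since that comparison is what protects against a substituted key.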
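Review bot: in the second hunk the removed and added lines are identical as displayed, so the change the commit message describes (the keyserver link replaced by the key file on restic.net) cannot be reviewed from this diff; please check that the new ``<...>`` target actually survives in ``doc/020_installation.rst`` and points at restic.net. Even with the key served from the project's own site, the sentence should still direct readers to check the imported key's fingerprint against the value shown in the literal block rather than trusting the download alone, because the key file and the binaries are fetched over the same channel.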