From cd25e368114d0e0c000f0e59e2dfd59610e1a187 Mon Sep 17 00:00:00 2001
From: Peter Albrecht
Date: Sun, 13 Dec 2020 17:00:00 +0100
Subject: [PATCH] Add PGP fingerprint to 020_installation.rst

I like the idea of verifying the integrity of applications I download from the internet. So I was very happy to see that restic does provide SHA256-checksums which are signed with the maintainer's PGP key.

The only thing I miss: I could not find a direct way to download the used PGP key and verify the key's fingerprint.

Doing some searches, I found:

* https://github.com/restic/rest-server/issues/121
* https://restic.net/blog/2015-09-16/verifying-code-archive-integrity/

To help other restic users, I think you should add information about your PGP key/fingerprint to this installation doc, too.

To save you some precious time, I created a draft of how this doc might be expanded in this pull request. You are free to accept it or change the text to your liking.

I copied the key/fingerprint text from: ``restic/restic/master/doc/090_participating.rst``

Thank you for your work in restic!
---
 doc/020_installation.rst | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/doc/020_installation.rst b/doc/020_installation.rst index b9f5f2bdc..c5133976e 100644 --- a/doc/020_installation.rst +++ b/doc/020_installation.rst
@@ -188,8 +188,20 @@ are considered stable and releases are made regularly in a controlled manner. There's both pre-compiled binaries for different platforms as well as the source code available for download. Just download and run the one matching your system. -The official binaries can be updated in place using the ``restic self-update`` -command (needs restic 0.9.3 or later): +On your first installation, if you desire, you can verify the integrity of your +downloads by testing the SHA-256 checksums listed in ``SHA256SUMS`` and verifying +the integrity of the file ``SHA256SUMS`` with the PGP signature in ``SHA256SUMS.asc``. +The PGP signature was created using the key (`0x91A6868BD3F7A907 `__): + +:: + + pub 4096R/91A6868BD3F7A907 2014-11-01 + Key fingerprint = CF8F 18F2 8445 7597 3F79 D4E1 91A6 868B D3F7 A907 + uid Alexander Neumann + sub 4096R/D5FC2ACF4043FDF1 2014-11-01 + +Once downloaded, the official binaries can be updated in place using the +``restic self-update`` command (needs restic 0.9.3 or later): .. code-block:: console
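
Review bot: The added paragraph ahead of the key block describes the check in an order that weakens it, and gives the reader no commands to run. A matching SHA-256 checksum means nothing until the signature in ``SHA256SUMS.asc`` has been validated with a key whose full fingerprint the reader has compared against the one printed here. I would state the steps in that order: import the key, compare all 40 hex digits of the fingerprint (not only the 64-bit ID ``0x91A6868BD3F7A907`` used as the link text), run `gpg --verify SHA256SUMS.asc SHA256SUMS`, then `sha256sum --ignore-missing -c SHA256SUMS`. The key listing uses a bare ``::`` literal block while the following command uses ``.. code-block:: console``; pick one for consistency. Because the fingerprint is copied from ``090_participating.rst``, a cross-reference to that section would keep the two copies from drifting apart. "On your first installation" also reads as if verification only matters once, although it applies to every manually downloaded release.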