Diffstat (limited to 'README')
-rw-r--r-- | README | 38 |
1 files changed, 38 insertions, 0 deletions
@@ -0,0 +1,38 @@ +These scripts are offered for trust and transparency in how I secure +my software releases are not modified by an attacker. And also to enable +to you easily perform the necessarily check. These scripts are licenced +so that you can adapt them to your hosting of your own software. + +This is how it works: when I make a software release, a create and push +a git tag, I know that my local git repositry is clean. This is used +as the reference for truth. I also create a tarball for a static release. +I then use ./gen-checksums which checks the tarball, along with my +non-static releases (created by pushing the git tags), against my local +git repositry. Once all releases have been validated, ./gen-checksums +outputs the checksums for each tarball, using a number of hash functions. +The checksums are not specifically tied to the tarballs, but rather listed +as known good checksums. + +The checksums are published to my website, where all static files are +signed, so the checksum listing can be trusted. + +When creating a package for a distribution, I download the tarball for +the used mirror, and validate it against the checksum list using +./validate-checksum which prints the checksum for a selected hash +function. ./validate-checksum is primary intended for first party +packaging. + +./maandree-dl can be used by package maintainers. It will download +and validate the latest release (or a specific release of your choosing), +but it will also fail if there are important changes that could effect +how the packaging should be performed. ./maandree-dl will download the +release from an arbitrary mirror (and try others until it finds one that +is available). This is good for binary releases, but for releases that +are built by the user from source, the release file should first be +downloaded from the best mirror (./maandree-dl will validate the tarball +if it's already downloaded). 
+ +Additionally, I sign all git commits and git tags, however these +signatures eventually become outdated as the used PGP key expires (or +is revoked). The signatures for the checksum listings are always kept +up to date with the key. |
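Review bot: the README states that the published checksums "are not specifically tied to the tarballs, but rather listed as known good checksums", so ./validate-checksum and ./maandree-dl as described can confirm that a downloaded file is one of the author's releases, but not that it is the release the packager asked for; the README should say how a packager maps a checksum back to a release name and version (or state that ./maandree-dl performs that check) so an older tarball cannot be accepted in place of the intended one. The same paragraph leaves "a number of hash functions" unspecified, so a packager cannot tell which "selected hash function" ./validate-checksum expects; listing them would help. A few wording slips are worth fixing before merge: "a create and push a git tag" should read "I create and push a git tag", "repositry" should read "repository" (twice), "licenced" should read "licensed", "enable to you easily perform the necessarily check" should read "enable you to easily perform the necessary check", "primary intended" should read "primarily intended", and "could effect how the packaging" should read "could affect how the packaging".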