These scripts are published for trust and transparency: they show how
I verify that my software releases have not been modified by an
attacker, and they let you perform the necessary checks yourself. The
scripts are licensed so that you can adapt them to the hosting of your
own software.

This is how it works: when I make a software release, I create and push
a git tag. I know that my local git repository is clean, so it is used
as the reference for truth. I also create a tarball for a static
release. I then run ./gen-checksums, which checks that tarball, along
with my non-static releases (the archives created automatically when
the git tags are pushed), against my local git repository. Once all
releases have been validated, ./gen-checksums outputs the checksums for
each tarball, using a number of hash functions. The checksums are not
tied to specific tarballs; they are simply listed as known good
checksums, so a download is accepted if its checksum appears anywhere
in the list.

The checksums are published to my website, where all static files are
signed, so the checksum listing can be trusted.

When creating a package for a distribution, I download the tarball from
the mirror that is used, and validate it against the checksum list
using ./validate-checksum, which prints the checksum for a selected
hash function. ./validate-checksum is primarily intended for first-party
packaging.
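The two steps above (validating a release tarball against a clean
reference tree and emitting its checksums under several hash functions,
then checking a downloaded tarball against the known-good list for one
selected hash function) as an added example in POSIX sh. This is not
the project's own gen-checksums or validate-checksum code. It assumes
coreutils sha256sum/sha512sum, tar, diff and mktemp, and it assumes a
listing format of one "<hash-function> <hex-digest>" line per entry
with no file names, which is a hypothetical format chosen here to
reflect that the digests are known-good values rather than being tied
to a particular tarball.

```shell
#!/bin/sh
# Added example, not the project's own scripts. Assumed tools: coreutils
# sha256sum/sha512sum, tar, diff, mktemp. Listing format is assumed:
# "<hash-function> <hex-digest>" per line, no file names.
set -eu

HASHES="sha256 sha512"   # hash functions used for the listing (assumed)

# Print the hex digest of file $2 under hash function $1 (e.g. sha256).
file_digest() {
    "$1sum" "$2" | cut -d' ' -f1
}

# gen-checksums role: refuse the tarball unless its contents are identical
# to the reference tree (the clean checkout), then append its digests under
# every hash function to the known-good listing.
# Usage: gen_checksums REFERENCE_DIR TARBALL LISTING
gen_checksums() {
    ref=$1 tarball=$2 listing=$3
    tmp=$(mktemp -d)
    tar -xf "$tarball" -C "$tmp"
    # A release tarball is assumed to unpack into a single top-level directory.
    top=$(ls "$tmp")
    if ! diff -r "$ref" "$tmp/$top" >/dev/null; then
        rm -rf "$tmp"
        echo "refusing $tarball: contents differ from reference tree $ref" >&2
        return 1
    fi
    rm -rf "$tmp"
    for h in $HASHES; do
        printf '%s %s\n' "$h" "$(file_digest "$h" "$tarball")" >> "$listing"
    done
}

# validate-checksum role: compute the digest of a downloaded tarball with the
# selected hash function, print it, and succeed only if that exact
# (function, digest) pair is listed as known good.
# Usage: validate_checksum HASH_FUNCTION TARBALL LISTING
validate_checksum() {
    hash=$1 tarball=$2 listing=$3
    d=$(file_digest "$hash" "$tarball")
    if grep -qxF -- "$hash $d" "$listing"; then
        echo "$hash $d"
        return 0
    fi
    echo "$tarball: $hash $d is not a known good checksum" >&2
    return 1
}
```

The comparison step deliberately runs before any digest is written, so a
tarball that was altered between build and upload never enters the
known-good list; the lookup step matches the whole line, so a digest
from one hash function cannot be accepted as a value for another.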

./maandree-dl can be used by package maintainers. It downloads and
validates the latest release (or a specific release of your choosing),
but it also fails if there are important changes that could affect how
the packaging should be performed. ./maandree-dl downloads the release
from an arbitrary mirror (and tries others until it finds one that is
available). This is fine for binary releases, but for releases that are
built from source by the user, the release file should first be
downloaded from the best mirror; ./maandree-dl will validate the
tarball if it has already been downloaded.

Additionally, I sign all git commits and git tags. However, these
signatures eventually become outdated as the PGP key used expires (or
is revoked). The signatures for the checksum listings, on the other
hand, are always kept up to date with the current key.