Table of Contents
This guide covers Zap release packages signing and how to verify the signatures on downloaded release artifacts.
Release signing allows users to verify that the artifacts they have downloaded were published by a trusted party (such as a team or package distribution service). This can be done using GPG command line tools. Package management tools such as
yum also verify repository signatures.
Importing Signing Keys
Before signatures can be verified, the Zap signing key must be downloaded. The key can be obtained directly or using the SKS keyservers pool. The direct download method is recommended because SKS servers are prone to overload.
Import from Keybase:
$ curl https://keybase.io/ln_zap/pgp_keys.asc | gpg --import
Import from Github:
$ curl -L https://github.com/LN-Zap/signing-keys/releases/download/1.0/zap-release-signing-key.asc --output zap-release-signing-key.asc $ gpg --import zap-release-signing-key.asc
Using a Key Server
The key can also be imported using an SKS keyservers pool:
$ gpg --keyserver "sks-keyservers.net" --recv-keys "539D6D2E45772011E6F21B427F267CF192D42A1A"
To check signatures for the packages, download the Zap signing key
and a signature file. Signature files use the
.asc extension, e.g.
$ gpg --verify [filename].asc
Here's an example session, after having retrieved a Zap source archive and its associated detached signature from the download area:
$ gpg --verify SHASUMS256.txt.asc gpg: Signature made Sat 17 Aug 15:48:54 2019 CEST gpg: using RSA key CD8D406569B5047AC1BD8CBB7C0D9E4A52F34905 gpg: issuer "email@example.com" gpg: Good signature from "Zap Solutions <firstname.lastname@example.org>" [ultimate]
If the signature is invalid, a "BAD signature" message will be emitted. If that's the case the origin of the package, the signature file and the signing key should be carefully verified. Packages that fail signature verification must not be used.
If the signature is valid, you should expect a "Good signature" message; if you've not signed our key, you will see a "Good signature" message along with a warning about our key being untrusted.
If you trust the Zap signing key you avoid the warning output by GnuPG by signing it using your own key (to create your private key run
$ gpg --sign-key 539D6D2E45772011E6F21B427F267CF192D42A1A
Once you have verified the authenticity of
SHASUMS256.txt.asc, you should re-calculate the
sha256 sum of the download, and compare that with the hashes shown in
$ shasum -a 256 [filename]
Here's an example session, after having retrieved a Zap release package and its associated detached signature from the download area, re-compute the sha256 hash of the target file for your operating system.
$ shasum -a 256 Zap-mac-v0.5.2-beta.dmg
The produced hash should be compared with the hashes listed in
SHASUMS256.txt.asc and they should match exactly.