Update verifying_builds.md #99
I have just learned that the Lineage team has changed the way they sign the public builds. I got to know why **keytool** keeps telling me `Not a signed jar file` from this [post](https://forum.fairphone.com/t/official-lineageos-15-1-builds-not-signed/42173). Please update your wiki page! :-)
Also: the update_verifier uses an embedded public key, but I don't see any way to get a fingerprint of that key that is posted to a public site (as was done with the old method at https://wiki.lineageos.org/verifying-builds.html). What is the advantage of the new approach? Using the signed jar file inspired a lot of confidence because it is such a well-known method, and easy to test using a tool (keytool) from outside the site of the code we're validating.
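To illustrate why keytool and the new verifier disagree, here is an added example that is not part of this issue or of the LineageOS wiki. It assumes the Android whole-file OTA signature layout (signature block stored in the zip comment, followed by a 6-byte footer of signature offset, 0xFFFF marker and comment size), which, as I understand it, is what update_verifier checks and what keytool ignores because it only looks for META-INF jar signatures; the sample zip and the signature bytes are constructed placeholders.

```python
import io
import struct
import zipfile

FOOTER_LEN = 6   # signature offset (2) + 0xFFFF marker (2) + comment size (2)
EOCD_LEN = 22    # fixed part of the zip end-of-central-directory record

def locate_whole_file_signature(data):
    """Find the whole-file signature an Android OTA zip carries in its comment.

    Returns (signed_len, signature_block): how many leading bytes the signature
    covers and the raw block a PKCS#7 parser would receive. Raises ValueError
    when no footer is present. keytool never looks at the zip comment, only for
    META-INF jar signatures, hence "Not a signed jar file" on such builds.
    """
    if len(data) < EOCD_LEN + FOOTER_LEN:
        raise ValueError("file too small for an EOCD record plus footer")
    signature_start, marker, comment_size = struct.unpack("<HHH", data[-FOOTER_LEN:])
    if marker != 0xFFFF:
        raise ValueError("no signature footer (0xFFFF marker missing)")
    if not FOOTER_LEN <= signature_start <= comment_size:
        raise ValueError("footer offsets are inconsistent")
    eocd_size = EOCD_LEN + comment_size
    if len(data) < eocd_size:
        raise ValueError("comment size exceeds file size")
    eocd = data[-eocd_size:]
    if eocd[:4] != b"PK\x05\x06" or struct.unpack("<H", eocd[20:22])[0] != comment_size:
        raise ValueError("EOCD record does not match the footer's comment size")
    # The signature covers everything before the 2-byte comment-length field.
    signed_len = len(data) - comment_size - 2
    return signed_len, data[-signature_start:]

def build_sample(signature=None):
    """Constructed sample zip. With a signature, the comment mimics the SignApk
    layout (ASCII tag, NUL, placeholder signature, footer); with None the zip
    stays unsigned. The placeholder is not a real PKCS#7 block: this exercises
    locating the signature, not verifying it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.bin", b"constructed payload")
        if signature is not None:
            tag = b"signed by SignApk\x00"
            signature_start = len(signature) + FOOTER_LEN
            comment_size = len(tag) + signature_start
            footer = struct.pack("<HHH", signature_start, 0xFFFF, comment_size)
            zf.comment = tag + signature + footer
    return buf.getvalue()
```

Verifying the extracted block against the embedded public key is the step update_verifier performs afterwards; this only shows where the signature lives and why a jar-oriented tool reports nothing.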
I suggest dropping the old instructions completely. There is no use in carrying old stuff. The new way seems to work for old archives, too. (At least for the archive I've tested.) Anyway, the new instructions have several issues: Preferable and recommended way is to use a virtual environment:
@brad2014 I described the way to re-establish the chain of trust after the way to verify public builds has changed here: https://www.goebel-consult.de/blog/really-verifying-lineageos-build-authenticity
@htgoebel Thank you for your effort!
On a side note, why aren't the builds just signed with gpg (e.g. with a detached signature)?
@ItzLevvie review.lineageos.org forcefully requires having a Google account, which excludes me from contributing.
@haggertk Has this been solved, or why has this been closed? Closing an issue without stating why is not an honest style and can discourage contributors.
@ItzLevvie Many thanks.