Skip to content

@Roasbeef Roasbeef released this Sep 27, 2019 · 2 commits to master since this release

Verifying the Release

In order to verify the release, you'll need to have gpg or gpg2 installed on your system. Once you've obtained a copy (and hopefully verified that as well), you'll first need to import the keys that have signed this release if you haven't done so already:

curl https://keybase.io/roasbeef/pgp_keys.asc | gpg --import

Once you have the required PGP keys, you can verify the release (assuming manifest-v0.1.0.txt and manifest-v0.1.0.txt.sig are in the current directory) with:

gpg --verify manifest-v0.1.0.txt.sig

You should see the following if the verification was successful:

pg: assuming signed data in 'manifest-v0.1.0.txt'
gpg: Signature made Fri Sep 27 09:07:13 2019 PDT
gpg:                using RSA key 4AB7F8DA6FAEBB3B70B1F903BC13F65E2DC84465
gpg: Good signature from "Olaoluwa Osuntokun <laolu32@gmail.com>" [ultimate]

That will verify the signature of the manifest file, which ensures integrity and authenticity of the binaries you've downloaded locally. Next, depending on your operating system you should then re-calculate the sha256 sum of the binary, and compare that with the following hashes (which are included in the manifest file):

4e6bd4913b46190b5da9f3608dfd024c35d07b855513250f07e53480f1b6462  chanleakcheck-darwin-386-v0.1.0.tar.gz
9aeffe608b6ab457f270cc6585fdcfecb6ae5d55ccd4e6bd33ea954bbbfd4345  chanleakcheck-darwin-amd64-v0.1.0.tar.gz
fadae59fbe10e9b82a3f07efc9af0a0915f331e988513d97dbd6800d1cbc033a  chanleakcheck-dragonfly-amd64-v0.1.0.tar.gz
29249b0580b22c72900ec9fc6836244f86c520573f6a9803c751ed55f8e4f683  chanleakcheck-freebsd-386-v0.1.0.tar.gz
65bd1f3a706d3e2e4b219f349a8101808a5bbb39424bdf33274fca201ec7f43d  chanleakcheck-freebsd-amd64-v0.1.0.tar.gz
29b6b39f402d4d8e134772c876be2149c333e761a1a7e3964488e89eccfd9c61  chanleakcheck-freebsd-arm-v0.1.0.tar.gz
b4040caefafe35bb969404010a9400fb51efe040e2f15bdaaee7f72b465de506  chanleakcheck-linux-386-v0.1.0.tar.gz
bf5db478f2efe0da35246730ed7fd9464d654a713522b877d28aa655a40af013  chanleakcheck-linux-amd64-v0.1.0.tar.gz
2a468f55c608e8fd0e7bde10aea84353e3015a08eae20d49f8c6b74531f98eb9  chanleakcheck-linux-arm64-v0.1.0.tar.gz
d5c791bdf8bb84793d7b755de42c67fcb69cceae8f12c1b062905b53c3896d12  chanleakcheck-linux-armv6-v0.1.0.tar.gz
13252cc57759ef00d7f8ee4d7b48fcf3738d40881c3c0aa5ef13f816ddb777cd  chanleakcheck-linux-armv7-v0.1.0.tar.gz
fb29c1c29ce2406d7959d17f12c213a5d3f4425e4bbe32b55f2a042682e03efc  chanleakcheck-linux-mips64-v0.1.0.tar.gz
79a8fabcd53b37179a7cd5ea804a570d1d3f5928b527f3c15af18e272937d92f  chanleakcheck-linux-mips64le-v0.1.0.tar.gz
a2bf3a646ded91d6c4998b3f833d74e82b7ef900f7a2e4d493bb0585fbe9966c  chanleakcheck-linux-ppc64-v0.1.0.tar.gz
fdba3eeb4bdf2e6d80b192f0c05ac333f653ac352e6df381919ce5125df79591  chanleakcheck-netbsd-386-v0.1.0.tar.gz
041a90d2b64a6e97d3e4808abf320cdd680d39c5be8bc234dea33c6792d1252b  chanleakcheck-netbsd-amd64-v0.1.0.tar.gz
a1be15e86949011141b1145d974d54ee5ce79e8480614f02ae97e5b478b30898  chanleakcheck-openbsd-386-v0.1.0.tar.gz
598004e5aa8addec3ea46ef777f4c70d3f9fe975609ea6de812074e88cdb82f4  chanleakcheck-openbsd-amd64-v0.1.0.tar.gz
16637208a819ced39405b0d53ffa6faf301e3c36e85204577be45d33845b9d95  chanleakcheck-source-v0.1.0.tar.gz
4b7d7ed6a9495e096cac1405ff10f230b5b437a19a39ccff51847f1a402b2436  chanleakcheck-windows-386-v0.1.0.zip
3b04acac1eb03c901c16adb38c8616249cee21f46dfdddf51d3ac6e9d6789c26  chanleakcheck-windows-amd64-v0.1.0.zip
5c0ccdf2052c12af812dfa2318ec031a2f9978b6503ec6838bacac3c95506bba  vendor.tar.gz

One can use the shasum -a 256 <file name here> tool in order to re-compute the sha256 hash of the target binary for your operating system. The produced hash should be compared with the hashes listed above and they should match exactly.

Finally, you can also verify the tag itself with the following command:

git verify-tag v0.1.0

In order to re-build from scratch, assuming that vendor.tar.gz and chanleakcheck-source-v0.1.0.tar.gz are in the current directory:

tar -xvzf vendor.tar.gz
tar -xvzf chanleakcheck-source-v0.1.0.tar.gz
GO111MODULE=on go install -v -mod=vendor -trimpath
GO111MODULE=on go install -v -mod=vendor -trimpath

The -mod=vendor flag tells the go build command that it doesn't need to fetch the dependencies, and instead, they're all enclosed in the local vendor directory.

Assets 26
You can’t perform that action at this time.