From e8879f3e77542c9f5ddba0514d3f3ce12d39f6e6 Mon Sep 17 00:00:00 2001 From: Nick Craig-Wood Date: Mon, 11 Sep 2023 12:28:23 +0100 Subject: [PATCH] docs: document release signing and verification Fixes #7257 --- cmd/selfupdate/help.go | 9 +- docs/content/KEYS | 138 ++++++++++++++++++++++++++++ docs/content/downloads.md | 3 + docs/content/install.md | 3 + docs/content/release_signing.md | 158 ++++++++++++++++++++++++++++++++ 5 files changed, 307 insertions(+), 4 deletions(-) create mode 100644 docs/content/KEYS create mode 100644 docs/content/release_signing.md diff --git a/cmd/selfupdate/help.go b/cmd/selfupdate/help.go index d3044bb113cbe..ec3595b2da2ec 100644 --- a/cmd/selfupdate/help.go +++ b/cmd/selfupdate/help.go @@ -5,9 +5,10 @@ package selfupdate // Note: "|" will be replaced by backticks in the help string below var selfUpdateHelp = ` -This command downloads the latest release of rclone and replaces -the currently running binary. The download is verified with a hashsum -and cryptographically signed signature. +This command downloads the latest release of rclone and replaces the +currently running binary. The download is verified with a hashsum and +cryptographically signed signature; see [the release signing +docs](/release_signing/) for details. If used without flags (or with implied |--stable| flag), this command will install the latest stable release. However, some issues may be fixed @@ -40,7 +41,7 @@ your OS) to update these too. This command with the default |--package zip| will update only the rclone executable so the local manual may become inaccurate after it. -The |rclone mount| command (https://rclone.org/commands/rclone_mount/) may +The [rclone mount](/commands/rclone_mount/) command may or may not support extended FUSE options depending on the build and OS. |selfupdate| will refuse to update if the capability would be discarded. diff --git a/docs/content/KEYS b/docs/content/KEYS new file mode 100644 index 0000000000000..af442fb390509 
--- /dev/null +++ b/docs/content/KEYS 
@@ -0,0 +1,138 @@ +This file contains the PGP keys that are and have been used to sign +rclone releases. + +Users: pgp < KEYS +or + gpg --import KEYS + +Developers: + pgp -kxa and append it to this file. +or + (pgpk -ll && pgpk -xa ) >> this file. +or + (gpg --list-sigs && gpg --armor --export ) >> this file. + +pub dsa1024 2001-09-27 [SCA] + FBF737ECE9F8AB18604BD2AC93935E02FF3B54FA +uid [ultimate] Nick Craig-Wood +sig 3 93935E02FF3B54FA 2001-09-27 Nick Craig-Wood +sig 3 93935E02FF3B54FA 2020-02-03 Nick Craig-Wood +sig 3 93935E02FF3B54FA 2001-09-27 Nick Craig-Wood +sig A54E275E4248E016 2019-11-04 [User ID not found] +sig CB0DBEBC5F32C81D 2023-09-03 Nick Craig-Wood +sub elg2048 2001-09-27 [E] +sig 93935E02FF3B54FA 2001-09-27 Nick Craig-Wood + +pub rsa4096 2022-09-16 [SC] + E3B358DC858FB307F48170B9CB0DBEBC5F32C81D +uid [ultimate] Nick Craig-Wood +sig 3 CB0DBEBC5F32C81D 2022-09-16 Nick Craig-Wood +sig 93935E02FF3B54FA 2023-09-03 Nick Craig-Wood +sub rsa4096 2022-09-16 [E] +sig CB0DBEBC5F32C81D 2022-09-16 Nick Craig-Wood + +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGiBDuy3V0RBADVQOAF5aFiCxD3t2h6iAF2WMiaMlgZ6kX2i/u7addNkzX71VU9 +7NpI0SnsP5YWt+gEedST6OmFbtLfZWCR4KWn5XnNdjCMNhxaH6WccVqNm4ALPIqT +59uVjkgf8RISmmoNJ1d+2wMWjQTUfwOEmoIgH6n+2MYNUKuctBrwAACflwCg1I1Q +O/prv/5hczdpQCs+fL87DxsD/Rt7pIXvsIOZyQWbIhSvNpGalJuMkW5Jx92UjsE9 +1Ipo3Xr6SGRPgW9+NxAZAsiZfCX/19knAyNrN9blwL0rcPDnkhdGwK69kfjF+wq+ +QbogRGodbKhqY4v+cMNkKiemBuTQiWPkpKjifwNsD1fNjNKfDP3pJ64Yz7a4fuzV +X1YwBACpKVuEen34lmcX6ziY4jq8rKibKBs4JjQCRO24kYoHDULVe+RS9krQWY5b +e0foDhru4dsKccefK099G+WEzKVCKxupstWkTT/iJwajR8mIqd4AhD0wO9W3MCfV +Ov8ykMDZ7qBWk1DHc87Ep3W1o8t8wq74ifV+HjhhWg8QAylXg7QlTmljayBDcmFp +Zy1Xb29kIDxuaWNrQGNyYWlnLXdvb2QuY29tPohXBBMRAgAXBQI7st1dBQsHCgME +AxUDAgMWAgECF4AACgkQk5NeAv87VPoPswCfaetrHxFhv6vpjadYWc6tyAZJHD4A +n2IfppvFB0vdOFgYBz/+u/6rN4p1iHEEExEIADEFCwcKAwQDFQMCAxYCAQIXgBYh +BPv3N+zp+KsYYEvSrJOTXgL/O1T6BQJeODZSAhkBAAoJEJOTXgL/O1T6WaYAniMf +kXJQvNK2OKy5O8ctNXPobjh5AJ9pHlAZkU+x56cTmJzZZ5BwFya2gYhXBBMRAgAX 
+BQI7st1dBQsHCgMEAxUDAgMWAgECF4AACgkQk5NeAv87VPoPswCgwDDvPZfRHenT +ca1r22pCum0FSlkAniLGFmVYPIcnMMF9OxQ6wBy34oZGiQIzBBABCgAdFiEEje07 +Kgm0YIzmpewHpU4nXkJI4BYFAl3Ap2EACgkQpU4nXkJI4BYFjw//Y3MtrkqtACWp +idlcLHRYpU+e17dhsZBP2afq56/B2zXFvtYnH0QyGN/YDjHMfK6Zi2Xxem7jg8ww +qH9s7eBAJUwbM6oAuhvQfdqpLCygAAep1ZKhuguSEUvJjoajqPQNjJE/aqini4Es +fnEVuK+y9L+smQvtFFx9U+PV7l6Z9WE3SFYtFvjUBL3FeaIfh36fUyj4xXR17Guj +ADtTHiWR4xElJ16NCj2VhfbE2wxoG2/SHDfHpzjW3B/pRJZOCOvJZcrtZRNqruff +8JGvLObswTlNiTn9rjc5lCPkMhnEke5i20BIymlPMlaNCE64AkkB/FDFed69b7u8 +R1E1LivBL0qoXIt1s8E+UW9ADBCxwloFeHroZhDPs6Y00EK+hGSJonB1pzguVc0u +MA9v9Gfcx099KQbfuSZefBCzpkktsmulb/59WEfK1Q4oVjdmCUG3/qwmLzAilzs6 +YaD75V6lp1lCON2jWod5xYSPsuvo2T0Exj4Q5MZcLVwqzH4UnmJPqdRVxWhhJEDE +qlsU+t0LCpDt4saVI5A91k5HMqFOJpX2hbLEx5OG3/gksED6FcZd1mwUVWEChjC0 +L6UNqpQZi+bNAX0CxY9XeqEIMN/EhLDbmLEwUHgMC3G4hX813k23mSWHBRsa0Mik +PCXX3tRioqPNF5ALl4gOmnF6ZD+WAQeJAjMEEAEIAB0WIQTjs1jchY+zB/SBcLnL +Db68XzLIHQUCZPRnNAAKCRDLDb68XzLIHZSAD/oCk9Z0xJfbpriphTBxFy7bWyPK +F1lM1GZZaLKkktGfunf1i0Q7rhwpNu+u1launlOTp6ZoY36Ce2Qa1eSxWAQdjVaj +w9kOHXCAewrTREOMY/mb7RVGjajo0Egl8T9iD3JRyaxu2iVtbpZYuqehtGG28CaC +zmtqE+EJcx1cGqAGSuuaDWRYlVX8KDip44GQB5Lut30vwSIoZG1CPCR6VE82u4cl +3mYZUfcJkCHsiLzoeadVzb+fOd+2ybzBn8Y77ifGgM+dSFSHe03mFfcHPdp0QImF +9HQR7XI0UMZmEJsw7c2vDrRa+kRY2A4/amGn4Tahuazq8g2yqgGm3yAj49qGNarA +au849lDr7R49j73ESnNVBGJ9ShzU4Ls+S1A5gohZVu2s1fkE3mbAmoTfU4JCrpRy +dOuL9xRJk5gbL44sKeuGODNshyTPJzG9DmRHpLsBn59v8mg5tqSfBIGqcqBxxnYH +JnkK801MkaLW2m7wDmtz6P3TW86gGukzfIN3/OufLjnpN3Nx376JwWDDIyif7sn6 +/q+ZMwGz9uLKZkAeM5c3Dh4ygpgliSLoV2bZzDz0iLxKWW7QOVVdWHmlEqbTldpQ +7gUEPG7mxpzVo0xd6nHncSq0M91x29It4B3fATx/iJB2eardMzSsbzHiwTg0eswh +YYGpSKZLgp4RShnVAbkCDQQ7st2BEAgAjpB0UGDf/FrWAUo9jLWKFX15J0arBZkY +m+iRax8K8fLnXzS2P+9Q04sAmt2qCUxK9681Nd7xtPrkPrjbcACwuFyH3Cr9o2qs +eiVNgAHPFGKCNxLX/9PKWfmdoZTOVVBcNV+sOTcx382uR04WPuv9jIwXT6JbCkXP +aoCMv3mLnB9VnWRYatPYCaK8TXAPWxZP8lrcUMjQ1GRTQ1vP9rRMp7iaXyItW1le +lNFvHEII92QddeBLK7V5ng2sX/BMm6/AafXZMnUQX3lpWQfEBTDT4qYsZ1zIEb4g 
+q4dqauyNYgBcZdX//8oDE+BS2FxxDTccyOW0Wyt2Z6flDTfhgzd46wADBQf+MAqI +gADwulmZk+e30Znj46VmnbZUB/J8M4WXg6X5xaOQsCCMAWybmCc4pxFIT/1c/GdC +qSHDv5nKBi5QyBMMn33/kgzVRAveihL6gWsNoT31Lxst457XuyRx1dwD8rzdWoP2 +b3etBGdu0P7vnOoqRmf1Y0XIoJeDk/o8U901hG2VAo5zAVH2YdEtSZqlBIAzxjak +KAAtnsZWIpBxrz9NPVOBmT18kxlgZ7P4iU4/FMnGOfzT6/LCTj/B0hZKJCP7y7lH +NP2yOabvvBsxU0ZGph1b8R6Zb1nP2+LQIi8kaBs8ypy7HDx7/mWe5DoyLe4NHQ/Z +E0gCEWt1mlVIwTzFBohGBBgRAgAGBQI7st2BAAoJEJOTXgL/O1T6YsEAoLZx0XLt +4tpAC/LNwTZUrodUiOckAKC4DTRvEtC4nj5EImssVk/xmU3ax5kCDQRjJI69ARAA +wCCaKZZmZe8mmusRuoHrqeVImFo+JUTNiktszB/l97INgZCSpVGFOcc4l4Weoioy +hObJV5wnpFjhadhpiRG1XYzNYi6vNKz8lsUkFxfkIFiXU2kRkwtQShiWf4LmobDQ +sY9SXRK2cVEFQwOqK9E0k99ZKoaQ31aqq1zcAzkRlBrJmjgmRJHX3DltA7z676Ap +YEJgAkDRBXFe3zViuxZ0/MMYqtwsbePvOMkXlPmQJ8havOjZRa0mEZtDekMt11vv +1bG1qFebMFuwYVd7YZ1kzL8NU8gNOtuW0E67Ts5voZdlZiQAbDke9V9uj9+hfae6 +vICrZ7eriPGVD6BetGNjUNFN+8fwHMycOvvHjZ/JlN8lCfw4ImK4F18ms51pqD74 +3w0b2VvoQOkkCzEyUReTixh60aMIabx8so4BmFdi7cK9E+4/WU933d+dSEVgr9Hp +ast2WoNTo7cPWgIcxSctWvq9AIULLDVytI2BVRbIRL5vZHNIlE839AVbef8SP5Vc +V+8xjNRw3bzpxhnu4TqYTrvexvq7YOsMxVc9qqN2w8w+Q6jL/0Hjq2fUouV6JH/u +6GY1vo9dCOXMROS/fD3qJfDIb/NZuYqnt2jQArJW2YVxL+4DE7yKvSNaHGY5kwEV +BrQCCTb16ANWxUHkBBuSP2+hYKrVQPAisdsovHRgcF0AEQEAAbQlTmljayBDcmFp +Zy1Xb29kIDxuaWNrQGNyYWlnLXdvb2QuY29tPokCTgQTAQgAOBYhBOOzWNyFj7MH +9IFwucsNvrxfMsgdBQJjJI69AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ +EMsNvrxfMsgdxW8QAIckFmxogPfLD6kqIoiZerqPRcz5rYBfxa7lgQkuoLaqWhCP +QR+e5Ug3bqxexkYQrTyZwqzTTgntTTWt4hSg75mgAujMQh1bsYbxcSHiLSh3Q8bO +AaX3o+ewycqKRvaVLYD7m/f8ZHgjRdwtEV3M9tVIOpa/KB51+3PM23Kx7pWP8RnT +mLhbxDCQTYE4yiLFPBIoG8NH1raLXonvLHP+wFs2OJ18fkq3DHTKK48dTRs/QyNl +/kgmuFUv/SyXDEoe9XdweNnN4N005R7bHW9iJEoV8KBFJi9/K89jokwrrRCUk1Pz +p/QXSKYLX59uqufL4LQOCtEhmVJPTQKCd4eUhvCva70efRm1fwqV/PHJDXB2Y84Q +oBPyxitFJGvBc1RsB3t1iO9IAuWnfFLYBayVGbpHseO5RdgJT/Q1hWeZTFi3vfXX +snuDSl5FcjLhDVe5rrAa/oAGki2fA7YOeK7PB0uwK7O8s2ZErDHnV99zYMVy7hnY +LhxDhic4mQ/1uJ/6mcEO+6NU4FM6EA0Bt28WTgRyOM2WnZ8xjBBmHtV4ucvmbQn1 
+CCZUCe6HG06l8/soaMKiCZFS0CKwed9ymhlHPp5nyD3CJw53EKdEDQAjSOxc9sI0 +L5/P73ijRkOVz5xMtyxXXAnsyVa0yXo/rbzBGjKMcJeuAa1168a3ydu0gMMWiF0E +EBEIAB0WIQT79zfs6firGGBL0qyTk14C/ztU+gUCZPRnIgAKCRCTk14C/ztU+nDL +AJ99G+k/+uCkMnJuQazlb10HeiF4DwCgx+BNLTMkLduN9F+bqPsKq0oVsCa5Ag0E +YySOvQEQALoUUvMMNBKr7xMUVSe/lvBQUhzdthcDARdCf5m/UQoBYdyfYEA7m0x1 +5fKMl2duZdT9pYTSt60LeRXiC4bJaMCl60Nb2gwPF7ko32TFLpEyRHznVeEw+ExV +OU82lOWwI6AOFwHO4hL+wgK5RXV9qgve3n30ccTvKRHpjmQSa2YD3S5pO20KRsJt +iU8nm1+e7zXGEqWvR3L4QhJtN4Xtda+Gv95lH22Y+XnHri9MNMYbXrhTrOAig1ne +5GF3goG/yps6QyoV2zdY+Zqojpi9sCtRdiwbETbp8izQNV53QBqORIILBuzZpmqJ +gSNbbFsAdJkmPfLbjx57BieF2YUvsl0DtVc8KdN6UCrhQF2CNaGdWWpJyKF6AHkE +iIt0npvlgAM8ZZ0y0WF5XqefvIEMx7DmpKZ822gvR2aTmDJzPhgFTVhelVHDJ6NS +l5FUhA+DB1U7SwFULc2VFJdDa2zrnM0T+bz5cc8mi1zazzcBklzLNpRoT0Iex2LC ++KPFmsBbObKGffvDwQkEJgBJ9FweRGLfiHOo1V4E+QwIZhoch/H5u9+2J3Hp0S/r +H6Jn97AjYZMUVZBC4rICBaIevqaIuP/Qno2hRSkccF388lLBWRW/qa8vaRpk9Xgt +8umvLmnumEKmmWxF6rHZu34ijgnaWfuunydfiu/v0kd6H5tO8h9NABEBAAGJAjYE +GAEIACAWIQTjs1jchY+zB/SBcLnLDb68XzLIHQUCYySOvQIbDAAKCRDLDb68XzLI +HcZpD/oCT20Tufzh3YvRqd7+nAziHzPoz15bkd0Y2B9wAQ4kkT4o6/vSSqpQeBAL +UVh54cTaMkyFUTr53U5rK0QyEFrwa1j6wQvHSbOhaCAVacii9n8eyELI0755eCAN +7w7mRsS05hTgKdQwn4TKnb9FvST+TMyyBcL8IPnHcmYbiX1repRlUZ5VvyWtQDO2 +Z3BISWtOnMJjItQ9N8zj3KkeLVtWennroYpDEJo2qpb5Ga320Mijoh0Mm8r3uM7o +rarpfnEsUGiko++elHVbgv7iTxyfxV+ny14ROAcY6VtF8a6MUflKYnAJytD9fwGt +2+Of7CB72b3Zq47XLh7FXozqWL2zCVrU5u55NXKGaSRXmPec54RrtAF0BfGpkbHZ +W4xOS2E4IzBNf3rhh7Nj+4MCGmx7RuRzHvlkltS38ktXQmUfch8pFhLKW8byxFhu +Je3QS3vnKmA2dQzHKZDQj8uyHUUD0WQlBtaY2p7G4zFhuC+xNHDs8Xbo+NCgsmg7 +8qSub42rXViT0kK9xeAKr3qKbumQqIfXHWQvamFHJeIpvrLEffhWKZc83PXpL9wY +JP/Rm0jTtKJeqD8w7rnafOi9qKyE2FgpltdWzsUSPDjqMlCgCrggqtUzTgKYl1S/ +6jXcPGkEadKE/t3kelkupnlwlyVLxF7NaIrb8fAqCau0MWIh4g== +=Iv9u +-----END PGP PUBLIC KEY BLOCK----- diff --git a/docs/content/downloads.md b/docs/content/downloads.md index 96ea849a71d14..d1ae19af95e0a 100644 --- a/docs/content/downloads.md +++ b/docs/content/downloads.md 
@@ -29,6 +29,9 @@ See also [Android builds](https://beta.rclone.org/{{% version %}}/testbuilds/). These are built as part of the official release, but haven't been adopted as first class builds yet. +See [the release signing docs](/release_signing/) for how to verify +signatures on the release. + ## Script download and install ## To install rclone on Linux/macOS/BSD systems, run: diff --git a/docs/content/install.md b/docs/content/install.md index 1965e7d195394..e677c26c80cfb 100644 --- a/docs/content/install.md +++ b/docs/content/install.md @@ -22,6 +22,9 @@ run `rclone -h`. Already installed rclone can be easily updated to the latest version using the [rclone selfupdate](/commands/rclone_selfupdate/) command. +See [the release signing docs](/release_signing/) for how to verify +signatures on the release. + ## Script installation To install rclone on Linux/macOS/BSD systems, run: diff --git a/docs/content/release_signing.md b/docs/content/release_signing.md new file mode 100644 index 0000000000000..8e19303dca5c5 --- /dev/null +++ b/docs/content/release_signing.md 
@@ -0,0 +1,158 @@ +--- +title: "Release Signing" +description: "How the release is signed and how to check the signature." +--- + +# Release signing + +The hashes of the binary artefacts of the rclone release are signed +with a public PGP/GPG key. This can be verified manually as described +below. + +The same mechanism is also used by [rclone selfupdate](/commands/rclone_selfupdate/) +to verify that the release has not been tampered with before the new +update is installed. This checks the SHA256 hash and the signature +with a public key compiled into the rclone binary. + +## Release signing key + +You may obtain the release signing key from: + +- From [KEYS](/KEYS) on this website - this file contains all past signing keys also. +- The git repository hosted on GitHub - https://github.com/rclone/rclone/blob/master/docs/content/KEYS +- `gpg --keyserver hkps://keys.openpgp.org --search nick@craig-wood.com` +- `gpg --keyserver hkps://keyserver.ubuntu.com --search nick@craig-wood.com` +- https://www.craig-wood.com/nick/pub/pgp-key.txt + +After importing the key, verify that the fingerprint of one of the +keys matches: `FBF737ECE9F8AB18604BD2AC93935E02FF3B54FA` as this key is used for signing. + +We recommend that you cross-check the fingerprint shown above through +the domains listed below. By cross-checking the integrity of the +fingerprint across multiple domains you can be confident that you +obtained the correct key. + +- The [source for this page on GitHub](https://github.com/rclone/rclone/blob/master/docs/content/release_signing.md). +- Through DNS `dig key.rclone.org txt` + +If you find anything that doesn't not match, please contact the +developers at once. + +## How to verify the release + +In the release directory you will see the release files and some files called `MD5SUMS`, `SHA1SUMS` and `SHA256SUMS`. 
+ +``` +$ rclone lsf --http-url https://downloads.rclone.org/v1.63.1 :http: +MD5SUMS +SHA1SUMS +SHA256SUMS +rclone-v1.63.1-freebsd-386.zip +rclone-v1.63.1-freebsd-amd64.zip +... +rclone-v1.63.1-windows-arm64.zip +rclone-v1.63.1.tar.gz +version.txt +``` + +The `MD5SUMS`, `SHA1SUMS` and `SHA256SUMS` contain hashes of the +binary files in the release directory along with a signature. + +For example: + +``` +$ rclone cat --http-url https://downloads.rclone.org/v1.63.1 :http:SHA256SUMS +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +f6d1b2d7477475ce681bdce8cb56f7870f174cb6b2a9ac5d7b3764296ea4a113 rclone-v1.63.1-freebsd-386.zip +7266febec1f01a25d6575de51c44ddf749071a4950a6384e4164954dff7ac37e rclone-v1.63.1-freebsd-amd64.zip +... +66ca083757fb22198309b73879831ed2b42309892394bf193ff95c75dff69c73 rclone-v1.63.1-windows-amd64.zip +bbb47c16882b6c5f2e8c1b04229378e28f68734c613321ef0ea2263760f74cd0 rclone-v1.63.1-windows-arm64.zip +-----BEGIN PGP SIGNATURE----- + +iF0EARECAB0WIQT79zfs6firGGBL0qyTk14C/ztU+gUCZLVKJQAKCRCTk14C/ztU ++pZuAJ0XJ+QWLP/3jCtkmgcgc4KAwd/rrwCcCRZQ7E+oye1FPY46HOVzCFU3L7g= +=8qrL +-----END PGP SIGNATURE----- +``` + +### Download the files + +The first step is to download the binary and SUMs file and verify that +the SUMs you have downloaded match. Here we download +`rclone-v1.63.1-windows-amd64.zip` - choose the binary (or binaries) +appropriate to your architecture. We've also chosen the `SHA256SUMS` +as these are the most secure. You could verify the other types of hash +also for extra security. `rclone selfupdate` verifies just the +`SHA256SUMS`. + +``` +$ mkdir /tmp/check +$ cd /tmp/check +$ rclone copy --http-url https://downloads.rclone.org/v1.63.1 :http:SHA256SUMS . +$ rclone copy --http-url https://downloads.rclone.org/v1.63.1 :http:rclone-v1.63.1-windows-amd64.zip . +``` + +### Verify the signatures + +First verify the signatures on the SHA256 file. + +Import the key. See above for ways to verify this key is correct. 
+ +``` +$ gpg --keyserver keyserver.ubuntu.com --receive-keys FBF737ECE9F8AB18604BD2AC93935E02FF3B54FA +gpg: key 93935E02FF3B54FA: public key "Nick Craig-Wood " imported +gpg: Total number processed: 1 +gpg: imported: 1 +``` + +Then check the signature: + +``` +$ gpg --verify SHA256SUMS +gpg: Signature made Mon 17 Jul 2023 15:03:17 BST +gpg: using DSA key FBF737ECE9F8AB18604BD2AC93935E02FF3B54FA +gpg: Good signature from "Nick Craig-Wood " [ultimate] +``` + +Verify the signature was good and is using the fingerprint shown above. + +Repeat for `MD5SUMS` and `SHA1SUMS` if desired. + +### Verify the hashes + +Now that we know the signatures on the hashes are OK we can verify the +binaries match the hashes, completing the verification. + +``` +$ sha256sum -c SHA256SUMS 2>&1 | grep OK +rclone-v1.63.1-windows-amd64.zip: OK +``` + +Or do the check with rclone + +``` +$ rclone hashsum sha256 -C SHA256SUMS rclone-v1.63.1-windows-amd64.zip +2023/09/11 10:53:58 NOTICE: SHA256SUMS: improperly formatted checksum line 0 +2023/09/11 10:53:58 NOTICE: SHA256SUMS: improperly formatted checksum line 1 +2023/09/11 10:53:58 NOTICE: SHA256SUMS: improperly formatted checksum line 49 +2023/09/11 10:53:58 NOTICE: SHA256SUMS: 4 warning(s) suppressed... += rclone-v1.63.1-windows-amd64.zip +2023/09/11 10:53:58 NOTICE: Local file system at /tmp/check: 0 differences found +2023/09/11 10:53:58 NOTICE: Local file system at /tmp/check: 1 matching files +``` + +### Verify signatures and hashes together + +You can verify the signatures and hashes in one command line like this: + +``` +$ gpg --decrypt SHA256SUMS | sha256sum -c --ignore-missing +gpg: Signature made Mon 17 Jul 2023 15:03:17 BST +gpg: using DSA key FBF737ECE9F8AB18604BD2AC93935E02FF3B54FA +gpg: Good signature from "Nick Craig-Wood " [ultimate] +gpg: aka "Nick Craig-Wood " [unknown] +rclone-v1.63.1-windows-amd64.zip: OK +```
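Review bot: In cmd/selfupdate/help.go the new links `[the release signing docs](/release_signing/)` and `[rclone mount](/commands/rclone_mount/)` are site-relative Markdown inside the `selfUpdateHelp` string, so wherever that string is printed outside the website the reader gets a path with no host. The second hunk also removes the full https://rclone.org/commands/rclone_mount/ URL, which was usable in both places. Suggest keeping absolute https://rclone.org/ URLs in this string, or confirming that the help renderer rewrites relative links before this lands.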
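Review bot: docs/content/KEYS lists two keys, `dsa1024 2001-09-27` and `rsa4096 2022-09-16`, but its header only says the keys "are and have been used" to sign releases, so a reader cannot tell from this file which one signs current releases. Suggest adding a header line that names the current signing fingerprint (release_signing.md gives FBF737ECE9F8AB18604BD2AC93935E02FF3B54FA) and says what the rsa4096 key is for. Because the current signing key is 1024-bit DSA, it would also help to state whether a move to the rsa4096 key is planned, so users know to expect a fingerprint change.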
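Review bot: In docs/content/release_signing.md, the "Verify the hashes" step runs `sha256sum -c SHA256SUMS 2>&1 | grep OK` against the raw clearsigned file, so it reads every line of that file rather than only the text gpg verified, and `grep OK` discards any FAILED line along with sha256sum's exit status. Suggest feeding sha256sum from gpg's verified output, as the "Verify signatures and hashes together" section already does, dropping the `grep OK` filter, and noting in that section that the pipeline's exit status is sha256sum's alone, so the "Good signature" line and the fingerprint still have to be read. The sample gpg output shows `[ultimate]`, which reflects the author's own keyring; a user who has just imported the key will see a different trust level and a warning that the key is not certified, and the page should say that this is expected and that the fingerprint comparison is what counts. Smaller points in the same hunk: "signed with a public PGP/GPG key" should say the hashes are signed with the private key and verified with the public one; "doesn't not match" should be "doesn't match"; "You may obtain the release signing key from: - From [KEYS]" repeats "From"; the import example uses `--keyserver keyserver.ubuntu.com` while the list above it uses `hkps://keyserver.ubuntu.com`; and the claim that `SHA256SUMS` is "the most secure" sits beside a sample signature with `Hash: SHA1` made by a DSA key, which deserves a sentence of explanation.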