From 72ee1737ce200db702aaa4793a3fb2f1f9144e7e Mon Sep 17 00:00:00 2001 From: Zygimantas <5236121+Zygimantass@users.noreply.github.com> Date: Fri, 6 Feb 2026 14:41:20 +0100 Subject: [PATCH 1/2] docs: add release signature verification guide (GPG, Cosign, SHA256) Amp-Thread-ID: https://ampcode.com/threads/T-019c3300-b327-77b3-8a99-fe893c195318 Co-authored-by: Amp --- src/pages/guide/node/installation.mdx | 69 +++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/src/pages/guide/node/installation.mdx b/src/pages/guide/node/installation.mdx index ef545119..cbced01a 100644 --- a/src/pages/guide/node/installation.mdx +++ b/src/pages/guide/node/installation.mdx @@ -48,3 +48,72 @@ docker pull ghcr.io/tempoxyz/tempo: docker run -d --name tempo ghcr.io/tempoxyz/tempo: --version docker logs tempo ``` + +## Verifying Releases + +All release artifacts are cryptographically signed starting from **v1.1.0**. We recommend verifying signatures before running any binary. + +### Binary Signatures (GPG) + +Release binaries are signed with GPG. The `tempoup` installer verifies signatures automatically when `gpg` is available. + +To verify manually: + +```bash +# Import the Tempo release signing key +gpg --keyserver keyserver.ubuntu.com --recv-keys EE3C5D41EA963E896F310EC3CBBFA54B20D33446 + +# Verify a downloaded binary +gpg --verify tempo-v1.1.0-x86_64-unknown-linux-gnu.tar.gz.asc \ + tempo-v1.1.0-x86_64-unknown-linux-gnu.tar.gz +``` + +A successful verification will show `Good signature from "Tempo Release Signing Key"`. + +**Fingerprint:** `EE3C 5D41 EA96 3E89 6F31 0EC3 CBBF A54B 20D3 3446` + +
+Public Key + +``` +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mDMEaYXmJhYJKwYBBAHaRw8BAQdAa+cO3zz4+YQuPgUCNXSW7ApNTCAIwx9wBfPc +lXyZBw20Xlp5Z2ltYW50YXMgTWFnZWxpbnNrYXMgKFRlbXBvIHJlbGVhc2Ugc2ln +bmluZyBrZXkgZm9yIDIwMjYgYW5kIG9ud2FyZHMpIDx6eWdpbWFudGFzQHRlbXBv +Lnh5ej6IkwQTFgoAOxYhBO48XUHqlj6JbzEOw8u/pUsg0zRGBQJpheYmAhsDBQsJ +CAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEMu/pUsg0zRGjJABAP8dy+gWx/E8 +EqzkKEUkEfLiRZ6n8APsc0aI5gqwfVAuAP99147oAq9cWVkNMh5PQmvdSG8MIx7Z +G4OIGIHqFwKSCA== +=o2TA +-----END PGP PUBLIC KEY BLOCK----- +``` + +
+ +### Docker Image Signatures (Cosign) + +Docker images are signed with [Cosign](https://docs.sigstore.dev/cosign/overview/) using keyless signing via GitHub Actions OIDC. + +To verify a Docker image: + +```bash +# Install cosign: https://docs.sigstore.dev/cosign/system_config/installation/ +cosign verify ghcr.io/tempoxyz/tempo:latest \ + --certificate-identity-regexp="https://github.com/tempoxyz/tempo/" \ + --certificate-oidc-issuer="https://token.actions.githubusercontent.com" +``` + +This verifies that the image was built and signed by the official Tempo CI pipeline. + +### SHA256 Checksums + +Every release archive includes a `.sha256` checksum file: + +```bash +# Download the checksum file +curl -sSfLO https://github.com/tempoxyz/tempo/releases/download/v1.1.0/tempo-v1.1.0-x86_64-unknown-linux-gnu.tar.gz.sha256 + +# Verify +shasum -a 256 -c tempo-v1.1.0-x86_64-unknown-linux-gnu.tar.gz.sha256 +``` From 2cae48ba20c27c6b44b31a77fde24cc30ec476de Mon Sep 17 00:00:00 2001 From: Zygimantas <5236121+Zygimantass@users.noreply.github.com> Date: Fri, 6 Feb 2026 14:46:50 +0100 Subject: [PATCH 2/2] docs: clarify signing starts after v1.1.0 Amp-Thread-ID: https://ampcode.com/threads/T-019c3300-b327-77b3-8a99-fe893c195318 Co-authored-by: Amp --- src/pages/guide/node/installation.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/guide/node/installation.mdx b/src/pages/guide/node/installation.mdx index cbced01a..65ddf278 100644 --- a/src/pages/guide/node/installation.mdx +++ b/src/pages/guide/node/installation.mdx @@ -51,7 +51,7 @@ docker logs tempo ## Verifying Releases -All release artifacts are cryptographically signed starting from **v1.1.0**. We recommend verifying signatures before running any binary. +All release artifacts are cryptographically signed starting after **v1.1.0**. We recommend verifying signatures before running any binary. ### Binary Signatures (GPG)
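Review bot: In the first hunk (`src/pages/guide/node/installation.mdx`, `## Verifying Releases`), the expected output `Good signature from "Tempo Release Signing Key"` does not match the key the page embeds: decoding the user ID packet in the armored block gives `Zygimantas Magelinskas (Tempo release signing key for 2026 and onwards) <zygimantas@tempo.xyz>`, so a reader following the instructions will never see the quoted string and may conclude verification failed. Either quote the real user ID or, better, tell the reader what to check instead of a display string: that `gpg --fingerprint zygimantas@tempo.xyz` prints `EE3C 5D41 EA96 3E89 6F31 0EC3 CBBF A54B 20D3 3446`, and that `gpg --verify` exits 0. Related: the page fetches the key with `gpg --keyserver keyserver.ubuntu.com --recv-keys ...` but then never tells the reader to compare the fingerprint of what arrived; since the full key is embedded right below, it would be simpler and safer to make `gpg --import` of the embedded block the primary path and keep the keyserver as a fallback. Also say that gpg will print `WARNING: This key is not certified with a trusted signature!` on an otherwise valid signature because the key has no trust path, otherwise that warning reads as a failure. In the Cosign subsection, `cosign verify ghcr.io/tempoxyz/tempo:latest` verifies whatever `latest` points at the moment the command runs; the docs should verify the immutable form (`ghcr.io/tempoxyz/tempo@sha256:...` or the version tag) and note that the image should then be run by that digest. The `--certificate-identity-regexp="https://github.com/tempoxyz/tempo/"` pattern is unanchored, so it accepts any certificate identity that merely contains that substring and any workflow in the repository, not only the release workflow; prefer the exact `--certificate-identity=https://github.com/tempoxyz/tempo/.github/workflows/<release workflow>.yml@refs/tags/<tag>` (or anchor the regexp with `^` and `$` and include the workflow path). In the SHA256 subsection, the `.sha256` file is downloaded from the same GitHub release as the archive it covers, so it only detects corruption, not a substitution on the release page; the text should say that the checksum is a transfer-integrity check and that the GPG signature (or a signed checksum file) is what provides authenticity, and it should mention that the archive must be in the current directory under its original name for `shasum -c` to find it.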
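Review bot: In the second patch's hunk, changing "starting from **v1.1.0**" to "starting after **v1.1.0**" contradicts the examples that remain unchanged in the same section: `tempo-v1.1.0-x86_64-unknown-linux-gnu.tar.gz.asc` and the `.../releases/download/v1.1.0/...sha256` URL now point at a release the sentence says is not signed, so a reader who tries the example exactly as written will not find the `.asc` file. "After v1.1.0" is also ambiguous about which tag is the first signed one. Suggest naming the first signed release explicitly (for example "starting with **vX.Y.Z**") and updating the three example filenames and the download URL to that tag in the same change.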