author | Daniil Baturin <daniil@baturin.org> | 2023-08-22 17:25:59 +0100 |
---|---|---|
committer | Daniil Baturin <daniil@baturin.org> | 2023-08-22 17:29:05 +0100 |
commit | dc18fbc41b2a2751f6264740e7acdbfa5ce508fe (patch) | |
tree | f03c153e6d22495ca035127bf214229456396fd5 | |
parent | e187a0c442583b5968d8a39662affabbfc722e28 (diff) | |
Add signature verification instructions
-rwxr-xr-x | scripts/list-nightly-builds.py | 2 | ||||
-rw-r--r-- | site/get/nightly-builds.md | 20 |
2 files changed, 21 insertions, 1 deletions
diff --git a/scripts/list-nightly-builds.py b/scripts/list-nightly-builds.py index 81f9037..6d39a32 100755 --- a/scripts/list-nightly-builds.py +++ b/scripts/list-nightly-builds.py @@ -43,7 +43,7 @@ def render_image_list(images): tmpl = jinja2.Template(""" <ul> {% for i in images %} - <li><a href="{{i.iso_url}}">{{i.title}}</a> (<a href="{{i.sig_url}}">Minisign signature</a>)</li> + <li><a href="{{i.iso_url}}">{{i.title}}</a> (<a href="{{i.sig_url}}">sig</a>)</li> {% endfor %} </ul> """) diff --git a/site/get/nightly-builds.md b/site/get/nightly-builds.md index 5c485df..6bbbe08 100644 --- a/site/get/nightly-builds.md +++ b/site/get/nightly-builds.md 
@@ -10,4 +10,24 @@ for each build ensuring that basic functionality is working. In addition we load [configurations](https://github.com/vyos/vyos-1x/tree/current/smoketest/configs) to ensure there are no errors during config migration and system bootup. +## Verifying image signatures + +We use [minisign](https://jedisct1.github.io/minisign/) for release signing. To learn about its advantages +over GPG, read [signify: Securing OpenBSD From Us To You](https://www.openbsd.org/papers/bsdcan-signify.html). + +One obvious advantage is that you don't need to import the key anywhere, you can pass it as a command line argument. +Once you download an image and its `.minisig` file, you can verify its integrity with this command: + +``` +minisign -Vm <ISO file> -P RWTclGe42GmvIX/xnNiXdigNll7NSfpYGl1rj+sEERcLgoEsse5EwAgA +``` + +If in doubt, you can get the public key from the [nightly builds repository](https://github.com/vyos/vyos-rolling-nightly-builds/blob/main/minisign.pub). +If you are _really_ in doubt (i.e., you have a reason to suspect that the repository and/or this website were compromised), +you should report that to the maintainers. + +Currently, we create nightly builds with GitHub Actions and store them in releases of the [vyos/vyos-rolling-nightly-builds](https://github.com/vyos/vyos-rolling-nightly-builds/releases) +repository. Here is an auto-generated list of available builds. + ## Available builds + |
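Review bot: In `scripts/list-nightly-builds.py`, the new link text `sig` in the `<li>` line no longer tells the reader which signature scheme the file uses, and the list is rendered separately from the prose that explains minisign. Consider `minisig` or `signature` as the label, or a `title="Minisign signature"` attribute on the link. Separately, the list is rendered through a plain `jinja2.Template(...)`, which does not autoescape by default, so `{{i.title}}`, `{{i.iso_url}}` and `{{i.sig_url}}` reach the HTML as-is; since this line is being touched anyway, it is worth adding `|e` to those expressions or enabling autoescape.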
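Review bot: In `site/get/nightly-builds.md`, the new "Verifying image signatures" section gives the `minisign -Vm <ISO file> -P ...` command but never says what a successful check looks like or what to do when it fails. Suggest adding that minisign prints "Signature and comment signature verified" and exits with status zero on success, and that an image failing the check should not be installed. The command also relies on the `.minisig` file sitting next to the ISO under its default name, so it is worth saying so or mentioning `-x <signature file>`. "Verify its integrity" undersells the check, since the signature also establishes who produced the image. Finally, "report that to the maintainers" names no channel; a link to the preferred contact would make that sentence actionable, and the fallback sentence could tell readers to compare the key string in the command against the contents of `minisign.pub` rather than only pointing at the file.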