From dc18fbc41b2a2751f6264740e7acdbfa5ce508fe Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Tue, 22 Aug 2023 17:25:59 +0100 Subject: Add signature verification instructions --- site/get/nightly-builds.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'site') diff --git a/site/get/nightly-builds.md b/site/get/nightly-builds.md index 5c485df..6bbbe08 100644 --- a/site/get/nightly-builds.md +++ b/site/get/nightly-builds.md @@ -10,4 +10,24 @@ for each build ensuring that basic functionality is working. In addition we load [configurations](https://github.com/vyos/vyos-1x/tree/current/smoketest/configs) to ensure there are no errors during config migration and system bootup. +## Verifying image signatures + +We use [minisign](https://jedisct1.github.io/minisign/) for release signing. To learn about its advantages +over GPG, read [signify: Securing OpenBSD From Us To You](https://www.openbsd.org/papers/bsdcan-signify.html). + +One obvious advantage is that you don't need to import the key anywhere, you can pass it as a command line argument. +Once you download an image and its `.minisig` file, you can verify its integrity with this command: + +``` +minisign -Vm -P RWTclGe42GmvIX/xnNiXdigNll7NSfpYGl1rj+sEERcLgoEsse5EwAgA +``` + +If in doubt, you can get the public key from the [nightly builds repository](https://github.com/vyos/vyos-rolling-nightly-builds/blob/main/minisign.pub). +If you are _really_ in doubt (i.e., you have a reason to suspect that the repository and/or this website were compromised), +you should report that to the maintainers. + +Currently, we create nightly builds with GitHub Actions and store them in releases of the [vyos/vyos-rolling-nightly-builds](https://github.com/vyos/vyos-rolling-nightly-builds/releases) +repository. Here is an auto-generated list of available builds. + ## Available builds + -- cgit v1.2.3