highperfocused/raspiblitz
1
0
Fork 0
mirror of https://github.com/raspiblitz/raspiblitz.git synced 2025-10-10 12:53:01 +02:00
Code Issues Packages Projects Releases Wiki Activity

#2630 adding info on sub key in FAQ

Browse Source
This commit is contained in:
rootzoll
2021-11-30 17:03:10 +01:00
parent 3a910729b1
commit 49d44abcca
1 changed files with 6 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
FAQ.md
View File

@@ -137,12 +137,6 @@
## Upgrade ## Upgrade
### Is using the prepared SD card image secure?
Using pre-built software almost always shifts trust to the one who made the binary. At least, you should [verify the SD card image after download](#how-to-verify-the-sd-card-image-after-download).
The best way would be to build the SD card yourself. You use the script `build_sdcard.sh` for this. Take a few minutes to check if you see anything suspicious in that build script and then follow the [README](README.md#build-the-sd-card-image) on this.
### How to verify the SD card image after download? ### How to verify the SD card image after download?
There are two methods, verify the hash (proves integrity) or the signature (proves integrity and authenticity) There are two methods, verify the hash (proves integrity) or the signature (proves integrity and authenticity)
@@ -160,18 +154,20 @@ But verifying the shasum does not prove to you that the SD card image was actual
To verify that the download was actually signed by [rootzoll](https://keybase.io/rootzoll) you need to use GPG and import the following public key: To verify that the download was actually signed by [rootzoll](https://keybase.io/rootzoll) you need to use GPG and import the following public key:
``` ```
curl --tlsv1.2 --proto =https https://keybase.io/rootzoll/pgp_keys.asc | gpg --import curl --tlsv1.2 --proto '=https' https://keybase.io/rootzoll/pgp_keys.asc | gpg --import
``` ```
Next, download the "signature file" for the SD card image. It's the same download link as for the image file - just added a `.sig` at the end. You should also always find the download link for the signature file in the README right below the image download link following the `SIGNATURE` link. Next, download the "signature file" for the SD card image. It's the same download link as for the image file - just added a `.sig` at the end. You should also always find the download link for the signature file in the README right next to the image download link.
If you know have all the three elements needed - the imported public key, the image signature and the image file itself - you can verify the download with: If you now have all the three elements needed - the imported public key, the image signature and the image file itself - you can verify the download with:
``` ```
gpg --verify [SIGNATURE-FILE] [IMAGE-FILE] gpg --verify [SIGNATURE-FILE] [IMAGE-FILE]
``` ```
As a result you should see a "good signature" message with a main fingerprint the same as you can find on the [keybase.io/rootzoll](https://keybase.io/rootzoll) that is ending on `1C73 060C 7C17 6461`. If that fingerprint is correct, the SD card image you downloaded is an original RaspiBlitz release. As a result you should see a "good signature" message with a main fingerprint the same as you can find on the [keybase.io/rootzoll](https://keybase.io/rootzoll) that is ending on `1C73 060C 7C17 6461`. You should also see the sub-key fingerprint ending on `AA9D D1B5 CC56 47DA`, that is used at the moment to sign the sd card image. If those fingerprints shown correctly, the SD card image you downloaded is an original RaspiBlitz release.
*You can ignore any warning about the key being 'not a trusted signature' or untrusted .. as long you see "good signature" and the correct main & sub fingerprints the download is valid.*
### What changed on every upgrade? ### What changed on every upgrade?