diff --git a/README.md b/README.md index a9e50fc..12e6fbe 100644 --- a/README.md +++ b/README.md @@ -9,20 +9,33 @@ It aims to: ## Verifying the AppImage -All AppImages in this repository are built directly from the official source code and include a signed authenticity proof to confirm they are unchanged and come from a trusted build process. +All AppImages in this repository are built directly from the official source code releases and include a signed authenticity proof (manifest + GPG signature) to confirm they are unchanged and come from my trusted build process. -**EXAMPLE** +### One-time setup (do this once) +Import the builder's public key from the repository root: +```bash +wget https://git.yourittech.support/yourittech.support/appimages/raw/branch/main/builder-pubkey.asc +gpg --import builder-pubkey.asc +``` -To verify a downloaded file (e.g. `Nextcloud-Talk-v2.1.1-x86_64.AppImage`): +### Verify a downloaded file (e.g. Nextcloud-Talk-v2.1.1-x86_64.AppImage) -1. Download the three files from the release: - - The AppImage itself - - `BUILD_INFO*.json` +1. Download these three files from the version folder (e.g. `/nextcloud_talk/v2.1.1/`): +- `Nextcloud-Talk-v2.1.1-x86_64.AppImage` +- `BUILD_INFO-Nextcloud-Talk-v2.1.1.json` +- `BUILD_INFO-Nextcloud-Talk-v2.1.1.json.asc` -2. Check file integrity - ```bash - sha256sum Nextcloud-Talk-v2.1.1-x86_64.AppImage - ``` - -3. `cat` the `BUILD_INFO*.json` and confirm the key. +2. Check the AppImage integrity with SHA256: +```bash +sha256sum Nextcloud-Talk-v2.1.1-x86_64.AppImage +``` +Compare the output to the value of `appimage_sha256` inside the `BUILD_INFO-Nextcloud-Talk-v2.1.1.json` file. +3. Verify the signed manifest (confirms the SHA256 and build info come from me): +```bash +gpg --verify BUILD_INFO-Nextcloud-Talk-v2.1.1.json.asc BUILD_INFO-Nextcloud-Talk-v2.1.1.json +``` +Look for: +``` +gpg: Good signature from "YourITtech.support" [...] +```