-rw-r--r-- _posts/2022-02-17-changed-signatures.md 14
-rw-r--r-- downloads/signatures/index.html 12
2 files changed, 17 insertions, 9 deletions
diff --git a/_posts/2022-02-17-changed-signatures.md b/_posts/2022-02-17-changed-signatures.md
new file mode 100644
index 0000000..2713e2d
--- /dev/null
+++ b/_posts/2022-02-17-changed-signatures.md
@@ -0,0 +1,14 @@
+---
+title: 'Format of download file signatures has changed'
+---
+
+<a href="https://www.gentoo.org/downloads/" class="news-img-right">
+ <img src="https://www.gentoo.org/assets/img/logo/gentoo-signet.svg" alt="Gentoo logo" width="80"/>
+</a>
+
+We have simplified the format of the downloadable file (i.e. stage 3 and iso image) signatures.
+Now, each of these files is accompanied by a detached GnuPG signature where the file itself is signed.
+The signing key remains unchanged; see our [web page on release media signatures](https://www.gentoo.org/downloads/signatures/)
+for the fingerprints.
+
+An unsigned DIGESTS file remains available as well.
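Review bot: the closing line of the post, "An unsigned DIGESTS file remains available as well.", does not say what that file can still be used for. Because it is unsigned, a matching checksum only shows the download was not corrupted in transit; it says nothing about tampering. Readers used to the previous DIGESTS workflow may take a checksum match as verification, so suggest adding a sentence that authenticity now comes only from the detached signature. The phrase "where the file itself is signed" could also be tightened to say that the signature covers the downloaded file directly.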
diff --git a/downloads/signatures/index.html b/downloads/signatures/index.html
index 144c886..9c3591d 100644
--- a/downloads/signatures/index.html
+++ b/downloads/signatures/index.html
@@ -69,7 +69,7 @@ nav2-show: true
<h3 class="panel-title"><span class="fa fa-fw fa-check-circle-o"></span> Verifying files</h3>
</div>
<div class="panel-body">
- <p>To verify downloaded files are not tampered with, you need the <tt>.DIGESTS</tt> file matching your release and the matching key from the table above.</p>
+ <p>To verify downloaded files are not tampered with, you need the <tt>.asc</tt> signature file matching your release and the matching key from the table above.</p>
<p>Fetch the key:</p>
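Review bot: in the changed paragraph, "the <tt>.asc</tt> signature file matching your release" keeps wording from the DIGESTS layout. The news post in this commit says each file is accompanied by its own detached signature, so the signature matches the downloaded file rather than the release. Suggest wording along the lines of "the .asc signature file that accompanies the file you downloaded", and saying here that the signature is detached so the reader knows two files are needed.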
@@ -79,15 +79,9 @@ nav2-show: true
<p><kbd>wget -O - https://qa-reports.gentoo.org/output/service-keys.gpg | gpg --import</kbd></p>
- <p>Verify the <tt>DIGESTS</tt> file:</p>
+ <p>Verify the signature:</p>
- <p><kbd>gpg --verify &lt;foo.DIGESTS.asc&gt;</kbd></p>
-
- <p>Verify the download matches the digests. At least one of the following will exist:</p>
-
- <p><kbd>sha512sum -c &lt;foo.DIGESTS.asc&gt;</kbd></p>
- <p><kbd>sha256sum -c &lt;foo.DIGESTS.asc&gt;</kbd></p>
- <p><kbd>sha1sum -c &lt;foo.DIGESTS.asc&gt;</kbd></p>
+ <p><kbd>gpg --verify &lt;foo.asc&gt;</kbd></p>
<br>
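Review bot: the new command, gpg --verify &lt;foo.asc&gt;, names only the signature. With a single argument and a detached signature, gpg looks for the signed data in a file with the same name minus the .asc suffix, so the step fails, or checks a different file, if the download was renamed or saved in another directory. Suggest giving both files, gpg --verify &lt;foo.asc&gt; &lt;foo&gt;, and stating that &lt;foo&gt; is the downloaded stage 3 or iso file, since the placeholder previously stood for the DIGESTS base name. With the sha*sum steps removed this is the only check left, so it is also worth telling the reader to confirm that the key reported by gpg matches a fingerprint in the table above.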