aboutsummaryrefslogtreecommitdiff
blob: 3dc49a415a64cd3e38a6f6b9de063245cb4b5c2c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
---
title: 'Release media signatures'
navtitle: 'Signatures'
nav1: downloads
nav2: signatures
nav2-show: true
---
<p>
  Our current releases are signed with either of these keys <strong>or any sub keys:</strong>
</p>

<br>

<table class="table table-striped">
  <tr>
    <th>Key ID/Type/Fingerprint</th>
    <th>Description</th>
    <th>Created</th>
    <th>Expiry</th>
  </tr>
  <tr>
    <td><kbd>0xBB572E0E2D182910</kbd> (4096-bit RSA)<br>
    <kbd>13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910</kbd></td>
    <td>Gentoo Linux Release Engineering (Automated Weekly Release Key)</td>
    <td>2009-08-25</td>
    <td>2019-08-22</td>
  </tr>
  <tr>
    <td><kbd>0xDB6B8C1F96D8BF6D</kbd> (4096-bit RSA)<br>
    <kbd>DCD0 5B71 EAB9 4199 527F 44AC DB6B 8C1F 96D8 BF6D</kbd></td>
    <td>Gentoo ebuild repository signing key (Automated Signing Key)</td>
    <td>2011-11-25</td>
    <td>2020-01-01</td>
  </tr>
  <tr>
    <td><kbd>0xA13D0EF1914E7A72</kbd> (4096-bit RSA)<br>
    <kbd>EF95 38C9 E8E6 4311 A52C DEDF A13D 0EF1 914E 7A72</kbd></td>
    <td><a rel='external' href='https://github.com/gentoo-mirror/'>Gentoo repository mirrors</a> (automated git signing key)</td>
    <td>2018-05-28</td>
    <td>2019-05-29</td>
  </tr>
  <tr>
    <td><kbd>0x9E6438C817072058</kbd> (1024-bit DSA)<br>
    <kbd>D99E AC73 79A8 50BC E47D A5F2 9E64 38C8 1707 2058</kbd></td>
    <td>Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key)</td>
    <td>2004-07-20</td>
    <td>2020-07-01</td>
  </tr>
</table>

<br>

<div class="panel panel-default">
  <div class="panel-heading">
    <h3 class="panel-title"><span class="fa fa-fw fa-check-circle-o"></span> Verifying files</h3>
  </div>
  <div class="panel-body">
    <p>To verify downloaded files are not tampered with, you need the <tt>.DIGESTS</tt> file matching your release and the matching key from the table above.</p>

    <p>Fetch the key:</p>

    <p><kbd>gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys &lt;key id&gt;</kbd></p>

    <p>Verify the <tt>DIGESTS</tt> file:</p>

    <p><kbd>gpg --verify &lt;foo.DIGESTS.asc&gt;</kbd></p>

    <p>Verify the download matches the digests. At least one of the following will exist:</p>

    <p><kbd>sha512sum -c &lt;foo.DIGESTS.asc&gt;</kbd></p>
    <p><kbd>sha256sum -c &lt;foo.DIGESTS.asc&gt;</kbd></p>
    <p><kbd>sha1sum -c &lt;foo.DIGESTS.asc&gt;</kbd></p>

    <br>

    <div class="alert alert-info">
      Detailed instructions are available in the <a href="https://wiki.gentoo.org/wiki/Handbook:Main_Page" class="alert-link">Gentoo Handbook</a>.
    </div>
  </div>
</div>