Ticket #787: 0001-Document-how-to-verify-git-tag-signatures-v2.patch

File 0001-Document-how-to-verify-git-tag-signatures-v2.patch, 3.0 KB (added by Alex Jordan, 5 years ago)

patch v2

  • docs/source/siteadmin/deploying.rst

    From b7f937c0ef53a36c0261791d2901f91fe3b3b761 Mon Sep 17 00:00:00 2001
    From: Alex Jordan <alex@strugee.net>
    Date: Mon, 4 Apr 2016 21:17:52 -0700
    Subject: [PATCH] Document how to verify git tag signatures
    
    As a bonus, squelch some Sphinx warnings.
    ---
     docs/source/siteadmin/deploying.rst | 34 +++++++++++++++++++++++++++++++---
     1 file changed, 31 insertions(+), 3 deletions(-)
    
    diff --git a/docs/source/siteadmin/deploying.rst b/docs/source/siteadmin/deploying.rst
    index 47901da..27a8ffd 100644
    a b MediaGoblin has the following core dependencies: 
    6565- `virtualenv <http://www.virtualenv.org/>`_
    6666- `nodejs <https://nodejs.org>`_
    6767
    68 On a DEB-based system (e.g Debian, gNewSense, Trisquel, *buntu, and
     68On a DEB-based system (e.g Debian, gNewSense, Trisquel, \*buntu, and
    6969derivatives) issue the following command::
    7070
    7171    sudo apt-get install git-core python python-dev python-lxml \
    Clone the MediaGoblin repository and set up the git submodules:: 
    247247
    248248    $ git remote set-url origin git://git.savannah.gnu.org/mediagoblin.git
    249249
    250 Set up the hacking environment::
     250Before you do anything else, it's recommended to verify the integrity
     251of the code you just cloned. You can do this with with, for example::
     252
     253    $ gpg --recv-keys 510A8628E2A776788F8C709C4BC025925FF8F4D3
     254    $ git tag --verify v0.9.0
     255
     256This will check the signature for MediaGoblin 0.9.0. If you're
     257installing a different version, adjust the version number to match.
     258
     259The correct output for the above command would be::
     260
     261    object d1ac2d52fd8859c3f32fa38e4836ffe9615e5bba
     262    type commit
     263    tag v0.9.0
     264    tagger Christopher Allan Webber <cwebber@dustycloud.org> 1459279054 -0700
     265
     266    MediaGoblin v0.9.0: The Three Goblineers!
     267    gpg: Signature made Tue 29 Mar 2016 12:17:39 PM PDT
     268    gpg:                using RSA key 0x4BC025925FF8F4D3
     269    gpg: Good signature from "Christopher Allan Webber <cwebber@dustycloud.org>" [unknown]
     270    gpg: WARNING: This key is not certified with a trusted signature!
     271    gpg:          There is no indication that the signature belongs to the owner.
     272    Primary key fingerprint: 510A 8628 E2A7 7678 8F8C  709C 4BC0 2592 5FF8 F4D3
     273
     274Note the warning about the key not being trusted. If possible, you
     275should verify that the key fingerprint is correct, mark the key as
     276trusted in GPG, and rerun `git tag --verify`.
     277
     278Now you can set up the hacking environment::
    251279
    252280    $ ./bootstrap.sh && ./configure && make
    253281
    into a directory that will be included in your ``nginx`` configuration 
    384412(e.g. "``/etc/nginx/sites-enabled`` or ``/etc/nginx/conf.d``) with
    385413one of the following commands.
    386414
    387 On a DEB-based system (e.g Debian, gNewSense, Trisquel, *buntu, and
     415On a DEB-based system (e.g Debian, gNewSense, Trisquel, \*buntu, and
    388416derivatives) issue the following commands::
    389417
    390418    sudo ln -s /srv/mediagoblin.example.org/nginx.conf /etc/nginx/sites-enabled/