From b7f937c0ef53a36c0261791d2901f91fe3b3b761 Mon Sep 17 00:00:00 2001
From: Alex Jordan <alex@strugee.net>
Date: Mon, 4 Apr 2016 21:17:52 -0700
Subject: [PATCH] Document how to verify git tag signatures
As a bonus, squelch some Sphinx warnings.
---
docs/source/siteadmin/deploying.rst | 34 +++++++++++++++++++++++++++++++---
1 file changed, 31 insertions(+), 3 deletions(-)
diff --git a/docs/source/siteadmin/deploying.rst b/docs/source/siteadmin/deploying.rst
index 47901da..27a8ffd 100644
|
a
|
b
|
MediaGoblin has the following core dependencies:
|
| 65 | 65 | - `virtualenv <http://www.virtualenv.org/>`_ |
| 66 | 66 | - `nodejs <https://nodejs.org>`_ |
| 67 | 67 | |
| 68 | | On a DEB-based system (e.g Debian, gNewSense, Trisquel, |
| | 68 | On a DEB-based system (e.g Debian, gNewSense, Trisquel, \*buntu, and |
| 69 | 69 | derivatives) issue the following command:: |
| 70 | 70 | |
| 71 | 71 | sudo apt-get install git-core python python-dev python-lxml \ |
| … |
… |
Clone the MediaGoblin repository and set up the git submodules::
|
| 247 | 247 | |
| 248 | 248 | $ git remote set-url origin git://git.savannah.gnu.org/mediagoblin.git |
| 249 | 249 | |
| 250 | | Set up the hacking environment:: |
| | 250 | Before you do anything else, it's recommended to verify the integrity |
| | 251 | of the code you just cloned. You can do this with with, for example:: |
| | 252 | |
| | 253 | $ gpg --recv-keys 510A8628E2A776788F8C709C4BC025925FF8F4D3 |
| | 254 | $ git tag --verify v0.9.0 |
| | 255 | |
| | 256 | This will check the signature for MediaGoblin 0.9.0. If you're |
| | 257 | installing a different version, adjust the version number to match. |
| | 258 | |
| | 259 | The correct output for the above command would be:: |
| | 260 | |
| | 261 | object d1ac2d52fd8859c3f32fa38e4836ffe9615e5bba |
| | 262 | type commit |
| | 263 | tag v0.9.0 |
| | 264 | tagger Christopher Allan Webber <cwebber@dustycloud.org> 1459279054 -0700 |
| | 265 | |
| | 266 | MediaGoblin v0.9.0: The Three Goblineers! |
| | 267 | gpg: Signature made Tue 29 Mar 2016 12:17:39 PM PDT |
| | 268 | gpg: using RSA key 0x4BC025925FF8F4D3 |
| | 269 | gpg: Good signature from "Christopher Allan Webber <cwebber@dustycloud.org>" [unknown] |
| | 270 | gpg: WARNING: This key is not certified with a trusted signature! |
| | 271 | gpg: There is no indication that the signature belongs to the owner. |
| | 272 | Primary key fingerprint: 510A 8628 E2A7 7678 8F8C 709C 4BC0 2592 5FF8 F4D3 |
| | 273 | |
| | 274 | Note the warning about the key not being trusted. If possible, you |
| | 275 | should verify that the key fingerprint is correct, mark the key as |
| | 276 | trusted in GPG, and rerun `git tag --verify`. |
| | 277 | |
| | 278 | Now you can set up the hacking environment:: |
| 251 | 279 | |
| 252 | 280 | $ ./bootstrap.sh && ./configure && make |
| 253 | 281 | |
| … |
… |
into a directory that will be included in your ``nginx`` configuration
|
| 384 | 412 | (e.g. "``/etc/nginx/sites-enabled`` or ``/etc/nginx/conf.d``) with |
| 385 | 413 | one of the following commands. |
| 386 | 414 | |
| 387 | | On a DEB-based system (e.g Debian, gNewSense, Trisquel, |
| | 415 | On a DEB-based system (e.g Debian, gNewSense, Trisquel, \*buntu, and |
| 388 | 416 | derivatives) issue the following commands:: |
| 389 | 417 | |
| 390 | 418 | sudo ln -s /srv/mediagoblin.example.org/nginx.conf /etc/nginx/sites-enabled/ |
