Ticket #787: 0001-Document-how-to-verify-git-tag-signatures.patch

File 0001-Document-how-to-verify-git-tag-signatures.patch, 2.4 KB (added by Alex Jordan, 5 years ago)

patch

  • docs/source/siteadmin/deploying.rst

    From d637e5b5944ea26c06a191fc6b59a1f984ba2ab6 Mon Sep 17 00:00:00 2001
    From: Alex Jordan <alex@strugee.net>
    Date: Mon, 4 Apr 2016 21:17:52 -0700
    Subject: [PATCH] Document how to verify git tag signatures
    
    As a bonus, squelch some Sphinx warnings.
    ---
     docs/source/siteadmin/deploying.rst | 27 ++++++++++++++++++++++++++-
     1 file changed, 26 insertions(+), 1 deletion(-)
    
    diff --git a/docs/source/siteadmin/deploying.rst b/docs/source/siteadmin/deploying.rst
    index 47901da..447a383 100644
    a b Clone the MediaGoblin repository and set up the git submodules:: 
    247247
    248248    $ git remote set-url origin git://git.savannah.gnu.org/mediagoblin.git
    249249
     250Before you do anything else, it's recommended to verify the integrity
     251of the code you just cloned. You can do this with::
     252
     253    $ gpg --recv-keys 510A8628E2A776788F8C709C4BC025925FF8F4D3
     254    $ git tag --verify $(git tag --contains)
     255
     256The output for MediaGoblin 0.9.0 (for example) would be::
     257
     258    object d1ac2d52fd8859c3f32fa38e4836ffe9615e5bba
     259    type commit
     260    tag v0.9.0
     261    tagger Christopher Allan Webber <cwebber@dustycloud.org> 1459279054 -0700
     262
     263    MediaGoblin v0.9.0: The Three Goblineers!
     264    gpg: Signature made Tue 29 Mar 2016 12:17:39 PM PDT
     265    gpg:                using RSA key 0x4BC025925FF8F4D3
     266    gpg: Good signature from "Christopher Allan Webber <cwebber@dustycloud.org>" [unknown]
     267    gpg: WARNING: This key is not certified with a trusted signature!
     268    gpg:          There is no indication that the signature belongs to the owner.
     269    Primary key fingerprint: 510A 8628 E2A7 7678 8F8C  709C 4BC0 2592 5FF8 F4D3
     270
     271Note the warning about the key not being trusted. If possible, you
     272should verify that the key fingerprint is correct, mark the key as
     273trusted in GPG, and rerun `git tag --verify`.
     274
    250275Set up the hacking environment::
    251276
    252277    $ ./bootstrap.sh && ./configure && make
    into a directory that will be included in your ``nginx`` configuration 
    384409(e.g. "``/etc/nginx/sites-enabled`` or ``/etc/nginx/conf.d``) with
    385410one of the following commands.
    386411
    387 On a DEB-based system (e.g Debian, gNewSense, Trisquel, *buntu, and
     412On a DEB-based system (e.g Debian, gNewSense, Trisquel, \*buntu, and
    388413derivatives) issue the following commands::
    389414
    390415    sudo ln -s /srv/mediagoblin.example.org/nginx.conf /etc/nginx/sites-enabled/