Ticket #787: 0001-Document-how-to-verify-git-tag-signatures.patch

File 0001-Document-how-to-verify-git-tag-signatures.patch, 2.4 KB (added by Alex Jordan, 5 years ago)


  • docs/source/siteadmin/deploying.rst

    From d637e5b5944ea26c06a191fc6b59a1f984ba2ab6 Mon Sep 17 00:00:00 2001
    From: Alex Jordan <alex@strugee.net>
    Date: Mon, 4 Apr 2016 21:17:52 -0700
    Subject: [PATCH] Document how to verify git tag signatures
    As a bonus, squelch some Sphinx warnings.
     docs/source/siteadmin/deploying.rst | 27 ++++++++++++++++++++++++++-
     1 file changed, 26 insertions(+), 1 deletion(-)
    diff --git a/docs/source/siteadmin/deploying.rst b/docs/source/siteadmin/deploying.rst
    index 47901da..447a383 100644
    a b Clone the MediaGoblin repository and set up the git submodules:: 
    248248    $ git remote set-url origin git://git.savannah.gnu.org/mediagoblin.git
     250Before you do anything else, it's recommended to verify the integrity
     251of the code you just cloned. You can do this with::
     253    $ gpg --recv-keys 510A8628E2A776788F8C709C4BC025925FF8F4D3
     254    $ git tag --verify $(git tag --contains)
     256The output for MediaGoblin 0.9.0 (for example) would be::
     258    object d1ac2d52fd8859c3f32fa38e4836ffe9615e5bba
     259    type commit
     260    tag v0.9.0
     261    tagger Christopher Allan Webber <cwebber@dustycloud.org> 1459279054 -0700
     263    MediaGoblin v0.9.0: The Three Goblineers!
     264    gpg: Signature made Tue 29 Mar 2016 12:17:39 PM PDT
     265    gpg:                using RSA key 0x4BC025925FF8F4D3
     266    gpg: Good signature from "Christopher Allan Webber <cwebber@dustycloud.org>" [unknown]
     267    gpg: WARNING: This key is not certified with a trusted signature!
     268    gpg:          There is no indication that the signature belongs to the owner.
     269    Primary key fingerprint: 510A 8628 E2A7 7678 8F8C  709C 4BC0 2592 5FF8 F4D3
     271Note the warning about the key not being trusted. If possible, you
     272should verify that the key fingerprint is correct, mark the key as
     273trusted in GPG, and rerun `git tag --verify`.
    250275Set up the hacking environment::
    252277    $ ./bootstrap.sh && ./configure && make
    into a directory that will be included in your ``nginx`` configuration 
    384409(e.g. "``/etc/nginx/sites-enabled`` or ``/etc/nginx/conf.d``) with
    385410one of the following commands.
    387 On a DEB-based system (e.g Debian, gNewSense, Trisquel, *buntu, and
     412On a DEB-based system (e.g Debian, gNewSense, Trisquel, \*buntu, and
    388413derivatives) issue the following commands::
    390415    sudo ln -s /srv/mediagoblin.example.org/nginx.conf /etc/nginx/sites-enabled/