From e1ad86dd398dc0a2b7ca7e9f08ab350a232ac70e Mon Sep 17 00:00:00 2001
From: Jonathan Poole
- All our release artifacts are signed with a GPG key. If you want assurance that
+ All our release artifacts are signed with a private rsa key. If you want assurance that
they have not been tampered with since, you can use the signatures to verify them.
How can I verify the download of Please?
First, fetch the Please release key: -
gpg --recv-keys 3A6C0AE370E18496045687A9B85AEAE1AA1D5142
- This should receive key B85AEAE1AA1D5142
for
- Please Releases <releases@please.build>
.
+ To get the public key: +
+
+
+ curl -O https://please.build/key.pub
+
+
+
To verify the download script:
curl -O https://get.please.build/get_plz.sh
- curl -O https://get.please.build/get_plz.sh.asc
- gpg --verify get_plz.sh.asc get_plz.sh
+ curl -O https://get.please.build/get_plz.sh.sig
+ openssl dgst -sha256 -verify key.pub --signature get_plz.sh.sig get_plz.sh
You can now run that directly to install Please.
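Review bot: The new `curl -O https://please.build/key.pub` step gives the reader nothing to check the downloaded key against, whereas the removed `gpg --recv-keys` line pinned the full key fingerprint. As written, trust in key.pub rests only on the TLS connection to please.build, the same domain that serves the artifacts being verified. Suggest publishing the SHA-256 digest of key.pub in this text, and in a second location such as the repository, with an instruction to compare it before running the verify step. Separately, the verify command mixes `-sha256 -verify` with `--signature`; the documented `openssl dgst` option is `-signature`, so the single-dash form would be consistent. It would also help to state what a successful run prints (`Verified OK`) and that anything else means the script should not be run.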
@@ -93,10 +98,10 @@
ARCH="linux_amd64"
- VERSION="16.0.0"
+ VERSION="17.0.0"
curl -O https://get.please.build/${ARCH}/${VERSION}/please_${VERSION}
- curl -O https://get.please.build/${ARCH}/${VERSION}/please_${VERSION}.asc
- gpg --verify please_${VERSION}.asc please_${VERSION}
+ curl -O https://get.please.build/${ARCH}/${VERSION}/please_${VERSION}.sig
+ openssl dgst -sha256 -verify key.pub --signature please_${VERSION}.sig please_${VERSION}
You can now use this Please binary on your machine as you please!
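Review bot: The `VERSION` bump from 16.0.0 to 17.0.0 lands together with the switch from `.asc` to `.sig`, but the text never says whether releases before 17.0.0 have a `.sig` file. A reader who sets VERSION to an older release will fetch a URL that may not exist, and since `curl -O` is used without `-f`, an error page could be saved as the signature file and only fail at the openssl step with an unhelpful message. Suggest one sentence stating from which version `.sig` signatures are published and how older releases are verified, and using `curl -fO` here. The `openssl dgst -sha256 -verify key.pub ...` line also assumes key.pub is already in the current directory from the earlier section; refer back to that step or repeat the download so this section works on its own.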
From c63e3c3c0b0e3e9e75bd7ee0d36dd456cab429fe Mon Sep 17 00:00:00 2001
From: Jonathan Poole - All our release artifacts are signed with a private rsa key. If you want assurance that + All our release artifacts are signed with a private RSA key. If you want assurance that they have not been tampered with since, you can use the signatures to verify them.
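Review bot: The capitalisation fix to "RSA" is fine, but the sentence still reads "signed with a private RSA key", which tells the reader nothing they can act on, since every signing key is private. Suggest wording it around what the reader verifies with, for example "signed with our RSA release key; the matching public key is used to verify them", so the sentence leads into the verification steps that follow.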