Instructions for verification to include cosign
mendhak committed Nov 7, 2024
1 parent 03401f9 commit 445a966
Showing 1 changed file with 21 additions and 7 deletions.
28 changes: 21 additions & 7 deletions README.md
Expand Up @@ -30,17 +30,31 @@ I'm not very good at UIs, so any work with the layouts would be appreciated!

## Verifying

It's good practice to verify downloads. In recent releases, a PGP signature and an SHA256 checksum will accompany each `.apk`.
It's good practice to verify downloads. A PGP signature, Cosign bundle, and an SHA256 checksum will accompany each `.apk`.

Import PGP Public Key from [the Ubuntu Keyserver](https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x95e7d75c76cbe9a9) or just `gpg --recv-key 6989CF77490369CFFDCBCD8995E7D75C76CBE9A9`
To verify the PGP integrity and signature:

To verify the integrity and signature:
```bash
gpg --recv-key 6989CF77490369CFFDCBCD8995E7D75C76CBE9A9
gpg --verify ~/Downloads/gpslogger-71.apk.asc
```

$ gpg --verify ~/Downloads/gpslogger-71.apk.asc

To verify checksum:
(Experimental) To verify with [Sigstore Cosign](https://docs.sigstore.dev/cosign/system_config/installation), the command should be in the releases notes, it will look like this:

```bash
cosign verify-blob gpslogger-132.apk \
--bundle gpslogger-132.apk.cosign.bundle --new-bundle-format \
--cert-oidc-issuer https://token.actions.githubusercontent.com \
--cert-identity https://github.com/mendhak/gpslogger/.github/workflows/generate-release-apk.yml@refs/head/master
```


To verify the checksum:

$ sha256sum -c ~/Downloads/gpslogger-71.apk.SHA256
```bash
sha256sum -c ~/Downloads/gpslogger-71.apk.SHA256
```



Setting up the code
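Review bot: the `--cert-identity` value in the Cosign example ends in `@refs/head/master`, which will never match a certificate issued to a GitHub Actions workflow: GitHub encodes branch refs as `refs/heads/<branch>` (plural), so this should read `...generate-release-apk.yml@refs/heads/master`, and if the release workflow is triggered by a tag push the identity would instead end in `@refs/tags/<tag>`, which is worth stating next to "the command should be in the releases notes" so readers know why the identity changes per release. Two smaller points in the same hunk: the PGP section now drops the Ubuntu Keyserver reference that the removed line carried, so `gpg --recv-key 6989CF77490369CFFDCBCD8995E7D75C76CBE9A9` silently depends on whatever keyserver the user's gpg is configured with; consider `gpg --keyserver keyserver.ubuntu.com --recv-key ...` or keeping the link. The examples also mix `gpslogger-71.apk` (gpg, sha256sum) with `gpslogger-132.apk` (cosign); using one release number throughout avoids suggesting the three artifacts come from different releases.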
