Ensure security chain of RskJ source code

For Linux based OS (Ubuntu for example) it's recommended to install gnupg-curl in order to download the key through HTTPS.

1. Download RSK Release Signing Key public key. (use gpg v1 because gpg v2 has a bug with import throught https)

$ gpg --keyserver https://secchannel.rsk.co/release.asc --recv-keys 5DECF4415E3B8FA4
gpg: requesting key 5E3B8FA4 from https server secchannel.rsk.co
gpg: key 5E3B8FA4: public key "RSK Release Signing Key <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

2. Verify the downloaded key fingerprint

$ gpg --finger 5DECF4415E3B8FA4
pub   4096R/5E3B8FA4 2017-05-16 [expires: 2022-05-15]
      Key fingerprint = 1A92 D894 2171 AFA9 51A8  5736 5DEC F441 5E3B 8FA4
uid                  RSK Release Signing Key <[email protected]>
sub   4096R/A44DCC86 2017-05-16 [expires: 2022-05-15]
sub   4096R/5E488E87 2017-05-16 [expires: 2022-05-15]
sub   4096R/9FC3E7C2 2017-05-16 [expires: 2022-05-15]

3. Move to the root directory where the code was downloaded

4. Verify the SHA256SUMS.asc signature

$ gpg2 --verify SHA256SUMS.asc 
gpg: Signature made mar 16 may 2017 16:47:56 ART
gpg:                using RSA key 0x67D06695A44DCC86
gpg: Good signature from "RSK Release Signing Key <[email protected]>" [ultimate]
Primary key fingerprint: 1A92 D894 2171 AFA9 51A8  5736 5DEC F441 5E3B 8FA4
     Subkey fingerprint: D135 DDC0 B54D 6EF3 5901  52DF 67D0 6695 A44D CC86

5. Verify the configure.sh script

Linux:

$ sha256sum --check SHA256SUMS.asc 
configure.sh: OK
sha256sum: WARNING: 19 lines are improperly formatted

MacOs:

$ shasum --check SHA256SUMS.asc
configure.sh: OK
sha256sum: WARNING: 19 lines are improperly formatted

5. Run configure script to configure secure environment.

$ ./configure.sh