Commit d6316232 authored by Hiro's avatar Hiro 🏄
Browse files

Update key fingerprint used to verify metrics library release.

parent 2c54cc7b
Pipeline #35978 passed with stage
in 2 minutes and 42 seconds
......@@ -43,8 +43,8 @@ verification process by example.
Download the release tarball and the separate signature file:
```
wget https://dist.torproject.org/metrics-lib/2.0.0/metrics-lib-2.0.0.tar.gz
wget https://dist.torproject.org/metrics-lib/2.0.0/metrics-lib-2.0.0.tar.gz.asc
wget https://dist.torproject.org/metrics-lib/<version>/metrics-lib-<version>.tar.gz
wget https://dist.torproject.org/metrics-lib/<version>/metrics-lib-<version>.tar.gz.asc
```
(Note that earlier tarballs were named descriptor-VERSION.tar.gz and could
......@@ -53,7 +53,7 @@ be found in https://dist.torproject.org/descriptor/.)
Attempt to verify the signature on the tarball:
```
gpg --verify metrics-lib-2.0.0.tar.gz.asc
gpg --verify metrics-lib-<version>.tar.gz.asc
```
If the signature cannot be verified due to the public key of the signer
......@@ -61,10 +61,14 @@ not being locally available, download that public key from one of the key
servers and retry:
```
gpg --keyserver pgp.mit.edu --recv-key 0x4EFD4FDC3F46D41E
gpg --verify metrics-lib-2.0.0.tar.gz.asc
gpg --keyserver pgp.mit.edu --recv-key 0x2B4075479596D580
gpg --verify metrics-lib-<version>.tar.gz.asc
```
Alternatively you can also download the key from Tor Project's DB:
https://db.torproject.org/fetchkey.cgi?fingerprint=DC399D73B442F609261F126D2B4075479596D580
If the signature still cannot be verified, something is wrong!
But note that even if it can be verified, you now only know that the
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment